From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Aug 22 21:30:07 2012 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4C35E1065673 for ; Wed, 22 Aug 2012 21:30:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 1013F8FC12 for ; Wed, 22 Aug 2012 21:30:07 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q7MLU6rF070567 for ; Wed, 22 Aug 2012 21:30:06 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q7MLU6d5070566; Wed, 22 Aug 2012 21:30:06 GMT (envelope-from gnats) Resent-Date: Wed, 22 Aug 2012 21:30:06 GMT Resent-Message-Id: <201208222130.q7MLU6d5070566@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Eygene Ryabinkin Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 28E621065675; Wed, 22 Aug 2012 21:20:58 +0000 (UTC) (envelope-from rea@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.6.71]) by mx1.freebsd.org (Postfix) with ESMTP id BCAC58FC1C; Wed, 22 Aug 2012 21:20:57 +0000 (UTC) Received: from void.codelabs.ru (void.codelabs.ru [144.206.6.66]) by 0.mx.codelabs.ru with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) id 1T4IMA-000F1M-Cr; Thu, 23 Aug 2012 01:20:56 +0400 Message-Id: <20120822212054.0ED80DA81F@void.codelabs.ru> Date: Thu, 23 Aug 2012 01:20:54 +0400 (MSK) From: Eygene Ryabinkin To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: mm@FreeBSD.org Subject: ports/170894: [vuxml][patch] net-im/jabberd: fix CVE-2012-3525 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Eygene Ryabinkin List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Aug 2012 21:30:07 -0000 >Number: 170894 >Category: ports >Synopsis: [vuxml][patch] net-im/jabberd: fix CVE-2012-3525 >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Aug 22 21:30:06 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 10.0-CURRENT amd64 >Organization: Code Labs >Environment: System: FreeBSD 10.0-CURRENT amd64 >Description: XMPP Standards Foundation reported that some XMPP implementations, including jabberd 2.x, are prone to the domain spoofing via the server dialback protocol [1]. Jabberd developers already fixed this in their Git repository [2]. I had added VuXML entry 4d1d2f6d-ec94-11e1-8bd8-0022156e8794 to the FreeBSD VuXML index [3], please, use it in the commit log. [1] http://xmpp.org/resources/security-notices/server-dialback/ [2] https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d [3] http://svnweb.freebsd.org/ports?view=revision&revision=302966 >How-To-Repeat: Look at [1] and [2]. >Fix: Patch is available at http://codelabs.ru/fbsd/ports/jabberd/jabberd-cve-2012-3525.diff It just adds vendor patch to the current port. I had briefly tested it our CodeLabs Jabber server. No problems were yet found. >Release-Note: >Audit-Trail: >Unformatted: