author nectar <nectar@FreeBSD.org> 2005-01-13 20:26:03 +0000
committer nectar <nectar@FreeBSD.org> 2005-01-13 20:26:03 +0000
commit 1f929921c8e3b582c24ba6fa65fd9bab4fee7e46
tree a3b17c4bf54937b8ed2f690e52409f6d27533ded /security
parent 03da6dcd30132d7bb2ba2e4b15c50ca3bcfefbe5
Add a better reference and description of the jabberd vulnerability.
Diffstat (limited to 'security')
-rw-r--r-- security/vuxml/vuln.xml 24
1 files changed, 21 insertions, 3 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 423edc2..a1d0e7a 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -880,17 +880,35 @@ http_access deny Gopher</pre>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>Caused by corrupt parsing code in the expat library
- part of jabberd it is possible for an attacker to
- crash the daemon if it is not using UTF-8.</p>
+ <p>José Antonio Calvo discovered a bug in the Jabber 1.x server.
+ According to Matthias Wimmer:</p>
+ <blockquote cite="http://devel.amessage.info/jabberd14/README.html">
+ <p>Without this patch, it is possible to remotly crash
+ jabberd14, if there is access to one of the following types
+ of network sockets:</p>
+ <ul>
+ <li>Socket accepting client connections</li>
+ <li>Socket accepting connections from other servers</li>
+ <li>Socket connecting to an other Jabber server</li>
+ <li>Socket accepting connections from server components</li>
+ <li>Socket connecting to server components</li>
+ </ul>
+ <p>This is any socket on which the jabberd server parses
+ XML!</p>
+ <p>The problem existed in the included expat XML parser code.
+ This patch removes the included expat code from jabberd14
+ and links jabberd against an installed version of expat.</p>
+ </blockquote>
</body>
</description>
<references>
+ <url>http://devel.amessage.info/jabberd14/README.html</url>
<url>http://mail.jabber.org/pipermail/jabberd/2004-September/002004.html</url>
</references>
<dates>
<discovery>2004-09-19</discovery>
<entry>2004-12-26</entry>
+ <modified>2005-01-13</modified>
</dates>
</vuln>
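Review bot: The rewritten description inside `<body>` drops the "if it is not using UTF-8" condition from the removed paragraph without saying whether that condition was wrong or is simply no longer mentioned. The quoted README text says any socket on which jabberd parses XML is affected, so either state in the commit message that the UTF-8 condition was inaccurate or keep it if it still holds. The blockquote also carries "remotly" and "an other": leave them if they are verbatim from the cited README, otherwise fix them. The added `<modified>2005-01-13</modified>` matches the commit date and the new README `<url>` matches the blockquote's `cite`, so those two are consistent.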