ports/170894: [vuxml][patch] net-im/jabberd: fix CVE-2012-3525
Eygene Ryabinkin
rea at FreeBSD.org
Wed Aug 22 21:30:07 UTC 2012
>Number: 170894
>Category: ports
>Synopsis: [vuxml][patch] net-im/jabberd: fix CVE-2012-3525
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 22 21:30:06 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 10.0-CURRENT amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 10.0-CURRENT amd64
>Description:
The XMPP Standards Foundation reported that some XMPP implementations,
including jabberd 2.x, are prone to domain spoofing via the
server dialback protocol [1]. The jabberd developers have already fixed
this in their Git repository [2].
I have added VuXML entry 4d1d2f6d-ec94-11e1-8bd8-0022156e8794 to the
FreeBSD VuXML index [3]; please use it in the commit log.
[1] http://xmpp.org/resources/security-notices/server-dialback/
[2] https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d
[3] http://svnweb.freebsd.org/ports?view=revision&revision=302966
>How-To-Repeat:
Look at [1] and [2].
>Fix:
Patch is available at
http://codelabs.ru/fbsd/ports/jabberd/jabberd-cve-2012-3525.diff
It just adds the vendor patch to the current port.
I have briefly tested it on our CodeLabs Jabber server. No problems
have been found yet.
>Release-Note:
>Audit-Trail:
>Unformatted: