svn commit: r302966 - head/security/vuxml
Eygene Ryabinkin
rea at FreeBSD.org
Wed Aug 22 21:10:12 UTC 2012
Author: rea
Date: Wed Aug 22 21:10:10 2012
New Revision: 302966
URL: http://svn.freebsd.org/changeset/ports/302966
Log:
VuXML: document CVE-2012-3525 in jabberd 2.x
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Wed Aug 22 20:40:40 2012 (r302965)
+++ head/security/vuxml/vuln.xml Wed Aug 22 21:10:10 2012 (r302966)
@@ -51,6 +51,39 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="4d1d2f6d-ec94-11e1-8bd8-0022156e8794">
+ <topic>jabberd -- domain spoofing in server dialback protocol</topic>
+ <affects>
+ <package>
+ <name>jabberd</name>
+ <range><lt>2.2.16_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>XMPP Standards Foundation reports:</p>
+ <blockquote cite="http://xmpp.org/resources/security-notices/server-dialback/">
+ <p>Some implementations of the XMPP Server Dialback protocol
+ (RFC 3920/XEP-0220) have not been checking dialback
+ responses to ensure that validated results are correlated
+ with requests.</p>
+ <p>An attacking server could spoof one or more domains in
+ communicating with a vulnerable server implementation,
+ thereby avoiding the protections built into the Server
+ Dialback protocol.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-3525</cvename>
+ <url>http://xmpp.org/resources/security-notices/server-dialback/</url>
+ </references>
+ <dates>
+ <discovery>2012-08-21</discovery>
+ <entry>2012-08-23</entry>
+ </dates>
+ </vuln>
+
<vuln vid="a4598875-ec91-11e1-8bd8-0022156e8794">
<topic>rssh -- configuration restrictions bypass</topic>
<affects>
More information about the svn-ports-all
mailing list