jabber: denial of service

Package(s): jabber
CVE #(s): CAN-2004-0013
Created: January 7, 2004
Updated: January 26, 2004
Description: A vulnerability was discovered in jabber, an instant messaging server, whereby a bug in the handling of SSL connections could cause the server process to crash, resulting in a denial of service.
Alerts:
Mandrake MDKSA-2004:005 2004-01-23
Debian DSA-414-1 2004-01-06

Note that this was fixed in jabberd 1.4.3 back in Nov 2003

Posted Jan 8, 2004 19:25 UTC (Thu) by dyork (subscriber, #2819)

I've now seen a couple of alerts sent out on this issue, which I find a bit curious given that the issue was fixed with the release of jabberd 1.4.3 back on November 15, 2003. See the release notes for more info. The relevant line is:
  • fixed a possible DoS attack with SSL in pthsock_client (by Nathan Sharp)

The Debian alert (and others circulating) ask that users upgrade their servers to run jabberd 1.4.3, so there is no new software to download in response to this alert. The fact that this was previously fixed is also acknowledged on the Jabber support mailing list.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.