A vulnerability was discovered in jabber, an instant messaging server,
whereby a bug in the handling of SSL connections could cause the
server process to crash, resulting in a denial of service.
Note that this was fixed in jabberd 1.4.3 back in Nov 2003
Posted Jan 8, 2004 19:25 UTC (Thu) by dyork (guest, #2819)
I've now seen a couple of alerts sent out on this issue, which I find a bit curious given that the issue was fixed with the release of jabberd 1.4.3 back on November 15, 2003. See the release notes for more info. The relevant line is:
fixed a possible DoS attack with SSL in pthsock_client (by Nathan Sharp)
The Debian alert (and others circulating) ask that users upgrade their servers to run jabberd 1.4.3, so there is no new software to download in response to this alert. The fact that this was previously fixed is also acknowledged on the Jabber support mailing list.