jabberd SSL Connection Handling Flaw May Let Remote Users Crash the System
|
SecurityTracker Alert ID: 1008625
|
CVE Reference: CAN-2004-0013
|
Date: Jan 7 2004
|
Impact: Denial of service via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 1.4.3
|
Description: A denial of service vulnerability was reported in jabberd. A remote user can cause the target jabberd service to crash.
It is reported that the software does not properly handle SSL connections because it does not use non-blocking sockets. The flaw reportedly resides in 'mio_ssl.c'.
A remote user may be able to cause the target daemon to crash.
|
Impact: A remote user can cause the jabberd process to crash.
|
Solution: The vendor has released a fixed version (1.4.3), available at:
http://jabberd.jabberstudio.org/1.4/dist/jabberd-1.4.3.tar.gz
http://jabberd.jabberstudio.org/1.4/#download
|
Vendor URL: jabberd.jabberstudio.org/1.4/
|
Cause: Resource error, State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Source Message Contents
|
Date: Tue, 06 Jan 2004 20:26:53 -0500
Subject: CVE: CAN-2004-0013
|
http://jabberd.jabberstudio.org/1.4/release-1.4.3.shtml
> Release notes - jabberd 1.4.3 - released 2003-11-15
>
> This is a brief summary of the various fixes and additions in 1.4.3.
> * fixed a possible DoS attack with SSL in pthsock_client (by Nathan Sharp)
It is reported that a remote user can cause the target server to crash.
CVE: CAN-2004-0013