[Secure-testing-team] Bug#629234: Vulnerable to the “billion laughs” denial-of-service attack
Enrico Tassi
gareuselesinge at debian.org
Sat Jun 4 16:38:43 UTC 2011
Package: prosody
Version: 0.8.0-1
Severity: important
Tags: security
Versions 0.7 and 0.8 are vulnerable to a DoS attack:
http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html#N100F1
To fix the bug, lua-expat 1.2.0 is needed, and an updated version of prosody
http://prosody.im/doc/release/0.8.1#backporting
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (150, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages prosody depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libidn11 1.20-1 GNU Libidn library, implementation
ii liblua5.1-0 5.1.4-6 Simple, extensible, embeddable pro
ii liblua5.1-expat0 1.2.0-1 libexpat bindings for the Lua lang
ii liblua5.1-filesystem0 1.5.0-2 luafilesystem library for the Lua
ii liblua5.1-socket2 2.0.2-5 TCP/UDP socket library for Lua 5.1
ii libssl1.0.0 1.0.0d-2 SSL shared libraries
ii lua5.1 5.1.4-6 Simple, extensible, embeddable pro
ii openssl 1.0.0d-2 Secure Socket Layer (SSL) binary a
Versions of packages prosody recommends:
ii liblua5.1-event0 0.1.1-3 asynchronous event notification li
ii liblua5.1-sec1 0.4-4 SSL socket library for the Lua lan
prosody suggests no packages.
-- Configuration Files:
/etc/prosody/conf.avail/example.com.cfg.lua [Errno 13] Permission denied: u'/etc/prosody/conf.avail/example.com.cfg.lua'
/etc/prosody/conf.avail/localhost.cfg.lua [Errno 13] Permission denied: u'/etc/prosody/conf.avail/localhost.cfg.lua'
/etc/prosody/prosody.cfg.lua [Errno 13] Permission denied: u'/etc/prosody/prosody.cfg.lua'
-- no debconf information
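The following is an added example, not part of the bug report above and not Prosody's or lua-expat's code. It reproduces the "billion laughs" expansion against libexpat (the same library lua-expat binds; Python's xml.parsers.expat is used here because it is the same parser with a runnable binding) and shows one way to stop it: refuse any DOCTYPE before entities are expanded, which is always correct on an XMPP stream because RFC 6120 section 11.1 forbids DTDs and entity references, plus a cap on expanded character data as a fallback for parsers that must accept a DTD. The assumption, not confirmed by the report, is that this kind of pre-expansion hook is what the newer lua-expat exposes and the 0.8.1 fix relies on; the payload sizes below are deliberately small (30 kB expanded from a few hundred bytes) so the script finishes instantly.

```python
"""Billion-laughs demo and mitigation against libexpat via xml.parsers.expat.

Constructed example; not Prosody's or lua-expat's code. The document built by
billion_laughs() is the classic payload: a tiny string that each nested entity
references `fanout` times, so the parser produces fanout**depth copies of it.
"""
import xml.parsers.expat


def billion_laughs(depth=4, fanout=10):
    """Build a constructed billion-laughs document (small by default: 30 kB)."""
    ents = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        ents.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    return ('<?xml version="1.0"?><!DOCTYPE lolz [%s]><lolz>&lol%d;</lolz>'
            % ("".join(ents), depth))


def parse_naive(doc):
    """Default expat settings: internal entities are expanded unconditionally.

    Returns the number of characters delivered to the character-data handler,
    i.e. how much memory/CPU the parser spent on the attacker's behalf.
    """
    p = xml.parsers.expat.ParserCreate()
    seen = [0]

    def on_chars(data):
        seen[0] += len(data)

    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return seen[0]


class DoctypeRejected(Exception):
    pass


class ExpansionLimit(Exception):
    pass


def parse_hardened(doc, allow_doctype=False, max_chars=1_000_000):
    """Parse with two defences in front of entity expansion.

    1. StartDoctypeDeclHandler fires before the internal subset is parsed, so
       raising there rejects the document before any entity is defined
       (allow_doctype=False; the right setting for XMPP, see RFC 6120 11.1).
    2. A budget on total character data aborts runaway expansion for parsers
       that must accept a DTD (allow_doctype=True).

    Returns ("ok", chars), ("doctype-rejected", 0) or ("expansion-limit", chars).
    """
    p = xml.parsers.expat.ParserCreate()
    seen = [0]

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise DoctypeRejected(name)

    def on_chars(data):
        seen[0] += len(data)
        if seen[0] > max_chars:
            raise ExpansionLimit(seen[0])

    p.StartDoctypeDeclHandler = on_doctype
    p.CharacterDataHandler = on_chars
    try:
        p.Parse(doc, True)
    except DoctypeRejected:
        return ("doctype-rejected", 0)
    except ExpansionLimit:
        return ("expansion-limit", seen[0])
    return ("ok", seen[0])


if __name__ == "__main__":
    doc = billion_laughs()
    print("payload bytes:", len(doc))
    print("naive parser expanded:", parse_naive(doc), "chars")
    print("hardened (XMPP mode):", parse_hardened(doc))
    print("hardened (DTD allowed, 1000-char cap):",
          parse_hardened(doc, allow_doctype=True, max_chars=1000))
    print("hardened, plain stanza:",
          parse_hardened("<message><body>hi</body></message>"))
```

Raising an exception inside an expat handler aborts the parse at that point, so with the DOCTYPE check in place the entity declarations are never even read; on a real server the reaction would be to close the offending stream. Note that the output cap only bounds the work done after the limit is crossed, which is why the DOCTYPE refusal is the primary control wherever the protocol allows it.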