Enrico Tassi
2011-Jun-04 16:38 UTC
[Secure-testing-team] Bug#629234: Vulnerable to the “billion laughs” denial-of-service attack
Package: prosody
Version: 0.8.0-1
Severity: important
Tags: security

Versions 0.7 and 0.8 are vulnerable to a DoS attack:
http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html#N100F1

To fix the bug, lua-expat 1.2.0 is needed, and an updated version of prosody:
http://prosody.im/doc/release/0.8.1#backporting

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages prosody depends on:
ii  adduser                3.112+nmu2  add and remove users and groups
ii  libc6                  2.13-4      Embedded GNU C Library: Shared lib
ii  libidn11               1.20-1      GNU Libidn library, implementation
ii  liblua5.1-0            5.1.4-6     Simple, extensible, embeddable pro
ii  liblua5.1-expat0       1.2.0-1     libexpat bindings for the Lua lang
ii  liblua5.1-filesystem0  1.5.0-2     luafilesystem library for the Lua
ii  liblua5.1-socket2      2.0.2-5     TCP/UDP socket library for Lua 5.1
ii  libssl1.0.0            1.0.0d-2    SSL shared libraries
ii  lua5.1                 5.1.4-6     Simple, extensible, embeddable pro
ii  openssl                1.0.0d-2    Secure Socket Layer (SSL) binary a

Versions of packages prosody recommends:
ii  liblua5.1-event0       0.1.1-3     asynchronous event notification li
ii  liblua5.1-sec1         0.4-4       SSL socket library for the Lua lan

prosody suggests no packages.

-- Configuration Files:
/etc/prosody/conf.avail/example.com.cfg.lua [Errno 13] Permission denied: u'/etc/prosody/conf.avail/example.com.cfg.lua'
/etc/prosody/conf.avail/localhost.cfg.lua [Errno 13] Permission denied: u'/etc/prosody/conf.avail/localhost.cfg.lua'
/etc/prosody/prosody.cfg.lua [Errno 13] Permission denied: u'/etc/prosody/prosody.cfg.lua'

-- no debconf information
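The attack the report refers to, and one way to shut it out, as an added example that is not part of the bug report and is not Prosody's own (Lua) code. A billion-laughs document defines a chain of nested internal entities so that one short reference in the body expands to an exponential amount of character data, exhausting memory or CPU in the parser. XMPP streams must not carry DTD subsets or entity references (RFC 6120 section 11.1), so a server can safely abort the parse the moment a DOCTYPE appears, before any entity is expanded. The Python below builds a deliberately small payload (three levels of fan-out 10, a constructed sample), measures the amplification a permissive expat parser produces from it, and shows the hardened parser rejecting the same input. The `count_text_chars` and `rejects_dtd` helpers are this example's own, not an API of expat or Prosody.

```python
"""Billion-laughs demo: a small entity-expansion payload beside the check
that rejects it.  Added example; not code from the bug report or Prosody.
"""
import xml.parsers.expat


class DoctypeRejected(Exception):
    """Raised when a document carries a DTD, which an XMPP stream must not."""


def billion_laughs(levels=3, fanout=10):
    """Build a small billion-laughs document (constructed sample input).

    Each entity level references the previous one `fanout` times, so the
    single &lolN; reference in the body expands to fanout**levels copies
    of "lol".  Three levels is enough to show the amplification without
    hurting the machine running the demo; real payloads use 9 or more.
    """
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, levels + 1):
        prev = "lol" if i == 1 else "lol%d" % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * fanout))
    return (
        '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
        + "\n".join(decls)
        + "\n]>\n<lolz>&lol%d;</lolz>" % levels
    )


def count_text_chars(data, allow_doctype=False):
    """Parse `data` with expat and return the number of character-data
    code points the parser delivered to the application.

    With allow_doctype=False (the hardened setting) any DOCTYPE aborts the
    parse before a single entity is expanded; the exception raised inside
    the handler propagates out of Parse().
    """
    delivered = [0]
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise DoctypeRejected("DOCTYPE %r not allowed in stream" % name)

    def on_chars(text):
        delivered[0] += len(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return delivered[0]


def rejects_dtd(data):
    """True if the hardened parser refuses `data` because it carries a DTD."""
    try:
        count_text_chars(data, allow_doctype=False)
    except DoctypeRejected:
        return True
    return False


# Constructed sample: about 300 bytes on the wire, 3000 characters once expanded.
BILLION_LAUGHS = billion_laughs()

if __name__ == "__main__":
    expanded = count_text_chars(BILLION_LAUGHS, allow_doctype=True)
    print("payload bytes:", len(BILLION_LAUGHS), "-> expanded chars:", expanded)
    print("hardened parser rejects it:", rejects_dtd(BILLION_LAUGHS))
    print("plain stanza chars:", count_text_chars("<message><body>hi</body></message>"))
```

Raising the fan-out or the level count makes the expanded size grow as fanout**levels while the payload grows only linearly, which is the whole point of the attack; rejecting the DOCTYPE up front costs nothing and, for XMPP, loses no legitimate input. Refusing DTDs is stricter than capping expansion, and the right choice for a protocol that forbids them; a general-purpose XML consumer would instead need expansion limits in the parser itself.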