CVE-2011-1753: billion laughs DoS vulnerability
Bug #791730 reported by Felix Geyer
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ejabberd (Ubuntu) | Fix Released | Medium | Unassigned | |
| Hardy | Won't Fix | Medium | Unassigned | |
| Lucid | Fix Released | Medium | Unassigned | |
| Maverick | Fix Released | Medium | Unassigned | |
| Natty | Fix Released | Medium | Unassigned | |
| Oneiric | Fix Released | Medium | Unassigned | |
Bug Description
Binary package hint: ejabberd
From http://
> Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber server
> written in Erlang, is vulnerable to the so-called "billion laughs" attack
> because it does not prevent entity expansion on received data.
> This allows an attacker to perform denial of service attacks against the
> service by sending specially crafted XML data to it.
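The advisory's point is that the server expanded entities from untrusted stream data. The usual mitigation is to refuse any DTD before the parser can read an entity declaration, which also matches what XMPP requires of streams (RFC 6120 forbids internal DTD subsets and entity references other than the predefined ones). The Python block below is an added example written for this page, not ejabberd's code: it wraps the standard-library expat parser so that a DOCTYPE or entity declaration aborts parsing, and contrasts it with an unrestricted parse of the same constructed three-level nesting, kept deliberately tiny. The sample stanzas and the `parse_strict`, `classify` and `expansion_if_unchecked` names are constructed for the illustration.

```python
"""
Refuse XML that declares a DTD or entities before any expansion can happen.

Defensive counterpart to the entity-expansion weakness described above:
an XMPP stream never legitimately carries a DOCTYPE, so the parser stops
at the declaration instead of expanding anything.
"""
import xml.parsers.expat as expat


class ForbiddenXmlConstruct(Exception):
    """Raised when the input carries a DTD or entity declaration."""


def parse_strict(data: bytes) -> dict:
    """Parse `data` with expat, refusing any DOCTYPE or entity declaration.

    Returns a small summary (element count, character-data length) so the
    caller can see the document was consumed. Raises ForbiddenXmlConstruct
    on a DTD construct and expat.ExpatError on malformed XML.
    """
    stats = {"elements": 0, "text_len": 0}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any <!ENTITY ...> inside the subset is read, so no
        # entity is ever registered, let alone expanded.
        raise ForbiddenXmlConstruct(f"DOCTYPE {name!r} not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Belt and braces: also reject declarations reached some other way.
        raise ForbiddenXmlConstruct(f"entity declaration {name!r} not allowed")

    def on_start(name, attrs):
        stats["elements"] += 1

    def on_text(text):
        stats["text_len"] += len(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)  # exceptions from handlers propagate out of Parse
    return stats


def expansion_if_unchecked(data: bytes) -> int:
    """Character-data length an unrestricted expat parse produces.

    Shows what the strict parser prevents: nested entities multiply the
    output even though the input stays small.
    """
    total = 0
    parser = expat.ParserCreate()

    def on_text(text):
        nonlocal total
        total += len(text)

    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return total


def classify(data: bytes) -> str:
    """'accepted' if the stanza parses strictly, 'rejected' on a DTD construct."""
    try:
        parse_strict(data)
        return "accepted"
    except ForbiddenXmlConstruct:
        return "rejected"


# Constructed samples (not taken from the bug report or the advisory).
BENIGN = b'<message to="a@example.org"><body>hi</body></message>'

# Three-level nesting with a 2x fan-out per level: the same shape as the
# attack the advisory names, kept tiny (expands to 4 characters).
NESTED = (b'<?xml version="1.0"?>'
          b'<!DOCTYPE m [<!ENTITY a "x"><!ENTITY b "&a;&a;"><!ENTITY c "&b;&b;">]>'
          b'<message><body>&c;</body></message>')


if __name__ == "__main__":
    print(classify(BENIGN))                # accepted
    print(classify(NESTED))                # rejected
    print(expansion_if_unchecked(NESTED))  # 4
```

Rejecting at the DOCTYPE handler is preferable to counting expansions afterwards: the decision is made on a few bytes of input, before the parser has allocated anything proportional to the expanded size.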
CVE References
visibility: private → public
Upstream bug report: https://support.process-one.net/browse/EJAB-1451
Upstream fix: https://git.process-one.net/ejabberd/mainline/commit/bd1df027c622e1f96f9eeaac612a6a956c1ff0b6
The bug report states that all ejabberd versions before 2.1.7 are affected.