CVE-2011-1753: billion laughs DoS vulnerability

Bug #791730 reported by Felix Geyer
Affects             Status         Importance   Assigned to   Milestone
ejabberd (Ubuntu)   Fix Released   Medium       Unassigned
  Hardy             Won't Fix      Medium       Unassigned
  Lucid             Fix Released   Medium       Unassigned
  Maverick          Fix Released   Medium       Unassigned
  Natty             Fix Released   Medium       Unassigned
  Oneiric           Fix Released   Medium       Unassigned

Bug Description

Binary package hint: ejabberd

From http://www.debian.org/security/2011/dsa-2248

> Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber server
> written in Erlang, is vulnerable to the so-called "billion laughs" attack
> because it does not prevent entity expansion on received data.
> This allows an attacker to perform denial of service attacks against the
> service by sending specially crafted XML data to it.
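The mechanism behind the advisory, as an added example that is not part of this bug report or of ejabberd's code (ejabberd is written in Erlang and its fix lives in its own expat binding; this example uses Python's xml.parsers.expat to show the same parser behaviour). It builds a small nested-entity document, parses it once with entity expansion left enabled, and once with a parser that refuses the first <!ENTITY> declaration it sees. The payload, the `depth`/`fanout` parameters and the refuse-on-declaration mitigation are this example's own choices, not a description of the upstream patch. An XMPP stream never legitimately carries a DOCTYPE or internal DTD subset (RFC 6120 forbids them), so rejecting any entity declaration costs a server nothing.

```python
"""Billion-laughs entity expansion, naive parse beside a hardened parse.

Added example, not ejabberd's code. The payload shape and the
"refuse every entity declaration" mitigation are assumptions made here.
"""
import xml.parsers.expat

PROLOGUE = '<?xml version="1.0"?>'


def billion_laughs_payload(depth: int = 3, fanout: int = 10) -> bytes:
    """Build a nested-entity document (constructed sample input).

    lol0 expands to "lol"; each lol{i} expands to `fanout` copies of
    lol{i-1}, so the single reference &lol{depth}; in the body yields
    3 * fanout**depth bytes of character data from a document that is
    only a few hundred bytes long. Keep depth small when running this.
    """
    lines = [PROLOGUE, "<!DOCTYPE message [", '<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        lines.append(f'<!ENTITY lol{i} "{refs}">')
    lines.append("]>")
    lines.append(f"<message>&lol{depth};</message>")
    return "\n".join(lines).encode()


def expected_expansion(depth: int, fanout: int) -> int:
    """Bytes of character data the payload expands to, computed not built."""
    return 3 * fanout ** depth


def naive_text_length(doc: bytes) -> int:
    """Parse like an unpatched server: expat expands internal entities."""
    chunks = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = chunks.append
    p.Parse(doc, True)
    return len("".join(chunks))


class EntityDeclarationRejected(Exception):
    """Raised when the hardened parser meets an entity declaration."""


def hardened_text_length(doc: bytes) -> int:
    """Same parse, but abort on the first ENTITY declaration.

    expat calls EntityDeclHandler before the entity can ever be
    referenced, so the expansion never starts; an exception raised in
    a pyexpat handler stops the parser and propagates out of Parse().
    """
    chunks = []
    p = xml.parsers.expat.ParserCreate()

    def reject(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationRejected(f"entity declaration {name!r} refused")

    p.EntityDeclHandler = reject
    p.CharacterDataHandler = chunks.append
    p.Parse(doc, True)
    return len("".join(chunks))


def is_rejected(doc: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        hardened_text_length(doc)
    except EntityDeclarationRejected:
        return True
    return False


if __name__ == "__main__":
    doc = billion_laughs_payload(depth=3, fanout=10)
    print(f"{len(doc)}-byte payload expands to {naive_text_length(doc)} bytes")
    print("hardened parser rejects it:", is_rejected(doc))
    print("at depth 9 the same shape would expand to",
          expected_expansion(9, 10), "bytes")
```

With the default depth of 3 the naive parser already produces ten times the text of a single level; at depth 9 the same document, still well under a kilobyte, would expand to three gigabytes, which is what exhausts the server. Rejecting the declaration (rather than capping the expansion) is the simplest fix for a protocol that never uses DTDs.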

Felix Geyer (debfx)
visibility: private → public
Felix Geyer (debfx) wrote :

Upstream bug report: https://support.process-one.net/browse/EJAB-1451
Upstream fix: https://git.process-one.net/ejabberd/mainline/commit/bd1df027c622e1f96f9eeaac612a6a956c1ff0b6

The bug report states that all ejabberd versions before 2.1.7 are affected.

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in ejabberd (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Changed in ejabberd (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → Medium
Changed in ejabberd (Ubuntu Natty):
status: New → Triaged
importance: Undecided → Medium
Changed in ejabberd (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → Medium
Changed in ejabberd (Ubuntu Hardy):
status: New → Triaged
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Oneiric is fixed via 2.1.6-2.1.

Changed in ejabberd (Ubuntu Oneiric):
status: Triaged → Fix Released
Felix Geyer (debfx) wrote :

natty fixed in 2.1.5-3+squeeze1build0.11.04.1

Changed in ejabberd (Ubuntu Natty):
status: Triaged → Fix Released
Felix Geyer (debfx) wrote :

debdiff for lucid

Felix Geyer (debfx) wrote :

debdiff for maverick

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs, ACK.

Packages are being built now, and will be released in the next few hours.

Thanks!

Changed in ejabberd (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in ejabberd (Ubuntu Maverick):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 2.1.5-2ubuntu0.1

---------------
ejabberd (2.1.5-2ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: billion laughs DoS vulnerability (LP: #791730)
    - debian/patches/CVE-2011-1753.patch: patch from upstream
    - CVE-2011-1753
 -- Felix Geyer <email address hidden> Thu, 16 Jun 2011 12:06:06 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 2.1.2-2ubuntu0.1

---------------
ejabberd (2.1.2-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: billion laughs DoS vulnerability (LP: #791730)
    - debian/patches/CVE-2011-1753.patch: patch from upstream
    - CVE-2011-1753
 -- Felix Geyer <email address hidden> Thu, 16 Jun 2011 11:53:01 +0200

Changed in ejabberd (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in ejabberd (Ubuntu Maverick):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in ejabberd (Ubuntu Hardy):
status: Triaged → Won't Fix