Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

igniterealtime.org   Openfire   Fixed in 3.9.2

We did not find any commits for this under the
http://fisheye.igniterealtime.org/changelog/ URL. Accordingly, only
one CVE is possible at present. Use CVE-2014-2741.



Isode Ltd.           M-Link     Fixed in 16.0v7

We did not find any details about the change under the
http://www.isode.com/products/m-link.html URL. (Also, the
http://www.isode.com/evaluate/instant-messaging-xmpp.html page seems
to imply that this is not open source.) Accordingly, only one CVE is
possible at present. Use CVE-2014-2742.



lightwitch.org       Metronome  Fix in progress
http://code.lightwitch.org/metronome/rev/49f47277a411

Use CVE-2014-2743 for "Don't process deflated data if it exceedes the
max allowed limit."

Use CVE-2014-2744 for "Don't allow to compress a stream if it's not
authenticated."



Prosody              Prosody    Fixed in 0.9.4
http://blog.prosody.im/prosody-0-9-4-released/

Use CVE-2014-2745 for these changes that address resource consumption
in general:
  http://hg.prosody.im/0.9/rev/a97591d2e1ad
  http://hg.prosody.im/0.9/rev/1107d66d2ab2

Use CVE-2014-2744 for this change that addresses decompression of
unauthenticated data:
  http://hg.prosody.im/0.9/rev/b3b1c9da38fb

(This is exactly the same plugins/mod_compression.lua fix as in
Metronome, and thus has the same CVE ID. Metronome was originally
based on the Prosody codebase.)



Tigase               Tigase     Fixed in 5.2.1
http://www.tigase.org/content/uncontrolled-resource-consumption-highly-compressed-xmpp-messages
https://projects.tigase.org/projects/tigase-server/repository/revisions/7f5af2f8c5b97bbf9def66fbb9dd47746a7ac292
https://projects.tigase.org/issues/1780 (not a public bug)

We did not determine that more than one issue was fixed. Accordingly,
only one CVE is possible at present. Use CVE-2014-2746.



Erlang Solutions     MongooseIM Under Investigation

We did not find anything under the
https://github.com/esl/MongooseIM/commits/master URL. There is
apparently no publicly known vulnerability and thus no CVE assignment.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTRJxDAAoJEKllVAevmvmsUdcH/0W6GGzE1yTEOnxFqtZ8ghvE
gavs13esHOeB/FLHdliJx54y/xzKoXbWPwItKVju/lqbRJwCMpy1G7+to4PoZ3ZO
O1hanQGjCwmH48D4pY0z203d3whXuMGoZI+DLhyDqvVvwYAwboTCu2E36j0q8Zj2
kwpxfzShE6v13PKriEwMgVLZMj1xUZSD6yXMg24v48vjcRnDqReZ5wdrnXRYIwPP
Kkzlj9P6D+gR98ZQp5pLX5Db574vcAP+7v5jn2EvfGJRsofUhX/K2oPrQ/xGfCpH
rJpvIvBglugtW3/iVKtrKK9QBF5bcFxBrFGWAfrTois5du4FA9iQoi0jC6J0AHo=
=U9OB
-----END PGP SIGNATURE-----