XMPP/Jabber clients DoS vulnerability report

Mark Doliner mark at kingant.net
Sun Feb 14 15:53:56 EST 2010


On Thu, Jan 28, 2010 at 1:41 AM, Andrea Barisani <lcars at ocert.org> wrote:
> On Wed, Jan 27, 2010 at 10:45:50PM -0500, Ethan Blanton wrote:
>> Andrea Barisani spake unto us the following wisdom:
>> > oCERT is mainly concerned about the issue not being exploitable as we
>> > generally don't issue advisories about "simple DoS conditions."
>>
>> This is not an exploitable bug, it is simply a denial of service
>> through resource allocation.

*snip*

> We won't release a public advisory (unless you specifically want us to).
> Embargo date sounds good to us, if you send us a patch we will forward it to
> vendor-sec and/or other linux vendors pointing out the embargo date to speed
> up patching if you like. Just make sure you give us the exact date if
> possible, so that I can reference that.

Ari Pollak from Debian asked if there is a CVE# for this issue.  I
don't believe there is, but I thought I would check.

I think in the past we have had CVE#s issued for denial of service
bugs like this.  Unless you have any objections I guess I'll ask one
of the distributions that package Pidgin to request a CVE# for this.
I don't know if that's something that oCERT usually does, or if you
have a preference for who requests the number?

--Mark
