XMPP/Jabber clients DoS vulnerability report
Andrea Barisani
lcars at ocert.org
Sun Feb 14 17:29:09 EST 2010
On Sun, Feb 14, 2010 at 12:53:56PM -0800, Mark Doliner wrote:
> On Thu, Jan 28, 2010 at 1:41 AM, Andrea Barisani <lcars at ocert.org> wrote:
> > On Wed, Jan 27, 2010 at 10:45:50PM -0500, Ethan Blanton wrote:
> >> Andrea Barisani spake unto us the following wisdom:
> >> > oCERT is mainly concerned about the issue not being exploitable as we
> >> > generally don't issue advisory about "simple DoS conditions".
> >>
> >> This is not an exploitable bug, it is simply a denial of service
> >> through resource allocation.
>
> *snip*
>
> > We won't release a public advisory (unless you specifically want us to).
> > Embargo date sounds good to us, if you send us a patch we will forward it to
> > vendor-sec and/or other linux vendors pointing out the embargo date to speed
> > up patching if you like. Just make sure you give us the exact date if
> > possible, so that I can reference that.
>
> Ari Pollak from Debian asked if there is a CVE# for this issue? I
> don't believe there is, but I thought I would check.
>
> I think in the past we have had CVE#s issued for denial of service
> bugs like this. Unless you have any objections I guess I'll ask one
> of the distributions who packages Pidgin to request a CVE# for this.
> I don't know if that's something that oCERT usually does? Or if you
> have a preference who requests the number?
>
Please use CVE-2010-0423, which was assigned for this.
Thanks!
> --Mark
--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lcars at ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"