XMMP/Jabber clients DoS vulnerability report
Sadrul Habib Chowdhury
sadrul at pidgin.im
Wed Jan 27 13:50:05 EST 2010
* Ethan Blanton had this to say on [27 Jan 2010, 13:40:17 -0500]:
> Ethan Blanton spake unto us the following wisdom:
> > OK, that's what I was hoping to hear, is that it eventually unfreezes.
> > I think we should handle this as follows:
> >
> > 1) Implement a cap on smileys per message; it can be quite high, even
> > -- say 128.
>
> I should add that I believe we should NOT commit this cap until the
> embargo terms are hammered out, so as not to break the embargo.
>
> > 2) Notify the original poster that we have verified the problem, that
> > it is *not* a crash bug and that Pidgin will eventually recover,
> > but that it is clearly a denial of service.
> > 3) Request that, since the severity is rather low, this be embargoed
> > for some time which we will determine among the involved projects,
> > but which gives us time to make a proper next release, rather than
> > an emergency bugfix release.
> >
> > How does that sound to everyone? I think we should take some official
> > course of action ASAP. That is, after all, the reason we created this
> > list. :-)
>
> So far I have agreement from Daniel. I would like to respond to this
> today.
This all sounds good to me too.
Cheers,
Sadrul
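The per-message cap proposed in point 1 above, as an added example that is not Pidgin's own code: a renderer that turns only the first SMILEY_CAP (128) smiley tokens into image placeholders and copies the rest through as literal text, so a flood of tokens costs a bounded number of widgets. The smiley table, the `<img>` placeholder markup and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define SMILEY_CAP 128  /* per-message cap proposed in the thread */

/* Constructed smiley table for the example; a real theme has many more. */
static const char *smileys[] = { ":-)", ":-(", ";-)", NULL };

/* Render msg into out (outlen bytes). The first `cap` smiley tokens become an
 * image placeholder; any beyond the cap are copied through as literal text.
 * Returns the number of tokens rendered as images. */
size_t render_with_cap(const char *msg, size_t cap, char *out, size_t outlen)
{
    size_t rendered = 0, o = 0;
    const char *p = msg;
    while (*p && o + 1 < outlen) {
        const char *match = NULL;
        for (int i = 0; smileys[i]; i++)
            if (strncmp(p, smileys[i], strlen(smileys[i])) == 0) { match = smileys[i]; break; }
        if (match && rendered < cap) {
            int n = snprintf(out + o, outlen - o, "<img alt=\"%s\">", match);
            if (n < 0 || (size_t)n >= outlen - o) break;  /* out of room: stop */
            o += (size_t)n; p += strlen(match); rendered++;
        } else {
            out[o++] = *p++;  /* plain byte, or a smiley past the cap */
        }
    }
    out[o] = '\0';
    return rendered;
}

/* Stand-alone check: render `tokens` copies of ":-)" under `cap` and return
 * how many became images. Buffers are sized for this demo only. */
size_t rendered_for_flood(size_t tokens, size_t cap)
{
    char msg[2048], out[4096];
    size_t len = 0;
    for (size_t i = 0; i < tokens && len + 4 <= sizeof msg; i++)
        len += (size_t)sprintf(msg + len, ":-)");
    msg[len] = '\0';
    return render_with_cap(msg, cap, out, sizeof out);
}

/* Stand-alone check: 1 if msg rendered under cap equals `expected`, else 0. */
int renders_to(const char *msg, size_t cap, const char *expected)
{
    char out[512];
    render_with_cap(msg, cap, out, sizeof out);
    return strcmp(out, expected) == 0;
}
```

With 130 tokens in one message, `rendered_for_flood(130, SMILEY_CAP)` returns 128 and the last two smileys stay as plain text.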