Red Hat Product Errata RHSA-2011:0882 - Security Advisory

Issued:: 2011-06-16
Updated:: 2011-06-16

RHSA-2011:0882 - Security Advisory

Overview
Updated Packages

Synopsis

Low: Red Hat Network Satellite server jabberd security update

Type/Severity

Security Advisory: Low

Topic

An updated jabberd package that fixes one security issue is now available
for Red Hat Network Satellite 5.4.1 for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

This package provides jabberd 2, an Extensible Messaging and Presence
Protocol (XMPP) server used for XML based communication.

It was found that the jabberd daemon did not properly detect recursion
during entity expansion. A remote attacker could provide a
specially-crafted XML file containing a large number of nested entity
references, which once processed by the jabberd daemon, could lead to a
denial of service (excessive memory and CPU consumption). (CVE-2011-1755)

Red Hat would like to thank Nico Golde of the Debian Security Team for
reporting this issue. The Debian Security Team acknowledges Wouter
Coekaerts as the original reporter.

Users of Red Hat Network Satellite 5.4.1 are advised to upgrade to this
updated jabberd package, which resolves this issue. For this update to take
effect, Red Hat Network Satellite must be restarted. Refer to the Solution
section for details.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Run the following command to restart the Red Hat Network Satellite
server:

# rhn-satellite restart

Affected Products

Red Hat Satellite with Embedded Oracle 5.4 for RHEL 5 x86_64
Red Hat Satellite with Embedded Oracle 5.4 for RHEL 5 s390x
Red Hat Satellite with Embedded Oracle 5.4 for RHEL 5 i386

Fixes

BZ - 700390 - CVE-2011-1755 jabberd: DoS via the XML "billion laughs attack"

CVEs

CVE-2011-1755

References

https://access.redhat.com/security/updates/classification/#low

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Satellite with Embedded Oracle 5.4 for RHEL 5

SRPM
jabberd-2.2.8-12.el5sat.src.rpm	SHA-256: 9375d731fef6aa19c06579d3e274e992c5c425e2696101dfc96842ea7faa0d3f
x86_64
jabberd-2.2.8-12.el5sat.x86_64.rpm	SHA-256: fa2da79df290a4e560914aea83b898d4f66d4b9b4dc72830695f6d81d3f88802
s390x
jabberd-2.2.8-12.el5sat.s390x.rpm	SHA-256: a54a46e83c1b065c840ad27ae5f28d1fe8cd93b634961a7c718979dc709936e5
i386
jabberd-2.2.8-12.el5sat.i386.rpm	SHA-256: 6ff2ff632df1f291d1cedcfa7afd150910f03426aa16cb647d6187f8027b955a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories