Hi,

What about the prosody version in squeeze? Is it unaffected? If so, it may help to make it clear in the DSA.

Warm regards and thanks for the good work,
Tom

On 06/04/14 01:10, Luciano Bello wrote:
-------------------------------------------------------------------------
Debian Security Advisory DSA-2895-1                   secur...@debian.org
http://www.debian.org/security/                             Luciano Bello
April 06, 2014                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : prosody

A denial-of-service vulnerability has been reported in Prosody, an XMPP server. If compression is enabled, an attacker might send highly-compressed XML elements (attack known as "zip bomb") over XMPP streams and consume all the resources of the server.

The SAX XML parser lua-expat is also affected by this issue.

For the stable distribution (wheezy), this problem has been fixed in version 0.8.2-4+deb7u1 of prosody.

For the unstable distribution (sid), this problem has been fixed in version 0.9.4-1 of prosody.

For the stable distribution (wheezy), this problem has been fixed in version 1.2.0-5+deb7u1 of lua-expat.

For the unstable distribution (sid), this problem has been fixed in version 1.3.0-1 of lua-expat.

We recommend that you upgrade your prosody and lua-expat packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
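
The resource exhaustion described in the advisory comes from inflating attacker-supplied compressed data without a bound on the output. The following is an added example, not part of the advisory and not Prosody's or lua-expat's code, showing the general mitigation in Python: cap how many bytes one compressed network read may expand to and drop the stream when the cap is hit. It assumes a zlib-compressed stream; `inflate_bounded`, `InflateLimitExceeded`, `demo` and the limit values are hypothetical.

```python
import zlib


class InflateLimitExceeded(Exception):
    """One compressed read tried to expand past the allowed budget."""


def inflate_bounded(inflater, data, max_out=256 * 1024, chunk=16 * 1024):
    """Inflate one network read, never producing more than max_out bytes.

    Output is pulled in chunk-sized pieces via max_length, so memory use stays
    bounded even when a few KiB of input would expand to gigabytes.
    """
    out, produced, buf = [], 0, data
    while True:
        piece = inflater.decompress(buf, chunk)
        produced += len(piece)
        if produced > max_out:
            # Caller should close the stream; the inflater state is abandoned.
            raise InflateLimitExceeded(f"{len(data)} bytes in, >{max_out} bytes out")
        out.append(piece)
        buf = inflater.unconsumed_tail  # input zlib has not consumed yet
        if not buf and len(piece) < chunk:
            return b"".join(out)


def demo():
    """Run a normal stanza and an oversized one through the same stream."""
    # Constructed sample data: one small stanza, then 8 MiB of padding.
    comp = zlib.compressobj()
    normal = comp.compress(b"<presence/>") + comp.flush(zlib.Z_SYNC_FLUSH)
    padded = comp.compress(b"<a>" + b" " * (8 << 20) + b"</a>")
    padded += comp.flush(zlib.Z_SYNC_FLUSH)

    inflater = zlib.decompressobj()
    plain = inflate_bounded(inflater, normal)
    try:
        inflate_bounded(inflater, padded)
        rejected = False
    except InflateLimitExceeded:
        rejected = True
    return plain, len(padded), rejected


if __name__ == "__main__":
    print(demo())
```
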