GLSA Advocate
Posted: Mon Mar 19, 2018 2:26 am Post subject: [ GLSA 201803-07 ] JabberD 2.x
Gentoo Linux Security Advisory
Title: JabberD 2.x: Multiple vulnerabilities (GLSA 201803-07)
Severity: high
Exploitable: local, remote
Date: 2018-03-19
Bug(s): #623806, #629412, #631068
ID: 201803-07
Synopsis
Multiple vulnerabilities have been found in Gentoo's JabberD 2.x
ebuild, the worst of which allows local attackers to escalate privileges.
Background
JabberD 2.x is an open source Jabber server written in C.
Affected Packages
Package: net-im/jabberd2
Vulnerable: <= 2.6.1
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in Gentoo’s JabberD 2.x
ebuild. Please review the referenced CVE identifiers for details.
Impact
An attacker could possibly escalate privileges by owning system binaries
in trusted locations, cause a Denial of Service condition by manipulating
the PID file from jabberd2 services, bypass security via SASL ANONYMOUS
connections or have other unspecified impacts.
Workaround
There is no known workaround at this time.
Resolution
Gentoo has discontinued support for JabberD 2.x and recommends that
users unmerge the package:
Code:
# emerge --unmerge "net-im/jabberd2"

As an alternative, users may want to upgrade their systems to use
net-im/prosody instead of net-im/jabberd2.
References
CVE-2017-10807
CVE-2017-18225
CVE-2017-18226