Re: CVE-2011-1757: djabberd billion laughs vulnerability

[Brad Fitzpatrick]

Yann or Martin are the new maintainers, I believe.

On Sat, Jun 4, 2011 at 1:22 PM, Wouter Coekaerts <wou...@coekaerts.be> wrote:

Hi,

I'm a bit confused with this group being empty (on
http://groups.google.com/group/djabberd/topics ), but I'll give it a
shot anyways.

I'm not sure you're already aware of this (only Brad got notified in
advance in private and might have missed/ignored it): just like many
other jabber servers, djabberd is vulnerable to the "billion laughs"
attack. This is CVE-2011-1757.
This is the first time I'm mentioning that in public, but it's already
public for other jabber servers so there's no point in pretending this
is still secret.

Is djabberd still being maintained? Is there a fix available or
planned for this?
And in case you don't care enough about it because it's just a denial
of service: what's the chance of a worse not-really-public-yet
vulnerability getting fixed? Who should be contacted for that?

Regards,

Wouter.

[Wouter Coekaerts]