Openfire: Denial of Service — GLSA 200804-26

A design error in Openfire might lead to a Denial of Service.

Affected Packages

net-im/openfire on all architectures
Affected versions < 3.5.0
Unaffected versions >= 3.5.0

Background

Openfire (formerly Wildfire) is a Java implementation of a complete Jabber server.

Description

Openfire's connection manager in the file ConnectionManagerImpl.java cannot handle clients that fail to read messages, and has no limit on their session's send buffer.

Impact

Remote authenticated attackers could trigger large outgoing queues without reading messages, causing a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All Openfire users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-im/openfire-3.5.0"

References

Release Date
April 23, 2008

Latest Revision
April 23, 2008: 01

Severity
normal

Exploitable
remote

Bugzilla entries