prosody - security update

ID: OSV:DSA-2895-1
Source: Google (osv.dev)
Published: 2014-04-06

CVSS2: 7.8 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

A denial-of-service vulnerability has been reported in Prosody, an XMPP
server. If compression is enabled, an attacker might send highly compressed XML
elements (an attack known as a zip bomb) over XMPP streams and consume all
the resources of the server.
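
One general way a receiver can bound this kind of expansion, shown as an added example that is not part of the advisory and is not the fix shipped in prosody or lua-expat: a streaming zlib inflater that caps the output of each network read and the overall expansion ratio. The class name, the limits and the sample stanzas are assumptions constructed for illustration.

```python
import zlib

class InflateLimitExceeded(Exception):
    """The compressed input expanded past the configured budget."""

class BoundedInflater:
    """Streaming zlib inflater; the limits are illustrative assumptions."""

    def __init__(self, max_out_per_feed=256 * 1024, max_ratio=200, chunk=16 * 1024):
        self._z = zlib.decompressobj()
        self.max_out_per_feed = max_out_per_feed
        self.max_ratio = max_ratio
        self.chunk = chunk
        self.total_in = self.total_out = 0

    def feed(self, data: bytes) -> bytes:
        """Inflate one network read without ever buffering past the budget."""
        self.total_in += len(data)
        produced, parts, buf = 0, [], data
        while True:
            # max_length bounds every step, so an oversized element is rejected
            # after at most one extra chunk of output, not after full expansion.
            piece = self._z.decompress(buf, self.chunk)
            produced += len(piece)
            self.total_out += len(piece)
            if produced > self.max_out_per_feed:
                raise InflateLimitExceeded("output budget exceeded for this read")
            over_ratio = self.total_out > self.max_ratio * max(self.total_in, 1)
            if over_ratio and self.total_out > self.chunk:
                raise InflateLimitExceeded("expansion ratio exceeded")
            parts.append(piece)
            buf = self._z.unconsumed_tail
            if not buf and len(piece) < self.chunk:
                return b"".join(parts)

def demo():
    """Constructed inputs: an ordinary stanza, then a highly repetitive element."""
    c = zlib.compressobj()
    stanza = b"<message to='a@example.org'><body>hello</body></message>"
    normal = c.compress(stanza) + c.flush(zlib.Z_SYNC_FLUSH)
    padded = c.compress(b"<x>" + b" " * (4 * 1024 * 1024) + b"</x>") + c.flush(zlib.Z_SYNC_FLUSH)
    inflater = BoundedInflater()
    first = inflater.feed(normal)
    try:
        inflater.feed(padded)
        rejected = False
    except InflateLimitExceeded:
        rejected = True
    return first, rejected, inflater.total_out
```

Once `InflateLimitExceeded` is raised the inflater state is no longer usable, so the caller should close the stream rather than continue reading from it.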

The SAX XML parser lua-expat is also affected by this issue.

For the stable distribution (wheezy), this problem has been fixed in
version 0.8.2-4+deb7u1 of prosody.

For the unstable distribution (sid), this problem has been fixed in
version 0.9.4-1 of prosody.

For the stable distribution (wheezy), this problem has been fixed in
version 1.2.0-5+deb7u1 of lua-expat.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.0-1 of lua-expat.

We recommend that you upgrade your prosody and lua-expat packages.

CPE

Name       Operator   Version
prosody    eq         0.8.2-4
