FYI.

> Begin forwarded message:
>
> > When parsing a JID, jabberd2 version 2.3.2 and below truncate the data
> > but do not verify whether the result is valid UTF-8 before passing it
> > to libidn.
>
> Use CVE-2015-2058 for this jabberd2 vulnerability in which truncation
> fails to preserve the validity of the input, because the truncation
> occurs on a byte boundary that is not necessarily a character
> boundary. (The resulting invalid input has security-relevant
> mishandling within the current version of a required library, and it's
> reasonable to expect that security-relevant mishandling could occur in
> other cases.)
More context:
https://github.com/jabberd2/jabberd2/issues/85
http://seclists.org/oss-sec/2015/q1/487

Regards,
Thijs
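The truncation problem described in the forwarded text, as an added example that is not part of this message and is not jabberd2's own code: a plain byte-count truncation (the pattern the advisory describes) beside a truncation that backs up to a UTF-8 character boundary, plus a well-formedness check of the kind that should run before the result is handed to libidn. The function names, the byte limit, and the sample JID local parts are assumptions chosen for illustration; the example does not call libidn, it only shows the check that must precede such a call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check that s[0..n) is well-formed UTF-8 (RFC 3629): valid lead bytes,
 * the right number of 10xxxxxx continuation bytes, no overlong forms,
 * no UTF-16 surrogates, nothing above U+10FFFF. A sequence cut off by
 * the end of the buffer, which is what byte truncation produces, fails
 * the "i + len > n" test. Returns 1 if valid, 0 otherwise. */
int utf8_valid(const unsigned char *s, size_t n) {
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        size_t len;
        uint32_t cp;
        if (c < 0x80) { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { if (c < 0xC2) return 0; len = 2; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { if (c > 0xF4) return 0; len = 4; cp = c & 0x07; }
        else return 0;                      /* stray continuation or 0xF5..0xFF */
        if (i + len > n) return 0;          /* sequence runs past the end */
        for (size_t j = 1; j < len; j++) {
            if ((s[i + j] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + j] & 0x3F);
        }
        if (len == 3 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return 0;
        if (len == 4 && (cp < 0x10000 || cp > 0x10FFFF)) return 0;
        i += len;
    }
    return 1;
}

/* Byte-boundary truncation of the kind the advisory describes: copy at
 * most max_bytes bytes and NUL-terminate. If the cut lands inside a
 * multibyte sequence, the result is no longer valid UTF-8.
 * dst must hold max_bytes + 1 bytes. Returns the bytes copied. */
size_t truncate_bytes(char *dst, const char *src, size_t max_bytes) {
    size_t n = strlen(src);
    if (n > max_bytes) n = max_bytes;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Character-boundary truncation with the same byte budget: if byte
 * src[n] is a continuation byte (10xxxxxx) the cut is inside a sequence,
 * so back up to the lead byte of that sequence and drop it whole.
 * Assumes src is itself valid UTF-8; validate afterwards regardless. */
size_t truncate_utf8(char *dst, const char *src, size_t max_bytes) {
    size_t n = strlen(src);
    if (n > max_bytes) {
        n = max_bytes;
        while (n > 0 && (((unsigned char)src[n]) & 0xC0) == 0x80) n--;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Hypothetical pre-processing step for one JID part: truncate on a
 * character boundary, then refuse anything that is not well-formed
 * UTF-8 instead of passing it to a library (such as libidn) that is
 * entitled to assume valid input. Returns the length or -1 on rejection. */
int jid_part_prepare(char *dst, const char *src, size_t max_bytes) {
    size_t n = truncate_utf8(dst, src, max_bytes);
    if (!utf8_valid((const unsigned char *)dst, n)) return -1;
    return (int)n;
}

int main(void) {
    /* Constructed sample: "user" followed by U+00E9 (C3 A9). Cutting at
     * five bytes splits the two-byte sequence. The limit 5 is arbitrary. */
    const char *local = "user\xC3\xA9";
    char buf[16];
    size_t n = truncate_bytes(buf, local, 5);
    printf("byte truncation:      %zu bytes, valid UTF-8: %d\n",
           n, utf8_valid((const unsigned char *)buf, n));
    int m = jid_part_prepare(buf, local, 5);
    printf("character truncation: %d bytes (\"%s\")\n", m, buf);
    return 0;
}
```

With a valid input, truncate_utf8 never yields something utf8_valid rejects, so the -1 path in jid_part_prepare is only reached when the caller's input was already malformed; that is the point of keeping the validity check separate from the truncation rather than trusting either step alone.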
