This directory contains a fix for the possible DoS attack against jabberd version 1.4.3 reported by José Antonio Calvo in http://jabberstudio.org/pipermail/jabberd/2004-September/002004.html.

Without this patch, it is possible to remotly crash jabberd14, if there is access to one of the following types of network sockets:

• Socket accepting client connections
• Socket accepting connections from other servers
• Socket connecting to an other Jabber server
• Socket accepting connections from server components
• Socket connecting to server components

This is any socket on which the jabberd server parses XML!

The problem existed in the included expat XML parser code. This patch removes the included expat code from jabberd14 and links jabberd against an installed version of expat. Before compiling jabberd14 including the patch, make sure that expat is instaled on your system including the necessary development package of expat! (The configure script will not check the existence of an expat installation of your system. If expat is not installed including the development files, the compilation of jabberd will fail.)

To verify the vulnerability of your existing installation, you can use the following command: echo -e '\xef\xbb\xbf'|netcat {serverIP} {serverPort}.

You can download the fix as a patch either as a patch against version 1.4.3 of the server or as a complete archive containing the already patched server code. Both files are compressed with bzip2. To decompress the first file use bzip2 -d <filename>, to unpack the second one use tar xfvj <filename>.

Version 1.4.3.1 is identical to the pure patch version contained in the old subdirectory exept for the version string contained.