jadc2s up to and including version 0.9.0 includes a bug in the included expat parser, that allows a remote user to crash jadc2s by sending invalid XML code.

The bug has been reported on 2004-09-19 on the jabberd mailing list. CVS versions of jadc2s are not affected by this bug since 2004-09-07 as the code containing the bug had been removed from jadc2s at this date.

The patch on this page includes two other fixes:

• fix for a small problem in the command line parsing, that is not security relevant but made the -c option useless in version 0.9.0.
• fix for a problem, that the SSL security layer in jadc2s 0.9.0 may break

2004-09-20, Matthias Wimmer