ejabberd 1.1.3: Security fix on mod_roster_odbc

ejabberd 1.1.3 has been released. This release fixes a security issue in the module mod_roster_odbc. If you are using ejabberd 1.1.2 with mod_roster_odbc, you should upgrade as soon as possible. The upgrade is only necessary if you use ejabberd with mod_roster_odbc.

More information:

Assholes... 1.1.2 to 1.1.3 upgrade issue with mod_roster_odbc

Okay, after just upgrading ejabberd from 1.1.2 to 1.1.3 we have no working roster at all...
What da f*ck?
=ERROR REPORT==== 2007-06-01 15:47:03 ===
E(<0.287.0>:ejabberd_hooks:187): {function_clause,
[{mod_roster_odbc,
raw_to_record,
["server.com",
{"user",
"999939393@icq.server.com",
[],
"B",
"N"}]},
{mod_roster_odbc,
'-get_in_pending_subscriptions/3-fun-1-',
2},
{lists,flatmap,2},
{mod_roster_odbc,
get_in_pending_subscriptions,
3},
{ejabberd_hooks,run_fold1,4},
{ejabberd_c2s,
resend_subscription_requests,
1},
{ejabberd_c2s,presence_update,3},
{ejabberd_c2s,session_established,2}]}
running hook: {resend_subscription_requests_hook,["user","server.com"]}

Investigation showed that when the rosterusers table gets cleared, new users can be added without any problem.

That means that we should blame the developers... they've done stupid things with NULL analysis...

the solution is one-string (for postgresql)

update rosterusers set askmessage = '', subscribe = '';

Again, and again... everything is done through anus....

It must come from somewhere else sir

Hello Sir,

Migration from ejabberd 1.1.2 to 1.1.3 cannot do what you say, because it only adds one line, which is escaping before writing to the database.

See the only change, here:
https://forge.process-one.net/browse/ejabberd/branches/ejabberd-1.1.3/sr...

Sorry, but this version does not have any impact on existing data, thus your problem might come from somewhere else.

Yeah, this change hurts

Yeah, this change hurts db...

Did you actually read the patch?

Did you read it?
How can it hurt the DB?
It does not make any change to the database.

Guys

And fix plz this....

ejabberd 1.1.3 - Security fix on mod_roster_odbc

user warning: Unknown column 'style' in 'field list' query: SELECT scid, filter, style, effect, action FROM spam_custom WHERE effect != 4
in /usr/local/www/data-dist/drupal/includes/database.mysql.inc on line 172.

Submitted by badlop on Sat, 2007-02-03 13:52.

* Planet Jabber News

how ironic.... ;-)

Where does this error appear?

Anonymous wrote:

And fix plz this....

I don't see that error message anywhere, could you please be more specific?

Glad it works!

Anonymous wrote:

the solution is one-string

I'm happy that you could make it work again ☺

Is there any chance to send automatic reports on every bug that happens? Or to have some sort of error history?
