Your message dated Fri, 26 Apr 2013 07:32:38 +0000
with message-id <[email protected]>
and subject line Bug#705613: fixed in ejabberd 2.1.10-5
has caused the Debian Bug report #705613,
regarding ejabberd: SCRAM bug in GS2 Header parsing with optional parameters
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
705613: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705613
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ejabberd
Version: 2.1.9
Severity: important

This version of ejabberd added support for SCRAM-SHA-1 authentication.
Unfortunately, it rejects RFC-compliant GS2 headers containing the "a="
parameter.

Here is an upstream bug report with a test case and a patch 
against current upstream git, developed by Stephen Röttger, who wrote
the ejabberd SCRAM-SHA-1 code originally:
https://support.process-one.net/browse/EJAB-1632

At least one XMPP client sends these headers by default: git-annex
does, due to using the Haskell XMPP library, which uses libgsasl7.
The Haskell XMPP library's only involvement seems to be in passing
this information to gsasl. According to its author, John Millikin:

> The XMPP code passes in any parameters it has available that might be
> needed for gsasl to complete the authentication. While removing it
> might allow auth to succeed in this case, it could also break auth for
> servers that want to validate the user JID's domain name.

So, it seems likely to me that other XMPP clients that use gsasl
may also be hit by this incompatibility. However, I have not tried to find
ones that are incompatible. It's bad enough that git-annex hits this.

I think you should consider backporting this to wheezy. It's unknown
how many XMPP clients trigger this incompatibility, and it's probably
better not to find out! The patch, leaving aside some indentation changes,
is only a few dozen lines.

-- 
see shy jo



--- End Message ---
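As an added illustration, not code from the bug report, from ejabberd, or from Stephen Röttger's patch: a Python parser for the SCRAM client-first-message following the RFC 5802 grammar, which accepts the optional "a=" authzid and the channel-binding flags, placed beside a hypothetical parser that hard-codes the "n,," prefix to show the failure mode the report describes. It also derives the base64 value the client-final "c=" attribute must echo (it changes when an authzid is present) and applies an assumed authzid policy of the kind John Millikin's quote alludes to. The sample messages, the authzid_allowed policy and the domain example.org are constructed for this example.

```python
import base64
import re

# Constructed sample client-first-messages (not taken from the bug report).
# The first carries the optional authzid ("a=") that the report says
# ejabberd 2.1.9 rejected; the second is the bare "n,," form most clients send.
WITH_AUTHZID = "n,a=user@example.org,n=user,r=fyko+d2lbbFgONRv9qkxdawL"
PLAIN = "n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL"

# saslname per RFC 5802: any character except "," and "=", with "," and "="
# escaped as "=2C" and "=3D".  Any other "=" sequence is an error.
_SASLNAME = re.compile(r"^(?:[^,=]|=2C|=3D)+$")


def decode_saslname(s):
    if not _SASLNAME.match(s):
        raise ValueError("invalid saslname: %r" % s)
    return s.replace("=2C", ",").replace("=3D", "=")


def parse_client_first_naive(msg):
    """Hypothetical parser showing the failure mode the report describes
    (NOT ejabberd's code): it accepts only the literal "n,," prefix, so a
    header with an authzid, or with channel binding, is rejected outright."""
    if not msg.startswith("n,,"):
        raise ValueError("unsupported gs2-header")
    return msg[len("n,,"):]


def parse_client_first(msg):
    """Parse client-first-message per RFC 5802 section 7:
         gs2-header = gs2-cbind-flag "," [ "a=" saslname ] ","
         client-first-message-bare = [ "m=" value "," ] "n=" saslname ","
                                     "r=" nonce [ "," extensions ]
    Returns the fields the server needs plus the verbatim gs2-header, which
    the client-final-message must echo back inside its "c=" attribute."""
    parts = msg.split(",", 2)
    if len(parts) != 3:
        raise ValueError("malformed gs2-header")
    flag, authz, bare = parts
    if flag in ("n", "y"):
        cb_name = None
    elif flag.startswith("p=") and re.match(r"^[A-Za-z0-9.-]+$", flag[2:]):
        cb_name = flag[2:]
    else:
        raise ValueError("bad gs2-cbind-flag: %r" % flag)
    if authz == "":
        authzid = None
    elif authz.startswith("a="):
        authzid = decode_saslname(authz[2:])
    else:
        raise ValueError("bad authzid field: %r" % authz)

    attrs = [a.split("=", 1) for a in bare.split(",")]
    if any(len(a) != 2 or len(a[0]) != 1 for a in attrs):
        raise ValueError("malformed attribute in client-first-message-bare")
    if attrs[0][0] == "m":
        # RFC 5802: a mandatory extension the server does not understand
        # MUST cause authentication to fail.
        raise ValueError("unsupported mandatory extension: %r" % attrs[0][1])
    if len(attrs) < 2 or attrs[0][0] != "n" or attrs[1][0] != "r":
        raise ValueError("client-first-message-bare must start with n=...,r=...")
    if not re.match(r"^[\x21-\x2B\x2D-\x7E]+$", attrs[1][1]):
        raise ValueError("nonce must be printable ASCII without commas")
    return {
        "cbind_flag": flag[0],
        "cb_name": cb_name,
        "authzid": authzid,
        "username": decode_saslname(attrs[0][1]),
        "nonce": attrs[1][1],
        "gs2_header": msg[: len(msg) - len(bare)],
        "bare": bare,
    }


def expected_cbind_input(gs2_header, cbind_data=b""):
    """Value the server must find in the client-final "c=" attribute:
    base64(gs2-header || cbind-data).  For the plain "n,," header this is
    the well-known "biws"; with an authzid it differs, and because "c=" is
    part of the AuthMessage, a server that silently dropped "a=" would also
    compute the wrong ClientProof."""
    return base64.b64encode(gs2_header.encode("utf-8") + cbind_data).decode("ascii")


def authzid_allowed(username, authzid, domain):
    """Assumed policy (not from the report): an authzid, if present, must be
    the JID of the authenticating user at this server's domain, which is the
    kind of check a server validating the user JID's domain name would do."""
    if authzid is None:
        return True
    return authzid == "%s@%s" % (username, domain)


def rejects(msg, parser=parse_client_first):
    """True if parser raises ValueError on msg (used to compare parsers)."""
    try:
        parser(msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for m in (WITH_AUTHZID, PLAIN):
        print("naive rejects:", rejects(m, parse_client_first_naive))
        print("RFC 5802 parse:", parse_client_first(m))
```

The naive parser rejects WITH_AUTHZID while the RFC 5802 parser accepts both messages; the difference in the "c=" value between "n,," and "n,a=user@example.org," is why the server has to keep the exact gs2-header it received rather than normalising it away.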
--- Begin Message ---
Source: ejabberd
Source-Version: 2.1.10-5

We believe that the bug you reported is fixed in the latest version of
ejabberd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Konstantin Khomoutov <[email protected]> (supplier of updated 
ejabberd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 25 Apr 2013 15:31:59 +0000
Source: ejabberd
Binary: ejabberd
Architecture: source i386
Version: 2.1.10-5
Distribution: unstable
Urgency: low
Maintainer: Konstantin Khomoutov <[email protected]>
Changed-By: Konstantin Khomoutov <[email protected]>
Description: 
 ejabberd   - distributed, fault-tolerant Jabber/XMPP server written in Erlang
Closes: 705613
Changes: 
 ejabberd (2.1.10-5) unstable; urgency=low
 .
   [ Konstantin Khomoutov ]
   * Add patch fixing parsing of optional parameters in SCRAM SHA-1 headers
     (closes: #705613, thanks to Stephen Röttger for both writing the
     original patch and backporting it to 2.1.10).
Checksums-Sha1: 
 0e5c5d4218adecf1fa17e5c41ab14a1910ab1e10 1661 ejabberd_2.1.10-5.dsc
 6064d9770402f592b2811de80eb68cdd110c04bc 81270 ejabberd_2.1.10-5.diff.gz
 b901dc1ef0aaa4ab85f5127e2f1bb00c12e0984f 1794704 ejabberd_2.1.10-5_i386.deb
Checksums-Sha256: 
 ba7ab525c8b2d0cd8843e857b4c6cbd14a74551745cdc678225539a7013e067f 1661 
ejabberd_2.1.10-5.dsc
 fc85544f14717d081e781c0613799ea89d7ddb12837d383e40432c0f1e3dba93 81270 
ejabberd_2.1.10-5.diff.gz
 870c4b3468cd9535edfdfa3340f05ec6bf8ae4e60f552757fad8395002366ccc 1794704 
ejabberd_2.1.10-5_i386.deb
Files: 
 27a9e246c50ff8bffd407b8f080772cd 1661 net optional ejabberd_2.1.10-5.dsc
 3628bae08ed7232aaf91e9f006261624 81270 net optional ejabberd_2.1.10-5.diff.gz
 4fbf614129a2aaa21d1426d584666271 1794704 net optional 
ejabberd_2.1.10-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJReiniAAoJEDH85+fdB5RhZJAH/j62Fl81frwgh51gim6PPeGu
1jBNFuu9E67AlIuhhHWza3u9LWKdNrrH01DK02nGgkfehkweFEBtLyIIfnANay8o
GK+QuvFOf7o6f4CVIUts+JAtHEA6Qj/MNql5Jv/y07/FFQTxFr2CXjMcELLpaYLh
lRVRx1/yVjiiE60LiYvISkbsZ3rHqmNAuiJRg19v+dVlnOoOI921dNV5EtEraOtl
fPsr+iTxq2ZsSnE4I6UPLmAgVKtJT3cMfxiamMtyUzAf+/ptPxYFndHLleNbKxYr
ujQrJ8rD3H9fqvQ0RAMnxLAfPFBlYdU5wujedqMFYy5UDfWLTmyHsNGxLP3b+BU=
=QE/u
-----END PGP SIGNATURE-----

--- End Message ---
