Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Tags: squeeze
Usertags: pu
Please let ejabberd/2.1.5-3+squeeze2 enter Squeeze. It fixes just a single security bug [1] by disabling SSLv2 and weak cyphers in the TLS driver (this bug is itself a clone of [2], which has been filed against the version in Sid and is intended to be fixed by [3]). Please see the attached debdiff.

1. http://bugs.debian.org/724993
2. http://bugs.debian.org/722105
3. http://bugs.debian.org/725790
diff -u ejabberd-2.1.5/debian/changelog ejabberd-2.1.5/debian/changelog --- ejabberd-2.1.5/debian/changelog +++ ejabberd-2.1.5/debian/changelog @@ -1,3 +1,9 @@ +ejabberd (2.1.5-3+squeeze2) stable-security; urgency=low + + * Disable SSLv2 and weak/export cyphers in TLS driver (closes: #724993). + + -- Konstantin Khomoutov <flatw...@users.sourceforge.net> Mon, 30 Sep 2013 17:10:02 +0400 + ejabberd (2.1.5-3+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. diff -u ejabberd-2.1.5/debian/patches/series ejabberd-2.1.5/debian/patches/series --- ejabberd-2.1.5/debian/patches/series +++ ejabberd-2.1.5/debian/patches/series @@ -10,0 +11,2 @@ +disable-ssl2.patch +disable-insecure-ssl-cyphers.patch only in patch2: unchanged: --- ejabberd-2.1.5.orig/debian/patches/disable-ssl2.patch +++ ejabberd-2.1.5/debian/patches/disable-ssl2.patch 
@@ -0,0 +1,36 @@ +Description: Disable SSLv2 in the TLS driver + SSL 2.0 is not used anywhere as it has security problems. + Disable it unconditionally both in server and client mode. + This does not disable support for SSL 2.0 compatible client + hello which still will be accepted in the server mode. + . + This patch is a backport of changes introduced by the commit + e06c1c49c14c3f56cf4ddae080514f7802669335 in the upstream Git repository + to the ejabberd code base as of version 2.1.12. +Author: Janusz Dziemidowicz <rrapt...@nails.eu.org> +Forwarded: not-needed +Last-Update: 2013-09-29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/tls/tls_drv.c ++++ b/src/tls/tls_drv.c +@@ -344,6 +344,8 @@ + res = SSL_CTX_check_private_key(ctx); + die_unless(res > 0, "SSL_CTX_check_private_key failed"); + ++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET); ++ + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + SSL_CTX_set_default_verify_paths(ctx); + +@@ -370,10 +372,8 @@ + SSL_set_bio(d->ssl, d->bio_read, d->bio_write); + + if (command == SET_CERTIFICATE_FILE_ACCEPT) { +- SSL_set_options(d->ssl, SSL_OP_NO_TICKET); + SSL_set_accept_state(d->ssl); + } else { +- SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET); + SSL_set_connect_state(d->ssl); + } + break; only in patch2: unchanged: --- ejabberd-2.1.5.orig/debian/patches/disable-insecure-ssl-cyphers.patch +++ ejabberd-2.1.5/debian/patches/disable-insecure-ssl-cyphers.patch 
@@ -0,0 +1,34 @@ +Description: Disable old and insecure cyphers in TLS driver + Disabled: + * Export ciphers - broken by design, 40 and 56 bit encryption. + * Low encryption ciphers - 56 and 64 bit encryption. + * SSLv2 ciphers - some ciphers using MD5 MAC. + . + This patch is a backport of changes introduced by the commit + d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository + to the ejabberd code base as of version 2.1.12. +Author: Janusz Dziemidowicz <rrapt...@nails.eu.org> +Forwarded: not-needed +Last-Update: 2013-09-29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/tls/tls_drv.c ++++ b/src/tls/tls_drv.c +@@ -44,6 +44,8 @@ + #define SSL_OP_NO_TICKET 0 + #endif + ++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2" ++ + /* + * str_hash is based on the public domain code from + * http://www.burtleburtle.net/bob/hash/doobs.html +@@ -346,6 +348,8 @@ + + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET); + ++ SSL_CTX_set_cipher_list(ctx, CIPHERS); ++ + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + SSL_CTX_set_default_verify_paths(ctx); +
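Review bot: the new changelog entry targets stable-security, but this request is routed as a pu (Tags: squeeze, Usertags: pu) through release.debian.org rather than as a Security Team upload; confirm the distribution field matches how the package will actually be uploaded, since the preceding +squeeze1 entry was the Security Team's NMU and that is where stable-security came from.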
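Review bot: in the first hunk of disable-ssl2.patch the options move from the per-connection SSL_set_options calls to SSL_CTX_set_options at line 344, which is correct only because the SSL object created later in the same command inherits the context's options; the DEP-3 header should say explicitly that the accept (server) side, which previously set only SSL_OP_NO_TICKET, now also has SSLv2 disabled, as that is the behavioural change for existing Squeeze deployments.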
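Review bot: the CIPHERS definition "DEFAULT:!EXPORT:!LOW:!SSLv2" at line 44 of disable-insecure-ssl-cyphers.patch excludes only the SSLv2 suites, so the header's remark "some ciphers using MD5 MAC" applies to those suites alone and TLS suites with an MD5 MAC remain enabled; the description should make that scope clear so nobody reads the patch as removing MD5-based suites generally. Note also that the define sits right after the `#define SSL_OP_NO_TICKET 0` fallback, which is fine, but a short comment naming why each class is excluded would help the next backporter.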
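Review bot: the second hunk of disable-insecure-ssl-cyphers.patch ignores the return value of `SSL_CTX_set_cipher_list(ctx, CIPHERS);`, which returns 0 when no cipher matches the list; the neighbouring code checks its OpenSSL calls with die_unless (e.g. `die_unless(res > 0, "SSL_CTX_check_private_key failed");`), so this call should be checked the same way, otherwise a misconfigured or stripped-down libssl would leave the context with no usable ciphers and every handshake would fail with an unrelated error. This hunk also relies on the `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);` context line added by disable-ssl2.patch, so the order in debian/patches/series must be kept as shown.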