Source: ejabberd
Version: 23.01-1
Severity: wishlist

Dear Maintainer,

please consider packaging 24.02 (if possible it would be great if you'd 
also backport it to bookworm).
Ejabberd < 24.02 has an issue with channel binding and TLSv1.3. When 
using channel binding (e.g. the SCRAM mechanism SCRAM-SHA-1-PLUS) with 
TLSv1.3, tls-exporter must be used, but ejabberd < 24.02 uses tls-unique 
(which should only be used for < TLSv1.3). [1]

Due to the recent MITM on jabber.ru, many clients and servers have 
enabled SCRAM mechanisms with channel binding to mitigate MITM attacks. 
But due to the linked issue, authentication will fail when using a SCRAM 
mechanism with channel binding and TLSv1.3, so it would be 
awesome if Debian would provide ejabberd 24.02 and enable ejabberd 
operators using Debian to upgrade to a fixed version.

Best regards,
Martin

[1] https://github.com/processone/ejabberd/issues/4105

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-20-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Attachment: signature.asc
Description: PGP signature
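The failure mode the report describes, as an added example that is not part of the bug report and not ejabberd's own code: a SCRAM-SHA-1-PLUS exchange (RFC 5802) in which the client follows RFC 9266 and binds to tls-exporter under TLSv1.3, while the server still hands out tls-unique data. The channel-binding values, salt, nonces and credentials are constructed stand-ins for what a TLS stack and user database would provide; the `run`/`server_verify` helpers are hypothetical names for this illustration.

```python
import base64
import hashlib
import hmac

# Constructed channel-binding values standing in for what the TLS stack would
# provide: tls-unique (first Finished message, defined only for TLS <= 1.2) and
# tls-exporter (RFC 9266: keying material exported with the label
# "EXPORTER-Channel-Binding", empty context, 32 bytes). Not real session values.
TLS_UNIQUE = bytes.fromhex("5f3a9c1e7b2d4f60aa11cc22")
TLS_EXPORTER = hashlib.sha256(b"constructed tls-exporter value").digest()


def select_cb_type(tls_version):
    """RFC 9266 rule: tls-exporter under TLS 1.3, tls-unique only below it."""
    return "tls-exporter" if tls_version == "TLSv1.3" else "tls-unique"


def cb_data(cb_type):
    return {"tls-unique": TLS_UNIQUE, "tls-exporter": TLS_EXPORTER}[cb_type]


def b64(data):
    return base64.b64encode(data).decode()


def hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def client_messages(username, password, client_cb_type, salt, iterations,
                    cnonce="c1nonce", snonce="s1nonce"):
    """Build the SCRAM-SHA-1-PLUS client messages and the server-side state."""
    gs2_header = f"p={client_cb_type},,"
    client_first_bare = f"n={username},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={b64(salt)},i={iterations}"
    # c= carries base64(gs2-header || cb-data): this is where the binding type matters
    channel = b64(gs2_header.encode() + cb_data(client_cb_type))
    client_final_bare = f"c={channel},r={cnonce}{snonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()

    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac_sha1(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    proof = xor(client_key, hmac_sha1(stored_key, auth_message))
    return {
        "gs2_header": gs2_header,
        "auth_message": auth_message,
        "client_final": client_final_bare + ",p=" + b64(proof),
        "stored_key": stored_key,  # what the server has on file for this user
    }


def server_verify(msgs, server_cb_data):
    """Server side: check the channel binding first, then the SCRAM proof."""
    attrs = dict(part.split("=", 1) for part in msgs["client_final"].split(","))
    received = base64.b64decode(attrs["c"])
    expected = msgs["gs2_header"].encode() + server_cb_data
    if not hmac.compare_digest(received, expected):
        return "channel-binding mismatch"
    client_sig = hmac_sha1(msgs["stored_key"], msgs["auth_message"])
    client_key = xor(base64.b64decode(attrs["p"]), client_sig)
    if hashlib.sha1(client_key).digest() != msgs["stored_key"]:
        return "bad proof"
    return "ok"


def run(tls_version, server_uses_tls_unique):
    """One SCRAM-SHA-1-PLUS attempt. server_uses_tls_unique models a server that
    supplies tls-unique data regardless of TLS version, as the report describes."""
    salt = b"constructed-salt"
    msgs = client_messages("alice", "correct horse", select_cb_type(tls_version), salt, 4096)
    server_cb = TLS_UNIQUE if server_uses_tls_unique else cb_data(select_cb_type(tls_version))
    return server_verify(msgs, server_cb)


if __name__ == "__main__":
    print("TLS 1.3, server binds tls-exporter:", run("TLSv1.3", False))  # ok
    print("TLS 1.3, server binds tls-unique:  ", run("TLSv1.3", True))   # channel-binding mismatch
    print("TLS 1.2, server binds tls-unique:  ", run("TLSv1.2", True))   # ok
```

The proof itself is correct in all three runs; only the `c=` comparison fails in the second one, which is why the symptom is a plain authentication failure rather than anything visible in the TLS handshake. A client that negotiates SCRAM-SHA-1 without `-PLUS` against such a server still succeeds, but also gives up the MITM protection the binding was enabled for.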