Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu
Hi,
I'm not sure if another point update for Wheezy is planned or if this is
a case for the LTS team, but I would like to update ejabberd in Wheezy.
There are 2 minor security patches:
* disable SSLv3 (Closes: #767521)
* enforce the starttls_required setting (CVE-2014-8760, closes: #767535)
Please advise. Complete diff from git repository is attached.
Best wishes,
Philipp
diff --git a/debian/changelog b/debian/changelog
index 2869431..55ede73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ejabberd (2.1.10-4+deb7u2) oldstable; urgency=high
+
+ * Disable SSLv3 (Closes: #767521)
+ * Add patch to fix CVE-2014-8760 (Closes: #767535)
+
+ -- Philipp Huebner Wed, 29 Mar 2017 10:05:39 +0200
+
ejabberd (2.1.10-4+deb7u1) stable-security; urgency=low
[ Konstantin Khomoutov ]
diff --git a/debian/patches/CVE-2014-8760.patch
b/debian/patches/CVE-2014-8760.patch
new file mode 100644
index 000..cd8c08b
--- /dev/null
+++ b/debian/patches/CVE-2014-8760.patch
@@ -0,0 +1,27 @@
+Description: Make sure "starttls_required" can't be bypassed.
+ Don't allow clients to circumvent the "starttls_required" option by
+ enabling XMPP stream compression. (CVE-2014-8760)
+Author: Holger Weiss
+
+Index: ejabberd/src/ejabberd_c2s.erl
+===
+--- ejabberd.orig/src/ejabberd_c2s.erl
ejabberd/src/ejabberd_c2s.erl
+@@ -614,7 +614,7 @@ wait_for_feature_request({xmlstreameleme
+ TLSRequired = StateData#state.tls_required,
+ SockMod = (StateData#state.sockmod):get_sockmod(StateData#state.socket),
+ case {xml:get_attr_s("xmlns", Attrs), Name} of
+- {?NS_SASL, "auth"} when not ((SockMod == gen_tcp) and TLSRequired) ->
++ {?NS_SASL, "auth"} when TLSEnabled or not TLSRequired ->
+ Mech = xml:get_attr_s("mechanism", Attrs),
+ ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
+ case cyrsasl:server_start(StateData#state.sasl_state,
+@@ -720,7 +720,7 @@ wait_for_feature_request({xmlstreameleme
+ end;
+ _ ->
+ if
+- (SockMod == gen_tcp) and TLSRequired ->
++ TLSRequired and not TLSEnabled ->
+ Lang = StateData#state.lang,
+ send_element(StateData, ?POLICY_VIOLATION_ERR(
+ Lang,
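Review bot: Both new guards (`TLSEnabled or not TLSRequired` and `TLSRequired and not TLSEnabled`) use a variable the hunk never binds — the visible context only binds TLSRequired and SockMod — so the patch only compiles if the 2.1.10 wait_for_feature_request already has `TLSEnabled = StateData#state.tls_enabled` above this point; the upstream fix was written against a later code base, so that is worth confirming with a test build before upload (the function starts and ends outside the hunk). The patch header also lacks the DEP-3 fields the sibling disable-insecure-ssl-cyphers.patch carries; adding `Origin: upstream, <upstream commit id>`, `Bug-Debian: https://bugs.debian.org/767535` and `Forwarded: not-needed` would let the next maintainer trace the fix. Finally, the embedded `+++ ejabberd/src/ejabberd_c2s.erl` header line appears here without its `+++` prefix; if that is how the file reads on disk rather than an artefact of the mail rendering, quilt will reject the patch.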
diff --git a/debian/patches/disable-insecure-ssl-cyphers.patch
b/debian/patches/disable-insecure-ssl-cyphers.patch
index 4ff049f..dc678c5 100644
--- a/debian/patches/disable-insecure-ssl-cyphers.patch
+++ b/debian/patches/disable-insecure-ssl-cyphers.patch
@@ -3,32 +3,37 @@ Description: Disable old and insecure cyphers in TLS driver
* Export ciphers - broken by design, 40 and 56 bit encryption.
* Low encryption ciphers - 56 and 64 bit encryption.
* SSLv2 ciphers - some ciphers using MD5 MAC.
+ * SSLv3 ciphers
.
This patch is a backport of changes introduced by the commit
d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
to the ejabberd code base as of version 2.1.12.
+ It was later extended to also disable SSLv3.
Author: Janusz Dziemidowicz
Forwarded: not-needed
-Last-Update: 2013-09-29
+Last-Update: 2017-03-29
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
a/src/tls/tls_drv.c
-+++ b/src/tls/tls_drv.c
+Index: ejabberd/src/tls/tls_drv.c
+===
+--- ejabberd.orig/src/tls/tls_drv.c
ejabberd/src/tls/tls_drv.c
@@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t;
#define SSL_OP_NO_TICKET 0
#endif
-+#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"
+
/*
* R15B changed several driver callbacks to use ErlDrvSizeT and
* ErlDrvSSizeT typedefs instead of int.
-@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+@@ -355,6 +357,9 @@ static ErlDrvSSizeT tls_drv_control(ErlD
+ die_unless(res > 0, "SSL_CTX_check_private_key failed");
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
-
-+ SSL_CTX_set_cipher_list(ctx, CIPHERS);
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
+
++ SSL_CTX_set_cipher_list(ctx, CIPHERS);
+
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_default_verify_paths(ctx);
- #ifdef SSL_MODE_RELEASE_BUFFERS
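Review bot: The `!SSLv3` token appended in `#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"` does not disable the SSLv3 protocol — in OpenSSL cipher-list syntax `SSLv3` selects every suite whose minimum protocol is SSL 3.0, which on OpenSSL 1.0.x is all of the TLS 1.0/1.1 suites as well (AES-CBC-SHA and friends), so only the TLSv1.2-only suites survive and any client limited to TLS 1.0 or 1.1 fails the handshake. The protocol itself is already disabled correctly by the new `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);`, so keep `#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"` and drop the "* SSLv3 ciphers" bullet from the header. The second SSL_CTX_set_options call works because options accumulate, but folding it into the existing one — `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);` — makes the intent clearer. The enclosing tls_drv_control function starts and ends outside the hunk.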
diff --git a/debian/patches/series b/debian/patches/series
index 297e201..30f0424 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ fix-odbc-escaping.patch
disable-ssl2.patch
disable-insecure-ssl-cyphers.patch
fix-nicks-in-plaintext-muc-log.patch
+CVE-2014-8760.patch