Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-17 Thread Markus Raab
Hi,

17. April 2017, 00:20:43 Guido Günther wrote:
> I think the reason is that the N900's telepathy-gabble doesn't support
> any better than SSL 3.0 and that got disabled with the ejabberd
> update. Can you report that to the Maemo folks? Maybe they can enable it
> (they enabled it for other things like IMAP in the past).

My device already has several hardware defects and I do not want to invest the 
time to report on their bug tracker (I do not have an account) or check fixes 
with unreleased SSU packages. I only wanted to have it documented for others 
searching why it does not work.

Sorry for being seemingly uncooperative but it is really an old device ;)

best regards,
Markus



Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-16 Thread Guido Günther
Hi Markus,
On Sun, Apr 16, 2017 at 08:43:36PM +0200, Markus Raab wrote:
> Hello,
> 
> Thanks for still maintaining wheezy.
> 
> This security fix broke the N900 jabber (xmpp) client (included in Maemo).
> 
> With 2.1.10-4+deb7u1 the N900 xmpp client was connecting without troubles, 
> since 2.1.10-4+deb7u2 it immediately fails with a "network error".
> 
> I only wanted to mention the bug for reference, it is much more likely that 
> the problem is the unmaintained N900 xmpp client, and not the security fix.

I think the reason is that the N900's telepathy-gabble doesn't support
any better than SSL 3.0 and that got disabled with the ejabberd
update. Can you report that to the Maemo folks? Maybe they can enable it
(they enabled it for other things like IMAP in the past).

Cheers,
 -- Guido



Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-16 Thread Guido Günther
On Sun, Apr 16, 2017 at 04:44:22PM -0400, PICCORO McKAY Lenz wrote:
> Has anyone else tested the package with real production clients?

Yes we did.
 -- Guido

> 
> I could test that, but it's better to upgrade even using an unmaintained package..
> 
> Some time ago I tried to maintain that package but the Debian process was a
> great obstacle!
> 
> Today I use my own package and keep track of the Debian ...
> 
> Lenz McKAY Gerardo (PICCORO)
> http://qgqlochekone.blogspot.com
> 
> 2017-04-16 14:43 GMT-04:00 Markus Raab :
> 
> > Hello,
> >
> > Thanks for still maintaining wheezy.
> >
> > This security fix broke the N900 jabber (xmpp) client (included in Maemo).
> >
> > With 2.1.10-4+deb7u1 the N900 xmpp client was connecting without troubles,
> > since 2.1.10-4+deb7u2 it immediately fails with a "network error".
> >
> > I only wanted to mention the bug for reference, it is much more likely that
> > the problem is the unmaintained N900 xmpp client, and not the security fix.
> >
> > best regards,
> > Markus
> >
> >



Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-16 Thread PICCORO McKAY Lenz
Has anyone else tested the package with real production clients?

I could test that, but it's better to upgrade even using an unmaintained package..

Some time ago I tried to maintain that package but the Debian process was a
great obstacle!

Today I use my own package and keep track of the Debian ...

Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com

2017-04-16 14:43 GMT-04:00 Markus Raab :

> Hello,
>
> Thanks for still maintaining wheezy.
>
> This security fix broke the N900 jabber (xmpp) client (included in Maemo).
>
> With 2.1.10-4+deb7u1 the N900 xmpp client was connecting without troubles,
> since 2.1.10-4+deb7u2 it immediately fails with a "network error".
>
> I only wanted to mention the bug for reference, it is much more likely that
> the problem is the unmaintained N900 xmpp client, and not the security fix.
>
> best regards,
> Markus
>
>


Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-16 Thread Markus Raab
Hello,

Thanks for still maintaining wheezy.

This security fix broke the N900 jabber (xmpp) client (included in Maemo).

With 2.1.10-4+deb7u1 the N900 xmpp client was connecting without troubles, 
since 2.1.10-4+deb7u2 it immediately fails with a "network error".

I only wanted to mention the bug for reference, it is much more likely that 
the problem is the unmaintained N900 xmpp client, and not the security fix.

best regards,
Markus



Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-03-29 Thread Philipp Huebner
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'm not sure if another point update for Wheezy is planned or if this is
a case for the LTS team, but I would like to update ejabberd in Wheezy.

There are 2 minor security patches:
* disable SSLv3 (Closes: #767521)
* enforce the starttls_required setting (CVE-2014-8760, closes: #767535)

Please advise. Complete diff from git repository is attached.

Best wishes,
Philipp
diff --git a/debian/changelog b/debian/changelog
index 2869431..55ede73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ejabberd (2.1.10-4+deb7u2) oldstable; urgency=high
+
+  * Disable SSLv3 (Closes: #767521)
+  * Add patch to fix CVE-2014-8760 (Closes: #767535)
+
+ -- Philipp Huebner   Wed, 29 Mar 2017 10:05:39 +0200
+
 ejabberd (2.1.10-4+deb7u1) stable-security; urgency=low
 
   [ Konstantin Khomoutov ]
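Review bot: the changelog entry does not say that the SSLv3 change is client-visible, although it is shipped with urgency=high while the cover mail calls both patches "minor"; add a line such as "clients that can only negotiate SSLv3 will no longer be able to connect" next to "Disable SSLv3 (Closes: #767521)", so that administrators reading the changelog know why old clients (the N900 report earlier in this thread is one) start failing with a network error after the update.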
diff --git a/debian/patches/CVE-2014-8760.patch 
b/debian/patches/CVE-2014-8760.patch
new file mode 100644
index 000..cd8c08b
--- /dev/null
+++ b/debian/patches/CVE-2014-8760.patch
@@ -0,0 +1,27 @@
+Description: Make sure "starttls_required" can't be bypassed.
+ Don't allow clients to circumvent the "starttls_required" option by
+ enabling XMPP stream compression. (CVE-2014-8760)
+Author: Holger Weiss 
+
+Index: ejabberd/src/ejabberd_c2s.erl
+===
+--- ejabberd.orig/src/ejabberd_c2s.erl
 ejabberd/src/ejabberd_c2s.erl
+@@ -614,7 +614,7 @@ wait_for_feature_request({xmlstreameleme
+ TLSRequired = StateData#state.tls_required,
+ SockMod = (StateData#state.sockmod):get_sockmod(StateData#state.socket),
+ case {xml:get_attr_s("xmlns", Attrs), Name} of
+-  {?NS_SASL, "auth"} when not ((SockMod == gen_tcp) and TLSRequired) ->
++  {?NS_SASL, "auth"} when TLSEnabled or not TLSRequired ->
+   Mech = xml:get_attr_s("mechanism", Attrs),
+   ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
+   case cyrsasl:server_start(StateData#state.sasl_state,
+@@ -720,7 +720,7 @@ wait_for_feature_request({xmlstreameleme
+   end;
+   _ ->
+   if
+-  (SockMod == gen_tcp) and TLSRequired ->
++  TLSRequired and not TLSEnabled ->
+   Lang = StateData#state.lang,
+   send_element(StateData, ?POLICY_VIOLATION_ERR(
+  Lang,
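Review bot: both new guards, `{?NS_SASL, "auth"} when TLSEnabled or not TLSRequired ->` and `TLSRequired and not TLSEnabled ->`, use a variable `TLSEnabled` that the hunk context never binds (only `TLSRequired` and `SockMod` are bound at the top of the first hunk); confirm that `wait_for_feature_request/2` in the 2.1.10 source binds `TLSEnabled` above line 614, otherwise the module will not compile. The logic itself is the right fix: the old test `not ((SockMod == gen_tcp) and TLSRequired)` used "socket module is still gen_tcp" as a proxy for "no TLS yet", and a client defeats that by negotiating stream compression first, after which the socket module is no longer gen_tcp while the stream is still plaintext; testing the tls_enabled state flag instead closes the bypass. Two header points: the DEP-3 header has Description and Author but no Origin (upstream commit) or Bug-Debian (#767535) field, unlike the sibling patch that explicitly declares DEP-3; and the target-file line after `--- ejabberd.orig/src/ejabberd_c2s.erl` has lost its `+++` prefix in this copy, so quilt would not apply the patch exactly as shown here.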
diff --git a/debian/patches/disable-insecure-ssl-cyphers.patch 
b/debian/patches/disable-insecure-ssl-cyphers.patch
index 4ff049f..dc678c5 100644
--- a/debian/patches/disable-insecure-ssl-cyphers.patch
+++ b/debian/patches/disable-insecure-ssl-cyphers.patch
@@ -3,32 +3,37 @@ Description: Disable old and insecure cyphers in TLS driver
  * Export ciphers - broken by design, 40 and 56 bit encryption.
  * Low encryption ciphers - 56 and 64 bit encryption.
  * SSLv2 ciphers - some ciphers using MD5 MAC.
+ * SSLv3 ciphers
  .
  This patch is a backport of changes introduced by the commit
  d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
  to the ejabberd code base as of version 2.1.12.
+ It was later extended to also disable SSLv3.
 Author: Janusz Dziemidowicz 
 Forwarded: not-needed
-Last-Update: 2013-09-29
+Last-Update: 2017-03-29
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 a/src/tls/tls_drv.c
-+++ b/src/tls/tls_drv.c
+Index: ejabberd/src/tls/tls_drv.c
+===
+--- ejabberd.orig/src/tls/tls_drv.c
 ejabberd/src/tls/tls_drv.c
 @@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t;
  #define SSL_OP_NO_TICKET 0
  #endif
  
-+#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"
 +
  /*
   * R15B changed several driver callbacks to use ErlDrvSizeT and
   * ErlDrvSSizeT typedefs instead of int.
-@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+@@ -355,6 +357,9 @@ static ErlDrvSSizeT tls_drv_control(ErlD
+   die_unless(res > 0, "SSL_CTX_check_private_key failed");
  
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
- 
-+  SSL_CTX_set_cipher_list(ctx, CIPHERS);
++  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
 +
++  SSL_CTX_set_cipher_list(ctx, CIPHERS);
+ 
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_default_verify_paths(ctx);
- #ifdef SSL_MODE_RELEASE_BUFFERS
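Review bot: `:!SSLv3` in `#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"` does not disable the SSLv3 protocol; in OpenSSL cipher-list syntax `SSLv3` names the cipher suites whose minimum protocol version is SSL 3.0, which is every AES-CBC-SHA, 3DES and RC4 suite, so with wheezy's OpenSSL 1.0.1 this string leaves only the TLS 1.2-only suites (AES-GCM and the SHA-256/384 HMAC suites) and locks out every client that tops out at TLS 1.0 or 1.1 as well, not just SSLv3-only ones. The protocol is already turned off by `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);`, so drop `:!SSLv3` from CIPHERS and check the result with `openssl ciphers -v 'DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3'` on a wheezy host, looking at the protocol column. Style point: SSL_CTX_set_options ORs flags into the context, so the two calls could be folded into one `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);` instead of repeating SSL_OP_NO_TICKET. Also the header lines `a/src/tls/tls_drv.c` and `ejabberd/src/tls/tls_drv.c` have lost their `---`/`+++` prefixes in this copy of the patch.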
diff --git a/debian/patches/series b/debian/patches/series
index 297e201..30f0424 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ fix-odbc-escaping.patch
 disable-ssl2.patch
 disable-insecure-ssl-cyphers.patch
 fix-nicks-in-plaintext-muc-log.patch
+CVE-2014-8760.patch
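The starttls_required bypass that the CVE-2014-8760 patch above closes, replayed offline as an added example (this is neither ejabberd code nor part of the Debian patch): the two Erlang guards from the patch are re-expressed in Python, and a client that negotiates stream compression before authenticating is run against the old guard and the new one. `gen_tcp` is the socket module named in the patch context; the wrapper names `ejabberd_zlib` and `tls`, and the event sequences, are assumptions made for the model.

```python
"""Model of the ejabberd_c2s SASL guard before and after the CVE-2014-8760 patch.

Added example, not code from ejabberd or the Debian patch. The socket module
string stands in for StateData#state.sockmod and tls_enabled for
StateData#state.tls_enabled; gen_tcp comes from the patch context, the other
two module names are assumed.
"""
from dataclasses import dataclass

GEN_TCP = "gen_tcp"        # plain TCP socket module (named in the patch)
ZLIB = "ejabberd_zlib"     # assumed name of the stream-compression wrapper
TLS = "tls"                # assumed name of the TLS wrapper


@dataclass
class C2SState:
    sockmod: str = GEN_TCP
    tls_enabled: bool = False
    tls_required: bool = False


def start_tls(state: C2SState) -> None:
    # <starttls/> replaces the socket module and marks the stream as TLS
    state.sockmod = TLS
    state.tls_enabled = True


def enable_compression(state: C2SState) -> None:
    # <compress/> also replaces the socket module, but adds no TLS:
    # the stream stays plaintext while sockmod is no longer gen_tcp
    state.sockmod = ZLIB


def auth_allowed_old(state: C2SState) -> bool:
    # guard before the patch:
    #   {?NS_SASL, "auth"} when not ((SockMod == gen_tcp) and TLSRequired)
    return not (state.sockmod == GEN_TCP and state.tls_required)


def auth_allowed_new(state: C2SState) -> bool:
    # guard after the patch:
    #   {?NS_SASL, "auth"} when TLSEnabled or not TLSRequired
    return state.tls_enabled or not state.tls_required


def run_client(events, guard, tls_required=True) -> str:
    """Replay a client's stream-feature requests against a SASL guard.

    Returns "authenticated" when <auth/> is accepted, "policy-violation"
    when the guard rejects it (the ?POLICY_VIOLATION_ERR branch), and
    "no-auth" if the client never attempts SASL.
    """
    state = C2SState(tls_required=tls_required)
    for ev in events:
        if ev == "starttls":
            start_tls(state)
        elif ev == "compress":
            enable_compression(state)
        elif ev == "auth":
            return "authenticated" if guard(state) else "policy-violation"
        else:
            raise ValueError(f"unknown stream event {ev!r}")
    return "no-auth"


if __name__ == "__main__":
    bypass = ["compress", "auth"]          # constructed attacker sequence
    print("old guard, compress then auth:", run_client(bypass, auth_allowed_old))
    print("new guard, compress then auth:", run_client(bypass, auth_allowed_new))
```

With starttls_required set, the old guard accepts a plaintext SASL exchange as soon as compression has swapped the socket module, which is exactly the bypass; the new guard only looks at whether TLS was actually negotiated, so compression first, TLS first, or both give the expected answers.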