Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Tags: wheezy
Usertags: pu
Please let ejabberd/2.1.10-4+deb7u1 enter Wheezy.

The proposed version is built upon 2.1.10-5 [1] which was prepared for the first Wheezy point release but missed it by a narrow margin.

Additionally two more bugs were fixed:

* Disabled SSLv2 and weak cyphers in TLS driver [2].
* Fixed rendering of angle brackets in logs produced for multi-user chat (MUC) rooms when a plain-text format is enabled for them (resulting in nicknames disappearing from these logs and similar issues) [3].

I have verified both of these bugfixes work as intended.

Please see the attached debdiff. It's a bit large but please notice that half of it is the unborn 2.1.10-5.

1. http://bugs.debian.org/706209
2. http://bugs.debian.org/724992
3. http://bugs.debian.org/724994
diff -u ejabberd-2.1.10/debian/NEWS ejabberd-2.1.10/debian/NEWS --- ejabberd-2.1.10/debian/NEWS +++ ejabberd-2.1.10/debian/NEWS @@ -1,3 +1,16 @@ +ejabberd (2.1.10-4+deb7u1) unstable; urgency=low + + This release adds support for the SCRAM-SHA-1 authentication mecnahism. + If the fully-qualified hostname of the server differs from the name + of the XMPP domain it serves, in order for this mechanism to work + with compliant clients, a modification should be made to the ejabberd's + configuration file. + + Please consult the section "Using SCRAM-SHA-1 authentication mechanism" + in the README.Debian file for detailed information. + + -- Konstantin Khomoutov <flatw...@users.sourceforge.net> Thu, 16 May 2013 13:27:56 +0000 + ejabberd (2.1.8-1) unstable; urgency=low This release drops support for the @recent@ shared roster group diff -u ejabberd-2.1.10/debian/changelog ejabberd-2.1.10/debian/changelog --- ejabberd-2.1.10/debian/changelog +++ ejabberd-2.1.10/debian/changelog 
@@ -1,3 +1,22 @@ +ejabberd (2.1.10-4+deb7u1) unstable; urgency=low + + [ Konstantin Khomoutov ] + * Add patch fixing parsing of optional parameters in SCRAM SHA-1 headers + (closes: #705613, thanks to Stephen Röttger for both writing the + original patch and backporting it to 2.1.10). + * Explain the "fqdn" configuration file option which has to be used + in certain setups for the SCRAM-SHA-1 to work with complying clients. + Mention this fact in the NEWS file. (Closes: #706590) + * Add upstream patch fixing incorrect escaping of a single quote character + in SQL queries generated by the ODBC storage backend (closes: #708151, + thanks to Vladislav Chugunov). + * Add upstream patches disabling SSLv2 and weak cyphers in TLS driver + (closes: #724992). + * Add patch (extracted from upstream) which fixes rendering of angle + brackets in plain-text MUC logs (closes: #724994). + + -- Konstantin Khomoutov <flatw...@users.sourceforge.net> Sun, 29 Sep 2013 21:48:11 +0400 + ejabberd (2.1.10-4) unstable; urgency=low [ Konstantin Khomoutov ] diff -u ejabberd-2.1.10/debian/README.Debian ejabberd-2.1.10/debian/README.Debian --- ejabberd-2.1.10/debian/README.Debian +++ ejabberd-2.1.10/debian/README.Debian @@ -14,6 +14,7 @@ 6. Upgrading from 2.0.x series 6.1 Changes in ejabberdctl program 6.2 Changes in logging +7. Using SCRAM-SHA-1 authentication mechanism 1. Running 
@@ -361,6 +362,47 @@ to "--erlang-log" to match the change above. +7. Using SCRAM-SHA-1 authentication mechanism +============================================= + +Since version 2.1.9 ejabberd supports the SCRAM-SHA-1 authentication +mechanism (which, among other things, allows to not store passwords of +XMPP accounts in clear text if the internal database backend is used +for storage). This authentication process implemented by this +mechanism includes the client sending a so-called "digest URI" which +includes the server's identity as perceived by the connecting client. +The SCRAM-SHA-1 RFC document requires this identity to be the +fully-qualified host name of the server. This hostname is typically +obtained by the client by looking up a server-specific DNS record of +type SRV for the XMPP domain the client wants to register in. + +Unfortunately, the current implementation of SCRAM-SHA-1 in ejabberd +is not able to perform the same kind of DNS query as used by the +clients to know its "canonical" fully-qualified host name. +Consequently, if the actual hostname of the server differs from the +name of the XMPP domain it serves, a special option should be included +in the configuration file to let the server know its hostname as seen +by its clients. This configuration option is called "fqdn" and it +expects a single argument -- the fully-qualified hostname of the +server, as recorded in the appropriate DNS SRV record for the server. +An example of its usage: + +{fqdn, "foo.example.com"}. + +It worth repeating that if the server's hostname is not different from +the name of XMPP domain it servers (for instance, the XMPP domain is +"example.com" and the server's hostname is also "example.com") the +usage of this configuration option is not necessary as ejabberd will +just use the domain name in the indicated case. 
+ +It should be noted that while certain clients faithfully implement the +SCRAM-SHA-1 specification, some other clients diverge and use the XMPP +domain instead of the fully-qualified hostname of the server in the +digest URI strings they send. Ejabberd implements relaxed rules for +interpreting digest URIs to be interoperable with broken client +implementations. + + Authors ======= diff -u ejabberd-2.1.10/debian/patches/series ejabberd-2.1.10/debian/patches/series --- ejabberd-2.1.10/debian/patches/series +++ ejabberd-2.1.10/debian/patches/series @@ -9,0 +10,5 @@ +scram-optional-parameter-parsing-bugfix.patch +fix-odbc-escaping.patch +disable-ssl2.patch +disable-insecure-ssl-cyphers.patch +fix-nicks-in-plaintext-muc-log.patch only in patch2: unchanged: --- ejabberd-2.1.10.orig/debian/patches/disable-ssl2.patch +++ ejabberd-2.1.10/debian/patches/disable-ssl2.patch 
@@ -0,0 +1,36 @@ +Description: Disable SSLv2 in the TLS driver + SSL 2.0 is not used anywhere as it has security problems. + Disable it unconditionally both in server and client mode. + This does not disable support for SSL 2.0 compatible client + hello which still will be accepted in the server mode. + . + This patch is a backport of changes introduced by the commit + e06c1c49c14c3f56cf4ddae080514f7802669335 in the upstream Git repository + to the ejabberd code base as of version 2.1.12. +Author: Janusz Dziemidowicz <rrapt...@nails.eu.org> +Forwarded: not-needed +Last-Update: 2013-09-29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/tls/tls_drv.c ++++ b/src/tls/tls_drv.c +@@ -354,6 +354,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle, + res = SSL_CTX_check_private_key(ctx); + die_unless(res > 0, "SSL_CTX_check_private_key failed"); + ++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET); ++ + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + SSL_CTX_set_default_verify_paths(ctx); + #ifdef SSL_MODE_RELEASE_BUFFERS +@@ -386,10 +388,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle, + SSL_set_bio(d->ssl, d->bio_read, d->bio_write); + + if (command == SET_CERTIFICATE_FILE_ACCEPT) { +- SSL_set_options(d->ssl, SSL_OP_NO_TICKET); + SSL_set_accept_state(d->ssl); + } else { +- SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET); + SSL_set_connect_state(d->ssl); + } + break; only in patch2: unchanged: --- ejabberd-2.1.10.orig/debian/patches/scram-optional-parameter-parsing-bugfix.patch +++ ejabberd-2.1.10/debian/patches/scram-optional-parameter-parsing-bugfix.patch 
@@ -0,0 +1,99 @@ +Description: Fix parsing SCRAM optional parameters + The server gave an authentication error, if optional parameters + were present in the GS2 Header. Specifically, the "a=" parameter, + that can be used by admins to login as a different user. + . + This patch is a backport of changes introduced by the commit + 9e9b0eae802ee0508db6780426954efd048e7976 in the upstream Git repository + to the ejabberd code base as of version 2.1.10. +Author: Stephen Röttger <stephen.roett...@gmail.com> +Forwarded: not-needed +Bug: https://support.process-one.net/browse/EJAB-1632 +Last-Update: 2013-03-25 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/cyrsasl_scram.erl ++++ b/src/cyrsasl_scram.erl +@@ -34,6 +34,8 @@ + + -include("ejabberd.hrl"). + ++-include("jlib.hrl"). ++ + -behaviour(cyrsasl). + + -record(state, {step, stored_key, server_key, username, get_password, check_password, +@@ -52,8 +54,12 @@ + {ok, #state{step = 2, get_password = GetPassword}}. 
+ + mech_step(#state{step = 2} = State, ClientIn) -> +- case string:tokens(ClientIn, ",") of +- [CBind, UserNameAttribute, ClientNonceAttribute] when (CBind == "y") or (CBind == "n") -> ++ case re:split(ClientIn, ",", [{return, list}]) of ++ [_CBind, _AuthorizationIdentity, _UserNameAttribute, _ClientNonceAttribute, ExtensionAttribute | _] ++ when ExtensionAttribute /= [] -> ++ {error, <<"protocol-error-extension-not-supported">>}; ++ [CBind, _AuthorizationIdentity, UserNameAttribute, ClientNonceAttribute | _] ++ when (CBind == "y") or (CBind == "n") -> + case parse_attribute(UserNameAttribute) of + {error, Reason} -> + {error, Reason}; +@@ -100,32 +106,36 @@ + case string:tokens(ClientIn, ",") of + [GS2ChannelBindingAttribute, NonceAttribute, ClientProofAttribute] -> + case parse_attribute(GS2ChannelBindingAttribute) of +- {$c, CVal} when (CVal == "biws") or (CVal == "eSws") -> +- %% biws is base64 for n,, => channelbinding not supported +- %% eSws is base64 for y,, => channelbinding supported by client only +- Nonce = State#state.client_nonce ++ State#state.server_nonce, +- case parse_attribute(NonceAttribute) of +- {$r, CompareNonce} when CompareNonce == Nonce -> +- case parse_attribute(ClientProofAttribute) of +- {$p, ClientProofB64} -> +- ClientProof = base64:decode(ClientProofB64), +- AuthMessage = State#state.auth_message ++ "," ++ string:substr(ClientIn, 1, string:str(ClientIn, ",p=")-1), +- ClientSignature = scram:client_signature(State#state.stored_key, AuthMessage), +- ClientKey = scram:client_key(ClientProof, ClientSignature), +- CompareStoredKey = scram:stored_key(ClientKey), +- if CompareStoredKey == State#state.stored_key -> +- ServerSignature = scram:server_signature(State#state.server_key, AuthMessage), +- {ok, [{username, State#state.username}], "v=" ++ base64:encode_to_string(ServerSignature)}; +- true -> +- {error, "bad-auth"} ++ {$c, CVal} -> ++ ChannelBindingSupport = string:left(jlib:decode_base64(CVal), 1), ++ if (ChannelBindingSupport == 
"n") ++ or (ChannelBindingSupport == "y") -> ++ Nonce = State#state.client_nonce ++ State#state.server_nonce, ++ case parse_attribute(NonceAttribute) of ++ {$r, CompareNonce} when CompareNonce == Nonce -> ++ case parse_attribute(ClientProofAttribute) of ++ {$p, ClientProofB64} -> ++ ClientProof = base64:decode(ClientProofB64), ++ AuthMessage = State#state.auth_message ++ "," ++ string:substr(ClientIn, 1, string:str(ClientIn, ",p=")-1), ++ ClientSignature = scram:client_signature(State#state.stored_key, AuthMessage), ++ ClientKey = scram:client_key(ClientProof, ClientSignature), ++ CompareStoredKey = scram:stored_key(ClientKey), ++ if CompareStoredKey == State#state.stored_key -> ++ ServerSignature = scram:server_signature(State#state.server_key, AuthMessage), ++ {ok, [{username, State#state.username}], "v=" ++ base64:encode_to_string(ServerSignature)}; ++ true -> ++ {error, "bad-auth"} ++ end; ++ _Else -> ++ {error, "bad-protocol"} + end; ++ {$r, _} -> ++ {error, "bad-nonce"}; + _Else -> + {error, "bad-protocol"} + end; +- {$r, _} -> +- {error, "bad-nonce"}; +- _Else -> +- {error, "bad-protocol"} ++ true -> ++ {error, "bad-channel-binding"} + end; + _Else -> + {error, "bad-protocol"} only in patch2: unchanged: --- ejabberd-2.1.10.orig/debian/patches/fix-nicks-in-plaintext-muc-log.patch +++ ejabberd-2.1.10/debian/patches/fix-nicks-in-plaintext-muc-log.patch 
@@ -0,0 +1,92 @@ +Description: Fix angle brackets handle in MUC plaintext log + If the type of log files generated by the mod_muc_module + is set to plaintext, the renderer cuts out all the text + which starts with a '<' character and ends with a '>' characters, + inclusive, which, among other things, inhibits displaying of + room nicknames. This patch fixes this behaviour. + . + This patch is a backport of changes introduced by the commits + 15073aafa58871b8d5e25652d492fb3a76900d5b, + bc8264b2ac6cf58d267dc06bb0d45585d5d677d0, + e85f7566dd7895f922f63528feed2995cd3eb52b and + 0b96b745bf4146dca3c3709765945fc97679465f in the upstream + Git repository to the ejabberd code base as of version 2.1.13. +Author: Badlop <bad...@process-one.net> +Forwarded: not-needed +Last-Update: 2013-09-30 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/mod_muc/mod_muc_log.erl ++++ b/src/mod_muc/mod_muc_log.erl +@@ -52,6 +52,9 @@ + -define(PROCNAME, ejabberd_mod_muc_log). + -record(room, {jid, title, subject, subject_author, config}). + ++-define(PLAINTEXT_CO, "ZZCZZ"). ++-define(PLAINTEXT_IN, "ZZIZZ"). ++-define(PLAINTEXT_OUT, "ZZOZZ"). + + -record(logstate, {host, + out_dir, +@@ -311,6 +314,11 @@ + fw(F, " <a href=\"http://jigsaw.w3.org/css-validator/\"><img style=\"border:0;width:88px;height:31px\" src=\"~s/vcss.png\" alt=\"Valid CSS!\"/></a>", [Images_dir]), + fw(F, "</span></div></body></html>"). + ++htmlize_nick(Nick1, html) -> ++ htmlize("<"++Nick1++">", html); ++htmlize_nick(Nick1, plaintext) -> ++ htmlize(?PLAINTEXT_IN++Nick1++?PLAINTEXT_OUT, plaintext). 
++ + add_message_to_log(Nick1, Message, RoomJID, Opts, State) -> + #logstate{out_dir = OutDir, + dir_type = DirType, +@@ -323,7 +331,7 @@ + top_link = TopLink} = State, + Room = get_room_info(RoomJID, Opts), + Nick = htmlize(Nick1, FileFormat), +- Nick2 = htmlize("<"++Nick1++">", FileFormat), ++ Nick2 = htmlize_nick(Nick1, FileFormat), + Now = now(), + TimeStamp = case Timezone of + local -> calendar:now_to_local_time(Now); +@@ -438,7 +446,7 @@ + STimeUnique = io_lib:format("~s.~w", [STime, Microsecs]), + + %% Write message +- fw(F, io_lib:format("<a id=\"~s\" name=\"~s\" href=\"#~s\" class=\"ts\">[~s]</a> ", ++ catch fw(F, io_lib:format("<a id=\"~s\" name=\"~s\" href=\"#~s\" class=\"ts\">[~s]</a> ", + [STimeUnique, STimeUnique, STimeUnique, STime]) ++ Text, FileFormat), + + %% Close file +@@ -662,7 +670,10 @@ + html -> + S1; + plaintext -> +- ejabberd_regexp:greplace(S1, "<[^>]*>", "") ++ S1a = ejabberd_regexp:greplace(S1, "<[^<^>]*>", ""), ++ S1x = ejabberd_regexp:greplace(S1a, ?PLAINTEXT_CO, "~~"), ++ S1y = ejabberd_regexp:greplace(S1x, ?PLAINTEXT_IN, "<"), ++ ejabberd_regexp:greplace(S1y, ?PLAINTEXT_OUT, ">") + end, + io:format(F, S2, []). + +@@ -767,14 +778,16 @@ + htmlize(S1, html). + + htmlize(S1, plaintext) -> +- S1; ++ ejabberd_regexp:greplace(S1, "~", ?PLAINTEXT_CO); + htmlize(S1, FileFormat) -> + htmlize(S1, false, FileFormat). + + %% The NoFollow parameter tell if the spam prevention should be applied to the link found + %% true means 'apply nofollow on links'. 
+-htmlize(S1, _NoFollow, plaintext) -> +- S1; ++htmlize(S0, _NoFollow, plaintext) -> ++ S1 = ejabberd_regexp:greplace(S0, "~", ?PLAINTEXT_CO), ++ S1x = ejabberd_regexp:greplace(S1, "<", ?PLAINTEXT_IN), ++ ejabberd_regexp:greplace(S1x, ">", ?PLAINTEXT_OUT); + htmlize(S1, NoFollow, _FileFormat) -> + S2_list = string:tokens(S1, "\n"), + lists:foldl( only in patch2: unchanged: --- ejabberd-2.1.10.orig/debian/patches/disable-insecure-ssl-cyphers.patch +++ ejabberd-2.1.10/debian/patches/disable-insecure-ssl-cyphers.patch @@ -0,0 +1,34 @@ +Description: Disable old and insecure cyphers in TLS driver + Disabled: + * Export ciphers - broken by design, 40 and 56 bit encryption. + * Low encryption ciphers - 56 and 64 bit encryption. + * SSLv2 ciphers - some ciphers using MD5 MAC. + . + This patch is a backport of changes introduced by the commit + d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository + to the ejabberd code base as of version 2.1.12. +Author: Janusz Dziemidowicz <rrapt...@nails.eu.org> +Forwarded: not-needed +Last-Update: 2013-09-29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/tls/tls_drv.c ++++ b/src/tls/tls_drv.c +@@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t; + #define SSL_OP_NO_TICKET 0 + #endif + ++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2" ++ + /* + * R15B changed several driver callbacks to use ErlDrvSizeT and + * ErlDrvSSizeT typedefs instead of int. +@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle, + + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET); + ++ SSL_CTX_set_cipher_list(ctx, CIPHERS); ++ + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + SSL_CTX_set_default_verify_paths(ctx); + #ifdef SSL_MODE_RELEASE_BUFFERS only in patch2: unchanged: --- ejabberd-2.1.10.orig/debian/patches/fix-odbc-escaping.patch +++ ejabberd-2.1.10/debian/patches/fix-odbc-escaping.patch 
@@ -0,0 +1,35 @@ +Description: Fix escaping of single quotes in SQL queries + The ODBC backend code improperly used a backslash character + to escape a single quote character in SQL queries instead of + duplicating the single quote character as required by SQL-92, + rendering the generated queries not understandable for certain + SQL servers, namely PostgreSQL. The patch corrects this problem. + . + This patch is extracted from the commit + 89aa7baa5b5601c078d90bcd64deede218c7e5a8 in the upstream Git repository. + . + The first upstream version to integrate this patch is 2.1.11. +Author: Evgeniy Khramtsov <ekhramt...@process-one.net> +Forwarded: not-needed +Bug: https://github.com/processone/ejabberd/issues/24 +Last-Update: 2013-05-15 +XXX +commit +Date: Tue Jan 31 11:18:14 2012 +1000 + + Replace a single quote with double quotes in + an ODBC escape (thanks to Vladislav Chugunov) + +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/odbc/odbc_queries.erl ++++ b/src/odbc/odbc_queries.erl +@@ -557,7 +557,7 @@ escape($\n) -> "\\n"; + escape($\t) -> "\\t"; + escape($\b) -> "\\b"; + escape($\r) -> "\\r"; +-escape($') -> "\\'"; ++escape($') -> "''"; + escape($") -> "\\\""; + escape($\\) -> "\\\\"; + escape(C) -> C.
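Review bot: the new debian/changelog and debian/NEWS stanzas for 2.1.10-4+deb7u1 name `unstable` as the target distribution, but this is a wheezy proposed-update (Tags: wheezy, Usertags: pu), so the distribution field should be `wheezy` (or `stable`) or the upload lands in the wrong suite. Two smaller points in the NEWS stanza: "mecnahism" should read "mechanism", and its date (Thu, 16 May 2013) predates the changelog entry it accompanies (Sun, 29 Sep 2013); a NEWS entry should carry the date of the release it announces.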
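Review bot: in the new README.Debian section 7 ("Using SCRAM-SHA-1 authentication mechanism"), the text attributes a "digest URI" to SCRAM-SHA-1, but RFC 5802 SCRAM messages carry no digest URI; that field belongs to DIGEST-MD5 (RFC 2831). Please check which mechanism the `fqdn` option actually governs in this code base and name it accordingly, otherwise administrators are told to reconfigure for a mechanism that never uses the value. The closing paragraph's "relaxed rules for interpreting digest URIs" would also be clearer if it said what is relaxed (the XMPP domain being accepted in place of the fully-qualified host name), so readers know which check is loosened. Wording fixes while editing: "This authentication process implemented by" should be "The authentication process implemented by", "allows to not store" should be "allows not storing", "It worth repeating" should be "It is worth repeating", and "the name of XMPP domain it servers" should be "the name of the XMPP domain it serves".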
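Review bot: in the tls_drv.c hunk of disable-ssl2.patch the Description should state explicitly that SSLv3 and later protocols stay enabled, since only `SSL_OP_NO_SSLv2` (plus `SSL_OP_NO_TICKET`) is set and the title "Disable SSLv2 in the TLS driver" could be read as covering all legacy SSL. The change itself is sound: applying the options on the `SSL_CTX` means every `SSL` object created from it inherits them, so removing the two per-connection `SSL_set_options` calls is correct and the accept side now refuses SSLv2 as the connect side already did. For a backport of an upstream commit, `Origin: backport, <commit url>` would make the provenance machine-readable alongside `Forwarded: not-needed`.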
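Review bot: in the `mech_step(#state{step = 2} ...)` region of scram-optional-parameter-parsing-bugfix.patch, the second clause binds the GS2 authorization identity to `_AuthorizationIdentity` and never looks at it again, so a client that sends `a=someone-else` is authenticated as its own username while the identity it asked to act as is silently dropped. Since the Description itself says the "a=" parameter "can be used by admins to login as a different user", silently ignoring it can mislead a client into believing the server granted that identity. Suggest either rejecting a non-empty authzid with an explicit error (as the first clause already does for an unsupported extension attribute) or checking that it equals the authenticated user, and saying in the Description which behaviour was chosen. Switching from `string:tokens` to `re:split` is the right move here, since `string:tokens` collapses the empty authzid field and was the reason only the three-element form ever matched.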
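Review bot: in the `@@ -100,32 +106,36 @@` region of scram-optional-parameter-parsing-bugfix.patch, the channel-binding check is loosened from an exact comparison against `"biws"`/`"eSws"` to only inspecting the first character of `jlib:decode_base64(CVal)`, so any `c=` value whose decoded header begins with `n` or `y` is now accepted regardless of whether it matches the GS2 header sent in the client-first message. The client proof cannot catch such a mismatch because both sides compute AuthMessage over the same received bytes, so the server should keep the step-2 header in `#state{}` and compare the decoded `c=` value against it. Two smaller points in the same region: the result of `jlib:decode_base64(CVal)` on a malformed value is not guarded the way the `parse_attribute` results are, and `case string:tokens(ClientIn, ",") of [GS2ChannelBindingAttribute, NonceAttribute, ClientProofAttribute]` still requires exactly three attributes in client-final, so an extension attribute there is still rejected with "bad-protocol" even though step 2 now tolerates them; if that asymmetry is intentional a comment saying so would help.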
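Review bot: in the add_message_to_log region of fix-nicks-in-plaintext-muc-log.patch, wrapping the write as `catch fw(F, io_lib:format(...) ++ Text, FileFormat)` discards any failure, so a message that trips the formatter simply vanishes from the archive with no trace for the operator. Suggest `case catch fw(...) of {'EXIT', Reason} -> <log Reason with the project's error macro>; _ -> ok end`, or at least logging the exception, so that dropped log lines are visible rather than silent.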
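Review bot: in the htmlize/plaintext hunks of fix-nicks-in-plaintext-muc-log.patch, the substitution of `~` with `?PLAINTEXT_CO` and its restoration as `~~` exists because the context line `io:format(F, S2, [])` still hands the assembled log text to io:format as its format string; that makes the tilde escaping a format-string hardening for participant-supplied text (a bare `~` or `~n` in a message would otherwise be parsed as a directive), which the Description presents only as a nick-rendering fix and should state. A more robust fix is `io:format(F, "~s", [S2])`, so no content is ever parsed for directives and the ZZCZZ marker becomes unnecessary, provided no remaining caller relies on directives in S2. Smaller point: in the new regex `"<[^<^>]*>"` the `^` inside the character class is literal and only adds `^` to the excluded characters; `"<[^<>]*>"` reads as what was intended.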
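Review bot: in the tls_drv.c hunk of disable-insecure-ssl-cyphers.patch the return value of `SSL_CTX_set_cipher_list(ctx, CIPHERS)` is ignored; it returns 0 when no cipher in the list can be selected, in which case the context silently keeps whatever cipher set it had. The surrounding code already uses `res = SSL_CTX_check_private_key(ctx); die_unless(res > 0, ...)`, so `res = SSL_CTX_set_cipher_list(ctx, CIPHERS); die_unless(res > 0, "SSL_CTX_set_cipher_list failed");` keeps a misconfiguration loud. Note also that this hunk anchors on the `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);` line introduced by disable-ssl2.patch; the order in debian/patches/series satisfies that, but the dependency deserves a line in the Description.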
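Review bot: the DEP-3 header of fix-odbc-escaping.patch contains a stray block (`XXX`, `commit`, `Date: Tue Jan 31 11:18:14 2012 +1000` and the upstream commit message) between `Last-Update:` and the `---` separator; these are not DEP-3 fields and will confuse tools that parse the header, so either drop them or fold the upstream date and message into the free-form Description. On the change itself, `escape($') -> "''"` is the right fix and also closes a real hazard beyond portability: on a PostgreSQL server with standard_conforming_strings enabled a backslash is literal, so `\'` left the quote unescaped and a value containing `'` could terminate the string literal, whereas doubling the quote is understood by every SQL dialect. The remaining clauses (`\\n`, `\\\\`, `\\"`) are still backslash-style escapes that such a server stores literally, which the Description could mention as out of scope for this patch.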