** Description changed:
Xenial 16.04.3 LTS ships with jabberd2 version 2.3.4-1ubuntu2 (as of
this report). This version is vulnerable to CVE-2017-10807, namely it
allows "anonymous" SASL authentication even when that option is switched
off in the configuration:
```
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication
succeeded: 097569a80f3845d6f94a102ca0222249fec72...@average.org
::ffff:194.226.137.229:56570 TLS
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication
succeeded: 369e2c61a89bad270f56e2c0cac4f01c9d0ab...@average.org
::ffff:194.226.137.229:56589 TLS
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication
succeeded: b15ccb46d7197298474fb8d923701271f34b0...@average.org
::ffff:194.226.137.229:56592 TLS
Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication
succeeded: 3105c6b061a13e9e24bc72ff51f2c2f127d42...@average.org
::ffff:194.226.137.229:56611 TLS
```
There is Debian bug #867032 for this vulnerability.
Current upstream versions of jabberd2 are not vulnerable; in particular
version 2.6.1-1 that ships with artful is _probably_ not vulnerable, so
this report only applies to the LTS release.
+
+ Apparently fixed by this upstream commit:
+
https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16
** Also affects: jabberd2 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1747893
Title:
jabberd2 before 2.6.1 allows anyone to authenticate using SASL
ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled
To manage notifications about this bug go to:
https://bugs.launchpad.net/jabberd2/+bug/1747893/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
