FS#42541 - [ejabberd] CVE-2014-8760: compression allows circumvention of encryption despite starttls_required
Attached to Project:
Community Packages
Opened by Levente Polyak (anthraxx) - Saturday, 25 October 2014, 01:37 GMT
Last edited by Sergej Pupykin (sergej) - Monday, 27 October 2014, 11:38 GMT
Details
Description:
It has been reported [0] that ejabberd 14.07-1 has a bug which may result in an unencrypted connection even if starttls_required is set. This issue is tracked as CVE-2014-8760 [1].

Mitigation: The problem has been fixed upstream [2] but no release is available yet. I recommend backporting the patch [2], as users may unexpectedly connect without encryption and send sensitive information in plaintext even if encryption was set as required. As the original patch is not compatible with 14.07 (because of different line numbers), I have attached an adjusted and compile-tested patch (which works on top of 14.07).

Patch command: patch -p1 -i ../CVE-2014-8760.starttls_required.patch

[0] http://mail.jabber.org/pipermail/operators/2014-October/002438.html
[1] https://access.redhat.com/security/cve/CVE-2014-8760
[2] https://github.com/processone/ejabberd/commit/7bdc1151b