FS#42541 - [ejabberd] CVE-2014-8760: compression allows circumvention of encryption despite starttls_required

Attached to Project: Community Packages
Opened by Levente Polyak (anthraxx) - Saturday, 25 October 2014, 01:37 GMT
Last edited by Sergej Pupykin (sergej) - Monday, 27 October 2014, 11:38 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
It has been reported [0] that ejabberd 14.07-1 has a bug which may result in an unencrypted connection even if starttls_required is set.
This issue is tracked as CVE-2014-8760 [1].

Mitigation:
The problem has been fixed upstream [2] but no release is available yet.
I recommend backporting the patch [2], as users may unexpectedly connect without encryption and send sensitive information in plaintext even if encryption was set as required.
As the original patch is not compatible with 14.07 (because of different line numbers), I have attached an adjusted and compile-tested patch (which works on top of 14.07).

Patch-command:
patch -p1 -i ../CVE-2014-8760.starttls_required.patch

[0] http://mail.jabber.org/pipermail/operators/2014-October/002438.html
[1] https://access.redhat.com/security/cve/CVE-2014-8760
[2] https://github.com/processone/ejabberd/commit/7bdc1151b
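Added illustration of the bug class the title describes, not ejabberd's code and not part of the report or the upstream patch: a toy model of client-to-server feature negotiation in which a stream-compression request (XEP-0138) sent before STARTTLS lets the client authenticate over a plaintext stream even though starttls_required is set. The class and method names, the `patched` switch and the transport-layer mechanism used to reproduce the bypass are this example's own assumptions; the real change is in upstream commit 7bdc1151b [2].

```python
"""Toy model of XMPP client-to-server feature negotiation with starttls_required.

Constructed illustration for the bug class in CVE-2014-8760; NOT ejabberd's
code.  The unpatched variant derives "is TLS still pending?" from the socket
layer instead of an explicit TLS flag, so stacking zlib on the plaintext
socket makes the requirement disappear.  Names, the `patched` switch and that
mechanism are assumptions made for this example.
"""


class StreamError(Exception):
    """Server refused the client's request with a stream-level failure."""


class C2SStream:
    """Server-side negotiation state for one client connection."""

    def __init__(self, starttls_required=True, patched=True):
        self.starttls_required = starttls_required
        self.patched = patched          # False = modelled pre-fix behaviour
        self.transport = "tcp"          # "tcp", then "tls" or "zlib" stacked on top
        self.tls_established = False
        self.compressed = False
        self.authenticated = False

    def _tls_pending(self):
        """True while starttls_required still forbids anything but STARTTLS."""
        if self.patched:
            # Fix: track TLS explicitly, independent of what sits on the socket.
            return self.starttls_required and not self.tls_established
        # Modelled defect (assumption for illustration): TLS counts as pending
        # only while the socket is still raw TCP, so a zlib layer on the
        # plaintext socket silently satisfies the check.
        return self.starttls_required and self.transport == "tcp"

    def features(self):
        """Features the server would advertise in <stream:features/>."""
        f = []
        if not self.tls_established:
            f.append("starttls")
        if not self.compressed and not (self.patched and self._tls_pending()):
            f.append("compression")
        if not self.authenticated and not self._tls_pending():
            f.append("mechanisms")
        return f

    def starttls(self):
        if self.tls_established:
            raise StreamError("TLS already established")
        if self.compressed:
            # TLS must sit below compression; it cannot be added afterwards.
            raise StreamError("STARTTLS not allowed on a compressed stream")
        self.tls_established = True
        self.transport = "tls"

    def compress(self):
        if self.compressed:
            raise StreamError("stream already compressed")
        if self.patched and self._tls_pending():
            # Fix: refuse compression until the required TLS layer exists.
            raise StreamError("starttls_required: compression refused on plaintext")
        self.compressed = True
        self.transport = "zlib"

    def auth(self):
        if self._tls_pending():
            raise StreamError("starttls_required: authentication refused on plaintext")
        self.authenticated = True


def run_client(stream, steps):
    """Drive `stream` through `steps`; return (authenticated, tls, refusals)."""
    refusals = []
    for step in steps:
        try:
            getattr(stream, step)()
        except StreamError as e:
            refusals.append(f"{step}: {e}")
    return stream.authenticated, stream.tls_established, refusals


def bypass_succeeds(patched):
    """Does 'compress, then auth' (no STARTTLS) yield an authenticated plaintext session?"""
    s = C2SStream(starttls_required=True, patched=patched)
    authed, tls, _ = run_client(s, ["compress", "auth"])
    return authed and not tls


if __name__ == "__main__":
    for patched in (False, True):
        s = C2SStream(starttls_required=True, patched=patched)
        print("patched" if patched else "unpatched", "features:", s.features())
        print("  compress->auth bypass:", bypass_succeeds(patched))
```

The point to take from the model is the shape of the fix rather than the specific lines: when a setting like starttls_required is enforced, the check has to be applied to every request that can advance the stream (compression as well as authentication) and has to come from an explicit "TLS established" flag, not from a property of the socket that other features may change. The patched variant also stops advertising compression while TLS is pending, so a well-behaved client never tries the refused path.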

Closed by Sergej Pupykin (sergej)
Monday, 27 October 2014, 11:38 GMT
Reason for closing: Fixed
