Package: ejabberd
Version: 2.1.9
Severity: important

This version of ejabberd added support for SCRAM-SHA-1 authentication. Unfortunately, it rejects RFC-compliant GS2 headers containing the "a=" parameter.

Here is an upstream bug report with a test case and a patch against current upstream git, developed by Stephen Röttger, who wrote the ejabberd SCRAM-SHA-1 code originally: https://support.process-one.net/browse/EJAB-1632

At least one XMPP client sends these headers by default: git-annex does, due to using the Haskell XMPP library, which uses libgsasl7. The Haskell XMPP library's only involvement seems to be in passing this information to gsasl. According to its author, John Millikin:

> The XMPP code passes in any parameters it has available that might be
> needed for gsasl to complete the authentication. While removing it
> might allow auth to succeed in this case, it could also break auth for
> servers that want to validate the user JID's domain name.

So, it seems likely to me that other XMPP clients that use gsasl may also be hit by this incompatibility. However, I have not tried to find ones that are incompatible. It's bad enough that git-annex hits this.

I think you should consider backporting this to wheezy. It's unknown how many XMPP clients trigger this incompatibility, and it's probably better not to find out! The patch, leaving aside some indentation changes, is only a few dozen lines.

-- 
see shy jo
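As an added example (not code from the bug report, the linked patch, or ejabberd itself): a parser for the SCRAM client-first-message that follows the RFC 5802 grammar, so the optional GS2 "a=" authzid field described above is accepted rather than rejected. The message values used are constructed; the nonce is the RFC 5802 example value.

```python
# Added example, not ejabberd's code nor the linked patch: parse a SCRAM
# client-first-message per RFC 5802 so that the optional GS2 "a=" (authzid)
# field, which the report says ejabberd 2.1.9 rejected, is accepted.
import re

def _unescape_saslname(name: str) -> str:
    """Decode saslname escapes (=2C -> ',', =3D -> '='); reject bare ',' or '='."""
    if not re.fullmatch(r"(?:[^,=]|=2C|=3D)+", name):
        raise ValueError("invalid saslname")
    return name.replace("=2C", ",").replace("=3D", "=")

def parse_client_first(msg: str) -> dict:
    """Split gs2-header (cbind-flag "," [ "a=" authzid ] ",") from the bare message."""
    parts = msg.split(",", 2)
    if len(parts) != 3:
        raise ValueError("truncated GS2 header")
    flag, authz, bare = parts
    if flag in ("n", "y"):
        cb_name = None
    elif re.fullmatch(r"p=[A-Za-z0-9.-]+", flag):
        cb_name = flag[2:]
    else:
        raise ValueError("bad channel-binding flag")
    if authz == "":
        authzid = None  # authzid is optional; the empty field is the common case
    elif authz.startswith("a="):
        authzid = _unescape_saslname(authz[2:])  # RFC-compliant, rejected by 2.1.9
    else:
        raise ValueError("bad authzid field")
    # client-first-message-bare = [reserved-mext ","] "n=" user "," "r=" nonce [...]
    attrs = bare.split(",")
    if attrs[0].startswith("m="):
        raise ValueError("unsupported mandatory extension")
    if len(attrs) < 2 or not attrs[0].startswith("n=") or not attrs[1].startswith("r="):
        raise ValueError("bad client-first-message-bare")
    return {
        "cbind_flag": flag[0],
        "cb_name": cb_name,
        "authzid": authzid,
        "username": _unescape_saslname(attrs[0][2:]),
        "nonce": attrs[1][2:],
        "bare": bare,  # kept verbatim: it is part of the AuthMessage that is signed
    }
```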