Your message dated Sat, 06 Sep 2014 09:50:41 +0000
with message-id <[email protected]>
and subject line Bug#747673: fixed in ejabberd 14.07-1
has caused the Debian Bug report #747673,
regarding Horrid default cipher settings without option to adjust them to sane values
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
747673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747673
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ejabberd
Version: 2.1.11-1
Severity: grave
Tags: security

When setting up ejabberd with a default configuration it allows only connections with a weak SSL configuration - if this is even configured:

1. By default ejabberd allows SSLv3 which is broken in various ways and thus should no longer be used.
2. By default ejabberd uses weak cipher suites that make use of weak primitives like DES, RC2, RC4, MD5, export ciphers.
3. By default ejabberd does not provide ANY ciphers that make use of forward secrecy and thus jeopardizes the communication of users that crossed this server in case of a private key compromise.
4. Most importantly ejabberd does not provide any way to adjust the accepted security parameters (acceptable protocol versions, cipher string, cipher ordering, used ECC curves, used ECDHE/DHE parameters).

Please make sure that a default configuration can be configured to use strong cryptography, using non-broken primitives and does so by default.

Kind regards,
Benny Baumann

P.S.: By courtesy of #747453.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'stable'), (750, 'experimental'), (700, 'unstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ejabberd depends on:
ii  adduser                        3.113+nmu3
ii  debconf [debconf-2.0]          1.5.53
ii  erlang-asn1                    1:17.0-dfsg-1
ii  erlang-base [erlang-abi-15.b]  1:17.0-dfsg-1
ii  erlang-crypto                  1:17.0-dfsg-1
ii  erlang-inets                   1:17.0-dfsg-1
ii  erlang-mnesia                  1:17.0-dfsg-1
ii  erlang-odbc                    1:17.0-dfsg-1
ii  erlang-public-key              1:17.0-dfsg-1
ii  erlang-ssl                     1:17.0-dfsg-1
ii  erlang-syntax-tools            1:17.0-dfsg-1
ii  libc6                          2.18-5
ii  libexpat1                      2.1.0-4
ii  libpam0g                       1.1.8-3
ii  libssl1.0.0                    1.0.1g-3
ii  openssl                        1.0.1g-3
ii  ucf                            3.0028
ii  zlib1g                         1:1.2.8.dfsg-1

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
ii  imagemagick                    8:6.7.7.10+dfsg-1
ii  libunix-syslog-perl            1.1-2+b3

-- debconf information excluded
--- End Message ---
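Checking a server's offered cipher suites against the report's points 2 to 4, as an added example that is not part of the bug report or of ejabberd: it parses `openssl ciphers -v` output (the sample lines below are constructed, not captured from any server) and flags the weak primitives, export suites and non-forward-secret key exchanges the report names, plus whether forward-secret suites are ranked ahead of the rest. Point 1 (SSLv3 acceptance) is a protocol-version setting and cannot be read off a cipher list, so it is not covered here.

```python
import re

# Constructed sample in `openssl ciphers -v` format (name, min protocol, Kx, Au, Enc, Mac, [export]); not from a real server.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

WEAK_ENC = ("DES", "RC2", "RC4")  # primitives named in the report; 3DES is not on its list
FS_KX = ("ECDH", "DH")            # ephemeral (EC)DH gives forward secrecy; static "ECDH/RSA" does not

def parse_ciphers_v(text):
    # One dict per suite; lines that do not match the -v layout are skipped.
    suites = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        d = m.groupdict()
        d["export"] = d["export"] is not None
        suites.append(d)
    return suites

def audit_suite(s):
    # Returns the report's objections that apply to one suite; an empty list means acceptable.
    problems = []
    enc_alg = s["enc"].split("(")[0]  # "RC4(128)" -> "RC4", "3DES(168)" -> "3DES"
    if enc_alg in WEAK_ENC:
        problems.append(f"weak cipher {enc_alg}")
    if s["mac"] == "MD5":
        problems.append("weak MAC MD5")
    if s["export"]:
        problems.append("export cipher")
    if s["kx"] not in FS_KX:
        problems.append("no forward secrecy")
    return problems

def audit_cipher_list(text):
    # Per-suite findings, whether forward secrecy is offered at all, and whether every
    # forward-secret suite is ranked before the rest (the server-side preference order).
    suites = parse_ciphers_v(text)
    findings = {s["name"]: audit_suite(s) for s in suites}
    fs_flags = [s["kx"] in FS_KX for s in suites]
    return findings, any(fs_flags), fs_flags == sorted(fs_flags, reverse=True)
```

Feeding it the real output of `openssl ciphers -v 'CIPHER-STRING'` audits a configured cipher string offline, without contacting the server.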
--- Begin Message ---
Source: ejabberd
Source-Version: 14.07-1

We believe that the bug you reported is fixed in the latest version of
ejabberd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Philipp Huebner <[email protected]> (supplier of updated ejabberd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sat, 30 Aug 2014 01:40:09 +0200
Source: ejabberd
Binary: ejabberd
Architecture: source amd64
Version: 14.07-1
Distribution: unstable
Urgency: low
Maintainer: Konstantin Khomoutov <[email protected]>
Changed-By: Philipp Huebner <[email protected]>
Description:
 ejabberd   - distributed, fault-tolerant Jabber/XMPP server written in Erlang
Closes: 503313 517178 539409 598332 610532 706897 712145 722478 737762 738496 744084 746029 746043 746073 747673 757858
Changes:
 ejabberd (14.07-1) unstable; urgency=low
 .
   * New upstream release (Closes: #503313, #539409, #610532, #706897, #712145,
     #722478, #746029, #746043, #746073, #747673)
   * Change default EJABBERD_NODE back to "ejabberd" (Closes: #757858)
   * Suppress misleading warning during postinst (Closes: #598332)
   * Declare package source format as 3.0 (quilt)
   * Switch to debhelper 9
   * Drop obsolete patches for older releases
   * Add new patches to make 14.07 build and work
   * Drop custom scripts in favour of upstream ones
   * Drop custom config+init in favour of upstream ones
     (Closes: #744084, #517178, #738496)
   * Adjust packaging to new upstream release
   * Update (Build-)Depends and Standards-Version
   * Update copyright
   * Update maintainer scripts
   * Update TODO
   * Update NEWS
   * Fix watch file
   * Clean up packaging
   * Add Provides: xmpp-server to debian/control (Closes: #737762)
--- End Message ---

