Hi Philipp, On Wed, Mar 29, 2017 at 10:57:03AM +0200, Emilio Pozuelo Monfort wrote: > On 29/03/17 10:12, Philipp Huebner wrote: > > Package: release.debian.org > > Severity: normal > > Tags: wheezy > > User: [email protected] > > Usertags: pu > > > > Hi, > > > > I'm not sure if another point update for Wheezy is planned or if this is > > a case for the LTS team, but I would like to update ejabberd in Wheezy. > > wheezy-proposed-updates is closed, closing this bug (-done Bcc'ed) and adding > debian-lts@ to Cc. > > Cheers, > Emilio > > > > > There are 2 minor security patches: > > * disable SSLv3 (Closes: #767521) > > * enforce the starttls_required setting (CVE-2014-8760, closes: #767535) > > > > Please advise. Complete diff from git repository is attached. > > > > Best wishes, > > Philipp > > >
> diff --git a/debian/changelog b/debian/changelog > index 2869431..55ede73 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,10 @@ > +ejabberd (2.1.10-4+deb7u2) oldstable; urgency=high > + > + * Disable SSLv3 (Closes: #767521) > + * Add patch to fix CVE-2014-8760 (Closes: #767535) > + > + -- Philipp Huebner <[email protected]> Wed, 29 Mar 2017 10:05:39 +0200 > + > ejabberd (2.1.10-4+deb7u1) stable-security; urgency=low > > [ Konstantin Khomoutov ] > diff --git a/debian/patches/CVE-2014-8760.patch > b/debian/patches/CVE-2014-8760.patch > new file mode 100644 > index 0000000..cd8c08b > --- /dev/null > +++ b/debian/patches/CVE-2014-8760.patch > @@ -0,0 +1,27 @@ > +Description: Make sure "starttls_required" can't be bypassed. > + Don't allow clients to circumvent the "starttls_required" option by > + enabling XMPP stream compression. (CVE-2014-8760) > +Author: Holger Weiss <[email protected]> > + > +Index: ejabberd/src/ejabberd_c2s.erl > +=================================================================== > +--- ejabberd.orig/src/ejabberd_c2s.erl > ++++ ejabberd/src/ejabberd_c2s.erl > +@@ -614,7 +614,7 @@ wait_for_feature_request({xmlstreameleme > + TLSRequired = StateData#state.tls_required, > + SockMod = (StateData#state.sockmod):get_sockmod(StateData#state.socket), > + case {xml:get_attr_s("xmlns", Attrs), Name} of > +- {?NS_SASL, "auth"} when not ((SockMod == gen_tcp) and TLSRequired) -> > ++ {?NS_SASL, "auth"} when TLSEnabled or not TLSRequired -> > + Mech = xml:get_attr_s("mechanism", Attrs), > + ClientIn = jlib:decode_base64(xml:get_cdata(Els)), > + case cyrsasl:server_start(StateData#state.sasl_state, > +@@ -720,7 +720,7 @@ wait_for_feature_request({xmlstreameleme > + end; > + _ -> > + if > +- (SockMod == gen_tcp) and TLSRequired -> > ++ TLSRequired and not TLSEnabled -> > + Lang = StateData#state.lang, > + send_element(StateData, ?POLICY_VIOLATION_ERR( > + Lang, > diff --git a/debian/patches/disable-insecure-ssl-cyphers.patch > b/debian/patches/disable-insecure-ssl-cyphers.patch > index 4ff049f..dc678c5 100644 > --- a/debian/patches/disable-insecure-ssl-cyphers.patch > +++ b/debian/patches/disable-insecure-ssl-cyphers.patch > @@ -3,32 +3,37 @@ Description: Disable old and insecure cyphers in TLS driver > * Export ciphers - broken by design, 40 and 56 bit encryption. > * Low encryption ciphers - 56 and 64 bit encryption. > * SSLv2 ciphers - some ciphers using MD5 MAC. > + * SSLv3 ciphers > . > This patch is a backport of changes introduced by the commit > d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository > to the ejabberd code base as of version 2.1.12. > + It was later extended to also disable SSLv3. > Author: Janusz Dziemidowicz <[email protected]> > Forwarded: not-needed > -Last-Update: 2013-09-29 > +Last-Update: 2017-03-29 > --- > This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ > ---- a/src/tls/tls_drv.c > -+++ b/src/tls/tls_drv.c > +Index: ejabberd/src/tls/tls_drv.c > +=================================================================== > +--- ejabberd.orig/src/tls/tls_drv.c > ++++ ejabberd/src/tls/tls_drv.c > @@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t; > #define SSL_OP_NO_TICKET 0 > #endif > > -+#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2" > ++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3" > + > /* > * R15B changed several driver callbacks to use ErlDrvSizeT and > * ErlDrvSSizeT typedefs instead of int. > -@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle, > +@@ -355,6 +357,9 @@ static ErlDrvSSizeT tls_drv_control(ErlD > + die_unless(res > 0, "SSL_CTX_check_private_key failed"); > > SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET); > - > -+ SSL_CTX_set_cipher_list(ctx, CIPHERS); > ++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET); > + > ++ SSL_CTX_set_cipher_list(ctx, CIPHERS); > + > SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); > SSL_CTX_set_default_verify_paths(ctx); > - #ifdef SSL_MODE_RELEASE_BUFFERS > diff --git a/debian/patches/series b/debian/patches/series > index 297e201..30f0424 100644 > --- a/debian/patches/series > +++ b/debian/patches/series > @@ -12,3 +12,4 @@ fix-odbc-escaping.patch > disable-ssl2.patch > disable-insecure-ssl-cyphers.patch > fix-nicks-in-plaintext-muc-log.patch > +CVE-2014-8760.patch The changes look sane to me. Could you upload to wheezy-security? If you don't want to prepare the DLA yourself I can do that but then it would be awesome if this cold happen on Friday earliest since I'm currently bit tight on time. I can test the package beforehand if you have built binaries for amd64 already. Cheers -- Guido
