Package: release.debian.org Severity: normal Tags: wheezy User: [email protected] Usertags: pu
Hi, I'm not sure if another point update for Wheezy is planned or if this is a case for the LTS team, but I would like to update ejabberd in Wheezy. There are 2 minor security patches: * disable SSLv3 (Closes: #767521) * enforce the starttls_required setting (CVE-2014-8760, closes: #767535) Please advise. Complete diff from git repository is attached. Best wishes, Philipp
diff --git a/debian/changelog b/debian/changelog index 2869431..55ede73 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ejabberd (2.1.10-4+deb7u2) oldstable; urgency=high + + * Disable SSLv3 (Closes: #767521) + * Add patch to fix CVE-2014-8760 (Closes: #767535) + + -- Philipp Huebner <[email protected]> Wed, 29 Mar 2017 10:05:39 +0200 + ejabberd (2.1.10-4+deb7u1) stable-security; urgency=low [ Konstantin Khomoutov ] diff --git a/debian/patches/CVE-2014-8760.patch b/debian/patches/CVE-2014-8760.patch new file mode 100644 index 0000000..cd8c08b --- /dev/null +++ b/debian/patches/CVE-2014-8760.patch @@ -0,0 +1,27 @@ +Description: Make sure "starttls_required" can't be bypassed. + Don't allow clients to circumvent the "starttls_required" option by + enabling XMPP stream compression. (CVE-2014-8760) +Author: Holger Weiss <[email protected]> + +Index: ejabberd/src/ejabberd_c2s.erl +=================================================================== +--- ejabberd.orig/src/ejabberd_c2s.erl ++++ ejabberd/src/ejabberd_c2s.erl +@@ -614,7 +614,7 @@ wait_for_feature_request({xmlstreameleme + TLSRequired = StateData#state.tls_required, + SockMod = (StateData#state.sockmod):get_sockmod(StateData#state.socket), + case {xml:get_attr_s("xmlns", Attrs), Name} of +- {?NS_SASL, "auth"} when not ((SockMod == gen_tcp) and TLSRequired) -> ++ {?NS_SASL, "auth"} when TLSEnabled or not TLSRequired -> + Mech = xml:get_attr_s("mechanism", Attrs), + ClientIn = jlib:decode_base64(xml:get_cdata(Els)), + case cyrsasl:server_start(StateData#state.sasl_state, +@@ -720,7 +720,7 @@ wait_for_feature_request({xmlstreameleme + end; + _ -> + if +- (SockMod == gen_tcp) and TLSRequired -> ++ TLSRequired and not TLSEnabled -> + Lang = StateData#state.lang, + send_element(StateData, ?POLICY_VIOLATION_ERR( + Lang, diff --git a/debian/patches/disable-insecure-ssl-cyphers.patch b/debian/patches/disable-insecure-ssl-cyphers.patch index 4ff049f..dc678c5 100644 --- a/debian/patches/disable-insecure-ssl-cyphers.patch +++ b/debian/patches/disable-insecure-ssl-cyphers.patch @@ -3,32 +3,37 @@ Description: Disable old and insecure cyphers in TLS driver * Export ciphers - broken by design, 40 and 56 bit encryption. * Low encryption ciphers - 56 and 64 bit encryption. * SSLv2 ciphers - some ciphers using MD5 MAC. + * SSLv3 ciphers . This patch is a backport of changes introduced by the commit d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository to the ejabberd code base as of version 2.1.12. + It was later extended to also disable SSLv3. Author: Janusz Dziemidowicz <[email protected]> Forwarded: not-needed -Last-Update: 2013-09-29 +Last-Update: 2017-03-29 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ ---- a/src/tls/tls_drv.c -+++ b/src/tls/tls_drv.c +Index: ejabberd/src/tls/tls_drv.c +=================================================================== +--- ejabberd.orig/src/tls/tls_drv.c ++++ ejabberd/src/tls/tls_drv.c @@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t; #define SSL_OP_NO_TICKET 0 #endif -+#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2" ++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3" + /* * R15B changed several driver callbacks to use ErlDrvSizeT and * ErlDrvSSizeT typedefs instead of int. -@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle, +@@ -355,6 +357,9 @@ static ErlDrvSSizeT tls_drv_control(ErlD + die_unless(res > 0, "SSL_CTX_check_private_key failed"); SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET); - -+ SSL_CTX_set_cipher_list(ctx, CIPHERS); ++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET); + ++ SSL_CTX_set_cipher_list(ctx, CIPHERS); + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_default_verify_paths(ctx); - #ifdef SSL_MODE_RELEASE_BUFFERS diff --git a/debian/patches/series b/debian/patches/series index 297e201..30f0424 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -12,3 +12,4 @@ fix-odbc-escaping.patch disable-ssl2.patch disable-insecure-ssl-cyphers.patch fix-nicks-in-plaintext-muc-log.patch +CVE-2014-8760.patch
