Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 525478 (CVE-2014-8760) - <net-im/ejabberd-16.04: compression can circumvent starttls_required and allow insecure connections
Summary: <net-im/ejabberd-16.04: compression can circumvent starttls_required and allo...
Status: RESOLVED FIXED
Alias: CVE-2014-8760
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://mail.jabber.org/pipermail/oper...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on: 576398
Blocks:
  Show dependency tree
 
Reported: 2014-10-15 08:37 UTC by Hanno Böck
Modified: 2016-11-18 21:02 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2014-10-15 08:37:27 UTC 
ejabberd has a vulnerability that allows insecure/unencrypted connections even if the server setting is starttls_required.
http://mail.jabber.org/pipermail/operators/2014-October/002438.html

This is the upstream fix, not in a release yet:
https://github.com/processone/ejabberd/commit/7bdc1151b

I consider this to be quite severe.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 21:35:56 UTC 
CVE-2014-8760 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8760):
  ejabberd before 2.1.13 does not enforce the starttls_required setting when
  compression is used, which causes clients to establish connections without
  encryption.
Comment 2 Tim Harder gentoo-dev 2015-04-12 05:39:02 UTC 
I assume the fix is probably in 15.03 now in the tree.
Comment 3 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-06-07 22:51:55 UTC 
ejabberd-16.04 has been committed to the tree and it is a candidate for stabilization. Maybe it should be stabilized sooner?
Comment 4 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-08-21 10:57:23 UTC 
ejabber-16.04 is stabilized. The issue should be fixed.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 20:42:47 UTC 
@ Security: Please vote!
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-18 21:01:34 UTC 
GLSA Vote: No