ejabberd has a vulnerability that allows insecure/unencrypted connections even if the server setting is starttls_required. http://mail.jabber.org/pipermail/operators/2014-October/002438.html This is the upstream fix, not in a release yet: https://github.com/processone/ejabberd/commit/7bdc1151b I consider this to be quite severe.
CVE-2014-8760 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8760): ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.
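For anyone auditing their own server against this CVE, the observable symptom is that a server configured with starttls_required still lets a client negotiate stream compression (and then proceed) before TLS is up. The snippet below is an added illustration, not code from this thread or from the ejabberd project: it inspects a server's pre-TLS `<stream:features/>` element and flags the combination of a required STARTTLS feature with compression offered in the same feature set. The two feature documents are constructed samples; the namespaces are the standard XMPP ones (RFC 6120 STARTTLS and XEP-0138 compression).

```python
import xml.etree.ElementTree as ET

# Standard XMPP namespaces (not specific to this example).
NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_COMPRESS = "http://jabber.org/features/compress"


def audit_pre_tls_features(features_xml: str) -> dict:
    """Audit the first <stream:features/> a server sends (before TLS).

    Returns a dict describing what was offered and a list of findings.
    A server that requires STARTTLS should offer nothing a client could
    negotiate instead of TLS; compression in the pre-TLS features is the
    pattern that CVE-2014-8760 abused, so it is reported for follow-up.
    """
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError(f"expected stream:features, got {root.tag}")

    starttls = root.find(f"{{{NS_TLS}}}starttls")
    tls_offered = starttls is not None
    tls_required = tls_offered and starttls.find(f"{{{NS_TLS}}}required") is not None

    compression = root.find(f"{{{NS_COMPRESS}}}compression")
    compression_offered = compression is not None
    methods = (
        [m.text for m in compression.findall(f"{{{NS_COMPRESS}}}method")]
        if compression_offered else []
    )

    findings = []
    if not tls_offered:
        findings.append("server does not offer STARTTLS at all")
    elif not tls_required:
        findings.append("STARTTLS offered but not marked <required/>")
    if tls_required and compression_offered:
        findings.append(
            "STARTTLS is required but stream compression "
            f"({', '.join(methods)}) is offered before TLS; verify the "
            "server refuses <compress/> until TLS has been negotiated"
        )

    return {
        "tls_offered": tls_offered,
        "tls_required": tls_required,
        "compression_offered_pre_tls": compression_offered,
        "compression_methods": methods,
        "findings": findings,
    }


# Constructed sample: TLS required, but compression also advertised pre-TLS.
FEATURES_TLS_AND_COMPRESSION = """
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
  <compression xmlns="http://jabber.org/features/compress">
    <method>zlib</method>
  </compression>
</stream:features>
"""

# Constructed sample: only STARTTLS (required) is offered before TLS.
FEATURES_TLS_ONLY = """
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>
"""

if __name__ == "__main__":
    for name, doc in [("tls+compression", FEATURES_TLS_AND_COMPRESSION),
                      ("tls only", FEATURES_TLS_ONLY)]:
        result = audit_pre_tls_features(doc)
        print(name, "->", result["findings"] or "no findings")
```

In practice you would feed this the features stanza captured from a real pre-TLS stream open (for example from a packet capture on port 5222); a clean result here is a necessary but not sufficient check, since the bug was in what the server accepted, not only in what it advertised.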
I assume the fix is probably in 15.03 now in the tree.
ejabberd-16.04 has been committed to the tree and it is a candidate for stabilization. Maybe it should be stabilized sooner?
ejabberd-16.04 is stabilized. The issue should be fixed.
@ Security: Please vote!
GLSA Vote: No