Bug 547552 (CVE-2015-2080) - <net-im/openfire-3.10.0: two vulnerabilities (CVE-2015-2080)
Summary: <net-im/openfire-3.10.0: two vulnerabilities (CVE-2015-2080)
Status: RESOLVED FIXED
Alias: CVE-2015-2080
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-24 07:31 UTC by Agostino Sarubbo
Modified: 2015-08-04 16:47 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2015-04-24 07:31:04 UTC
From ${URL} :

Affected software: OpenFire XMPP server
Affected versions: 3.9.3 and earlier
Vulnerabilities addressed: CVE-2014-3451, CVE-2015-2080

Openfire is a real-time collaboration (RTC) server licensed under the Open Source Apache License. It uses the widely adopted open protocol for instant messaging, XMPP (also called Jabber).


Vulnerability details

The OpenFire server would incorrectly accept self signed certificates potentially allowing spoofing attacks.

This issue (CVE-2014-3451) is fixed in release 3.10 (OF-405). 

We would like to thank Kim Alvefur for reporting this issue.


Notes on release

The 3.10 release of OpenFire also addresses a reflected XSS issue (OF-845), and upgrades the Jetty library used (addressing CVE-2015-2080).



Release announcement (includes link to download and sha1 checksums)

https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2015-04-24 21:38:31 UTC
Bumped as:

> *openfire-3.10.0 (24 Apr 2015)
>
>  24 Apr 2015; Sergei Trofimovich <slyfox@gentoo.org> +openfire-3.10.0.ebuild:
>  Version bump, bug #547552 by Agostino Sarubbo: CVE-2014-3451, CVE-2015-2080

Survives basic tests in a small network of ~20 users. Should be ready
to stable on:
    amd64 x86
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2015-05-23 00:32:14 UTC
(In reply to Sergei Trofimovich from comment #1)
> Bumped as:
> 
> > *openfire-3.10.0 (24 Apr 2015)
> >
> >  24 Apr 2015; Sergei Trofimovich <slyfox@gentoo.org> +openfire-3.10.0.ebuild:
> >  Version bump, bug #547552 by Agostino Sarubbo: CVE-2014-3451, CVE-2015-2080
> 
> Survives basic tests in a small network of ~20 users. Should be ready
> to stable on:
>     amd64 x86

So I guess it is about time to add arch teams?
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2015-05-30 20:51:17 UTC
Yeah, let's do that.

Arches, please stabilize for:
    amd64, x86
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-05-30 23:56:49 UTC
Arches, please test and mark stable:

=openfire-3.10.0

Target Keywords : "amd64 x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2015-06-01 09:26:33 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-01 09:27:17 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Manuel Rüger (RETIRED) gentoo-dev 2015-06-01 10:51:18 UTC
Vulnerable versions have been removed.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-06-07 13:34:57 UTC
Arches and Maintainer(s), Thank you for your work.

Security Please Vote.
First GLSA Vote: No
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:43:43 UTC
NO too, closing.