
Bug 266129 (CVE-2009-1595)

Summary: <net-im/openfire-3.7.0: Multiple password related vulnerabilities (CVE-2009-{1595,1596})
Product: Gentoo Security
Reporter: Tobias Klausmann <klausman>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: Dessa, jokey, jr.juiliano, lordvan, net-im
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.igniterealtime.org/issues/browse/JM-1532
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description: Patch against openfire_src/src/java/org/jivesoftware/openfire/handler/IQAuthHandler.java
Flags: none

Description Tobias Klausmann gentoo-dev 2009-04-14 17:15:00 UTC
See $URL. A fix and a fixed build are available there. I don't know if upstream has any plans to release a fix soon, but given the gravity of the bug, I recommend patching over waiting for it.

Note that even with password changing disabled in the server config, *every* password can be changed on a logged-in connection.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-15 09:28:29 UTC
Created attachment 188405
Patch against openfire_src/src/java/org/jivesoftware/openfire/handler/IQAuthHandler.java
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-04 23:06:39 UTC
*** Bug 268560 has been marked as a duplicate of this bug. ***
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-04 23:07:38 UTC
3.6.4 is out, incorporating this fix.
Comment 4 Thomas Raschbacher gentoo-dev 2009-05-06 09:48:27 UTC
I suggest to just add 3.6.4 and mask all other releases? I know keywording normally should be later, but in case of a security problem like this...
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-05-06 12:58:02 UTC
(In reply to comment #4)
> I suggest to just add 3.6.4 and mask all other releases? I know keywording
> normally should be later, but in case of a security problem like this...

Please add the ebuild to the tree. We will handle stabling immediately after that. Masking does not seem appropriate to me as this can be handled by the normal upgrade process.
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-15 09:20:47 UTC
CVE-2009-1595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1595):
  The jabber:iq:auth implementation in IQAuthHandler.java in Ignite
  Realtime Openfire before 3.6.4 allows remote authenticated users to
  change the passwords of arbitrary accounts via a modified username
  element in a passwd_change action.

CVE-2009-1596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1596):
  Ignite Realtime Openfire before 3.6.5 does not properly implement the
  register.password (aka canChangePassword) console configuration
  setting, which allows remote authenticated users to bypass intended
  policy and change their own passwords via a passwd_change IQ packet.
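
The two checks these CVE descriptions say were missing, modelled as an added example (not part of the bug thread and not Openfire's Java code). The function name, the stanzas and the session user are constructed for illustration; `casefold()` stands in for XMPP nodeprep normalization.

```python
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"


def _stanza(username):
    # Constructed sample stanza (not captured traffic).
    return (
        "<iq type='set' id='pw1'><query xmlns='jabber:iq:auth'>"
        f"<username>{username}</username><password>new-secret</password>"
        "</query></iq>"
    )


OWN_CHANGE = _stanza("alice")    # session user changes their own password
FOREIGN_CHANGE = _stanza("bob")  # username element names another account


def check_password_change(stanza_xml, session_user, can_change_password):
    """Decide whether an already-authenticated session may change a password.

    Returns (allowed, reason). Hypothetical helper, not Openfire code.
    """
    iq = ET.fromstring(stanza_xml)
    query = iq.find(f"{{{AUTH_NS}}}query")
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set" or query is None:
        return False, "not a jabber:iq:auth set request"

    # CVE-2009-1596: the server-wide policy must be enforced on this path too.
    if not can_change_password:
        return False, "password changes are disabled by policy"

    username = (query.findtext(f"{{{AUTH_NS}}}username") or "").strip()
    password = query.findtext(f"{{{AUTH_NS}}}password") or ""
    if not username or not password:
        return False, "username and password are required"

    # CVE-2009-1595: the target account is bound to the session identity;
    # a client-supplied username that differs from it is rejected.
    if username.casefold() != session_user.casefold():
        return False, "username does not match the authenticated session"
    return True, "ok"


if __name__ == "__main__":
    for name, stanza in (("own", OWN_CHANGE), ("foreign", FOREIGN_CHANGE)):
        for policy in (True, False):
            print(name, policy, check_password_change(stanza, "alice", policy))
```
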
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-15 09:42:15 UTC
No patch for the new issue yet.
Comment 8 Markus Ullmann (RETIRED) gentoo-dev 2009-05-16 08:16:16 UTC
Added openfire 3.6.4 for now; at least the remote login change is fixed there.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-05-16 10:00:58 UTC
Since CVE-2009-1596 has been sitting without a patch for 4 weeks now, let's stable 3.6.4.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-05-16 10:01:26 UTC
Arches, please test and mark stable:
=net-im/openfire-3.6.4
Target keywords : "amd64 x86"
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-18 15:54:06 UTC
x86 stable
Comment 12 Markus Meier gentoo-dev 2009-05-22 19:51:26 UTC
amd64 stable, all arches done.
Comment 13 Markus Ullmann (RETIRED) gentoo-dev 2011-03-05 10:48:16 UTC
3.7.0, which includes all fixes, has been released and added to the tree now.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-03-05 21:13:19 UTC
(In reply to comment #13)
> 3.7.0, which includes all fixes, has been released and added to the tree now.
> 

Great, thank you.

Arches, please test and mark stable:
=net-im/openfire-3.7.0
Target keywords : "amd64 x86"
Comment 15 Agostino Sarubbo gentoo-dev 2011-03-06 01:04:39 UTC
I'm not sure on Java app(s); anyway, here I found an RWX segment and text relocation. Is this normal for that sw?

TEXTREL opt/openfire/resources/nativeAuth/linux-i386/libshaj.so
TEXTREL opt/openfire/resources/nativeAuth/solaris-sparc/libshaj.so

RWX opt/openfire/resources/nativeAuth/solaris-sparc/libshaj.so
Comment 16 Markos Chandras (RETIRED) gentoo-dev 2011-03-06 12:44:25 UTC
amd64 done. Thanks Agostino
Comment 17 Thomas Kahle (RETIRED) gentoo-dev 2011-03-08 14:52:37 UTC
x86 done. Thanks.
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2011-03-10 13:59:11 UTC
GLSA Vote: no.
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2011-03-14 21:53:54 UTC
Vote: YES.
Comment 20 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 22:21:18 UTC
GLSA vote: YES, request filed.
Comment 21 Thomas Raschbacher gentoo-dev 2011-10-10 19:41:53 UTC
3.7.1 is out, see bug #386687
Comment 22 Thomas Raschbacher gentoo-dev 2013-02-15 06:23:59 UTC
openfire 3.8 is out: Bug #457658
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2014-06-30 18:17:16 UTC
This issue was resolved and addressed in
 GLSA 201406-35 at http://security.gentoo.org/glsa/glsa-201406-35.xml
by GLSA coordinator Mikle Kolyada (Zlogene).