Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 488636 (CVE-2013-6169)

Summary: <net-im/ejabberd-2.1.12: TLS driver supports SSLv2 and weak SSL ciphers (CVE-2013-6169)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-im, radhermit
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1020971
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-10-19 18:35:08 UTC 
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6169 to
the following vulnerability:

Name: CVE-2013-6169
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6169
Assigned: 20131017
Reference: https://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_2.1.12/
Reference: DEBIAN:DSA-2775
Reference: http://www.debian.org/security/2013/dsa-2775


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-24 00:06:39 UTC 
GLSA vote: no.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:06:49 UTC 
CVE-2013-6169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6169):
  The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL
  ciphers, which makes it easier for remote attackers to obtain sensitive
  information via a brute-force attack.
Comment 3 Sergey Popov (RETIRED) gentoo-dev 2013-10-28 17:15:36 UTC 
GLSA vote: no

@maintainers: please clean up vulnerable versions, thanks
Comment 4 Sergey Popov (RETIRED) gentoo-dev 2013-12-04 07:38:29 UTC 
+  04 Dec 2013; Sergey Popov <pinkbyte@gentoo.org> -ejabberd-2.1.11.ebuild:
+  Security cleanup, bug #488636