| Summary: | net-im/ejabberd-16.04: compression can circumvent starttls_required and allow insecure connections | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | aidecoe, hanno, net-im |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://mail.jabber.org/pipermail/operators/2014-October/002438.html | | |
| Whiteboard: | B4 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 576398 | | |
| Bug Blocks: | | | |
Description
Hanno Böck
2014-10-15 08:37:27 UTC
CVE-2014-8760 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8760): ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.

I assume the fix is probably in 15.03 now in the tree.

ejabberd-16.04 has been committed to the tree and it is a candidate for stabilization. Maybe it should be stabilized sooner?

ejabberd-16.04 is stabilized. The issue should be fixed. @ Security: Please vote!

GLSA Vote: No