| Summary: | <net-im/openfire-3.10.0: two vulnerabilities (CVE-2015-2080) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | net-im, slyfox |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2015/04/23/16 | ||
| Whiteboard: | B3 [noglsa/cve] | ||
| Package list: | Runtime testing required: | --- | |
Bumped as: > *openfire-3.10.0 (24 Apr 2015) > > 24 Apr 2015; Sergei Trofimovich <slyfox@gentoo.org> +openfire-3.10.0.ebuild: > Version bump, bug #547552 by Agostino Sarubbo: CVE-2014-3451, CVE-2015-2080 Survives basic tests in a small network of ~20 users. Should be ready to stable on: amd64 x86 (In reply to Sergei Trofimovich from comment #1) > Bumped as: > > > *openfire-3.10.0 (24 Apr 2015) > > > > 24 Apr 2015; Sergei Trofimovich <slyfox@gentoo.org> +openfire-3.10.0.ebuild: > > Version bump, bug #547552 by Agostino Sarubbo: CVE-2014-3451, CVE-2015-2080 > > Survives basic tests in a small network of ~20 users. Should be ready > to stable on: > amd64 x86 So I guess it is about time to add arch teams? Yeah, let's do that.
Arches, please stabilize for:
amd64, x86
Arches, please test and mark stable: =openfire-3.10.0 Target Keywords : "amd64 x86" Thank you! amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. Vulnerable versions have been removed. Arches and Maintainer(s), Thank you for your work. Security Please Vote. First GLSA Vote: No NO too, closing. |
From ${URL} : Affected software: OpenFire XMPP server Affected versions: 3.9.3 and earlier Vulnerabilities addressed: CVE-2014-3451, CVE-2015-2080 Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the widely adopted open protocol for instant messaging, XMPP (also called Jabber). Vulnerability details The OpenFire server would incorrectly accept self signed certificates potentially allowing spoofing attacks. This issue (CVE-2014-3451) is fixed in release 3.10 (OF-405). We would like to thank Kim Alvefur for reporting this issue. Notes on release The 3.10 release of OpenFire also addresses a reflected XSS issue (OF-845), and upgrades the Jetty library used (addressing CVE-2015-2080). Release announcement (includes link to download and sha1 checksums) https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released <https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released> @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.