Bug 623806 (CVE-2017-10807)

Summary: <net-im/jabberd2-2.6.1: Allows to authenticate using SASL ANONYMOUS even if disabled / Denial of Service
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: maintainer-needed, polynomial-c
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2017/07/04/6
Whiteboard: B3 [glsa+ cve]
Package list:
net-im/jabberd2-2.6.1
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-04 15:39:47 UTC
From $URL:
Hi

Jabberd, before 2.6.1, allowed anyone to authenticate with SASL
ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled.
The bug allows unauthorized usage of jabberd server installations and
could possibly lead to a DoS.

References:

https://github.com/jabberd2/jabberd2/releases/tag/jabberd-2.6.1

Upstream fix:

https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16

As mentioned in the subject, MITRE has assigned CVE-2017-10807 for
this issue.

Regards,
Salvatore
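To make the bug class concrete, the following is a constructed Python illustration added to this record; it is not jabberd2 code and does not reproduce the upstream fix. It models a server whose advertised SASL mechanism list is derived from configuration, while the vulnerable authentication path grants ANONYMOUS sessions without consulting that configuration; the fixed path uses the same configuration as the gate for the actual decision. The `SaslConfig` field names, the `USERS` table and the request samples are assumptions made for the demo, not c2s.xml keys.

```python
# Constructed illustration of the bug class behind CVE-2017-10807; this is
# not jabberd2 code. A server derives the SASL mechanisms it advertises from
# its configuration, but the vulnerable authentication path grants ANONYMOUS
# sessions without consulting that configuration at all.
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class SaslConfig:
    """Stand-in for the server's SASL settings (assumed names, not c2s.xml keys)."""
    plain: bool = True
    anonymous: bool = False  # the switch the vulnerable path ignores


@dataclass
class AuthResult:
    ok: bool
    user: Optional[str]
    reason: str


# Constructed user database: username -> password (plaintext only for the demo).
USERS = {"alice": "correct horse battery staple"}


def advertised_mechanisms(cfg: SaslConfig) -> list:
    """Mechanisms the server lists in its stream features, filtered by config."""
    mechs = []
    if cfg.plain:
        mechs.append("PLAIN")
    if cfg.anonymous:
        mechs.append("ANONYMOUS")
    return mechs


def _check_plain(credentials: str) -> AuthResult:
    """SASL PLAIN payload is 'authzid\\0authcid\\0password'; authzid may be empty."""
    parts = credentials.split("\0")
    if len(parts) != 3:
        return AuthResult(False, None, "malformed PLAIN credentials")
    _, user, password = parts
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return AuthResult(True, user, "PLAIN accepted")
    return AuthResult(False, None, "bad username or password")


def authenticate_vulnerable(cfg: SaslConfig, mechanism: str, credentials: str = "") -> AuthResult:
    """Vulnerable pattern: assumes clients only request advertised mechanisms,
    so a client that simply asks for ANONYMOUS gets a session even when the
    configuration says anonymous logins are disabled."""
    if mechanism == "ANONYMOUS":
        return AuthResult(True, "anonymous", "ANONYMOUS accepted (config not consulted)")
    if mechanism == "PLAIN" and cfg.plain:
        return _check_plain(credentials)
    return AuthResult(False, None, "unsupported mechanism")


def authenticate_fixed(cfg: SaslConfig, mechanism: str, credentials: str = "") -> AuthResult:
    """Fixed pattern: the same configuration that drives advertisement is the
    gate for the actual authentication decision."""
    if mechanism not in advertised_mechanisms(cfg):
        return AuthResult(False, None, f"mechanism {mechanism} is not enabled")
    if mechanism == "ANONYMOUS":
        return AuthResult(True, "anonymous", "ANONYMOUS accepted (enabled in config)")
    return _check_plain(credentials)


def demo() -> dict:
    """Run both paths against the same constructed requests with anonymous auth disabled."""
    cfg = SaslConfig(plain=True, anonymous=False)
    requests = [
        ("ANONYMOUS", ""),
        ("PLAIN", "\0alice\0correct horse battery staple"),
        ("PLAIN", "\0alice\0wrong"),
    ]
    return {
        "advertised": advertised_mechanisms(cfg),
        "vulnerable": [authenticate_vulnerable(cfg, m, c).ok for m, c in requests],
        "fixed": [authenticate_fixed(cfg, m, c).ok for m, c in requests],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is that filtering the advertised list is not an access control: a client is free to request any mechanism name, so the authentication routine itself has to consult the same configuration. The constructed demo shows the vulnerable path accepting ANONYMOUS while the server advertises only PLAIN, and the fixed path refusing it.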
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-04 15:40:49 UTC
@poly-c: Adding you to CC as you were last one to bump this package, are you interested in taking over maintainership?
Comment 2 Pacho Ramos gentoo-dev 2017-11-27 17:43:41 UTC
stabilizing 2.6.1 should be enough for this
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-29 11:19:25 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-03 13:17:22 UTC
dropping ppc. no need to stabilize package masked for removal. Feel free to re-add if the decision is reverted.
Comment 5 Larry the Git Cow gentoo-dev 2018-03-03 17:16:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6

commit b50a30689fca4c60d2b4e625f341daff116e51b6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-03-03 17:15:10 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-03-03 17:15:10 +0000

    net-im/jabberd2: Removed from repository
    
    Bug: https://bugs.gentoo.org/623806

 net-im/jabberd2/Manifest                           |   2 -
 net-im/jabberd2/files/jabberd2-2.3.1.pamd          |   6 -
 net-im/jabberd2/files/jabberd2-2.3.2.init          |  96 -----------
 net-im/jabberd2/files/jabberd2-2.3.2.logrotate     |   8 -
 net-im/jabberd2/files/jabberd2-2.5.0.init          |  90 ----------
 net-im/jabberd2/jabberd2-2.3.3-r2.ebuild           | 159 -----------------
 net-im/jabberd2/jabberd2-2.6.1.ebuild              | 190 ---------------------
 net-im/jabberd2/metadata.xml                       |  15 --
 profiles/arch/sparc/package.use.mask               |   4 -
 profiles/package.mask                              |   6 -
 x11-misc/screen-message/screen-message-0.24.ebuild |   5 +-
 x11-misc/screen-message/screen-message-0.25.ebuild |   5 +-
 12 files changed, 4 insertions(+), 582 deletions(-)
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-03 17:22:30 UTC
Package was removed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6.

Added to an existing GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 01:06:48 UTC
This issue was resolved and addressed in
 GLSA 201803-07 at https://security.gentoo.org/glsa/201803-07
by GLSA coordinator Christopher Diaz Riveros (chrisadr).