See $URL. A fix and a fixed build are available there. I don't know if upstream has any plans to release a fix soon, but given the gravity of the bug, I recommend patching over waiting for it. Note that even with password changing disabled in the server config, *every* password can be changed on a logged-in connection.
Created attachment 188405: Patch against openfire_src/src/java/org/jivesoftware/openfire/handler/IQAuthHandler.java
*** Bug 268560 has been marked as a duplicate of this bug. ***
3.6.4 is out, incorporating this fix.
I suggest to just add 3.6.4 and mask all other releases? I know keywording normally should be later, but in case of a security problem like this...
(In reply to comment #4)
> I suggest to just add 3.6.4 and mask all other releases? I know keywording
> normally should be later, but in case of a security problem like this...
Please add the ebuild to the tree. We will handle stabling immediately after that. Masking does not seem appropriate to me as this can be handled by the normal upgrade process.
CVE-2009-1595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1595): The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action.
CVE-2009-1596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1596): Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.
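The two checks these CVE descriptions say were missing, as an added example that is not part of this bug thread and is not Openfire's code or the attached patch. The function name, the reason strings and the sample stanzas are assumptions made for illustration; the stanza shape follows XEP-0078 (jabber:iq:auth), and the username comparison is simplified to a case-insensitive match.

```python
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"

def local(tag):
    """Strip an XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def authorize_password_change(stanza_xml, session_user, can_change_password):
    """Decide an IQ 'set' received on an already authenticated session.

    Returns (True, account_to_update) or (False, reason).
    """
    iq = ET.fromstring(stanza_xml)
    if local(iq.tag) != "iq" or iq.get("type") != "set":
        return False, "not-an-iq-set"
    query = iq.find(f"{{{AUTH_NS}}}query")
    if query is None:
        return False, "not-jabber-iq-auth"
    # CVE-2009-1596: the server-side policy flag has to be consulted.
    if not can_change_password:
        return False, "password-change-disabled"
    if not query.findtext(f"{{{AUTH_NS}}}password"):
        return False, "missing-password"
    # CVE-2009-1595: <username/> is client-supplied. If present it must name
    # the session's own account (simplified comparison: case-insensitive).
    requested = query.findtext(f"{{{AUTH_NS}}}username")
    if requested is not None and requested.strip().lower() != session_user.lower():
        return False, "username-mismatch"
    # The account to update always comes from the session, never the stanza.
    return True, session_user

def sample_stanza(username):
    """Constructed XEP-0078-style stanza; username=None omits the element."""
    user = f"<username>{username}</username>" if username is not None else ""
    return (f"<iq type='set' id='pw1'><query xmlns='{AUTH_NS}'>"
            f"{user}<password>constructed-secret</password></query></iq>")

if __name__ == "__main__":
    for name in ("alice", "bob", None):
        print(name, authorize_password_change(sample_stanza(name), "alice", True))
    print(authorize_password_change(sample_stanza("alice"), "alice", False))
```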
No patch for the new issue yet.
Added openfire 3.6.4 for now; at least the remote login change is fixed there.
Since CVE-2009-1596 has been sitting without a patch for 4 weeks now, let's stable 3.6.4.
Arches, please test and mark stable:
=net-im/openfire-3.6.4
Target keywords : "amd64 x86"
x86 stable
amd64 stable, all arches done.
3.7.0, which includes all fixes, has been released and added to the tree now.
(In reply to comment #13)
> 3.7.0, which includes all fixes, has been released and added to the tree now.
Great, thank you. Arches, please test and mark stable:
=net-im/openfire-3.7.0
Target keywords : "amd64 x86"
I'm not sure about Java app(s); anyway, here I found an RWX segment and text relocations. Is that normal for that software?
TEXTREL opt/openfire/resources/nativeAuth/linux-i386/libshaj.so
TEXTREL opt/openfire/resources/nativeAuth/solaris-sparc/libshaj.so
RWX opt/openfire/resources/nativeAuth/solaris-sparc/libshaj.so
amd64 done. Thanks Agostino
x86 done. Thanks.
GLSA Vote: no.
Vote: YES.
GLSA vote: YES, request filed.
3.7.1 is out, see bug #386687
openfire 3.8 is out: Bug #457658
This issue was resolved and addressed in GLSA 201406-35 at http://security.gentoo.org/glsa/glsa-201406-35.xml by GLSA coordinator Mikle Kolyada (Zlogene).