Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 771144 - <net-im/prosody-0.11.8 disable ‘tls-unique’ channel binding with TLS 1.3
Summary: <net-im/prosody-0.11.8 disable ‘tls-unique’ channel binding with TLS 1.3
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://blog.prosody.im/prosody-0.11....
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-17 20:20 UTC by Conrad Kostecki
Modified: 2021-05-26 08:55 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: No


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Conrad Kostecki gentoo-dev 2021-02-17 20:20:00 UTC
This release also fixes a security issue, where channel binding, which connects the authentication layer (i.e. SASL) with the security layer (i.e. TLS) to detect man-in-the-middle attacks, could be used on connections encrypted with TLS 1.3, despite the holy texts declaring this undefined.

mod_saslauth: Disable ‘tls-unique’ channel binding with TLS 1.3 (#1542)
Comment 1 Agostino Sarubbo gentoo-dev 2021-02-25 13:55:14 UTC
x86 stable
Comment 2 Agostino Sarubbo gentoo-dev 2021-03-01 09:20:37 UTC
amd64 stable
Comment 3 Sam James archtester gentoo-dev Security 2021-03-01 19:16:31 UTC
arm done
Comment 4 Sam James archtester gentoo-dev Security 2021-03-01 19:16:49 UTC
arm64 done

all arches done
Comment 5 Sam James archtester gentoo-dev Security 2021-03-01 19:22:44 UTC
Please cleanup, thanks!
Comment 6 Larry the Git Cow gentoo-dev 2021-03-01 19:43:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe2a2471c237640b00095779a694b21b0d336027

commit fe2a2471c237640b00095779a694b21b0d336027
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-03-01 19:43:12 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-03-01 19:43:12 +0000

    net-im/prosody: drop old version
    
    Bug: https://bugs.gentoo.org/771144
    Package-Manager: Portage-3.0.16, Repoman-3.0.2
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-im/prosody/Manifest                         |   1 -
 net-im/prosody/files/prosody-0.11.7-bit32.patch |  20 -----
 net-im/prosody/prosody-0.11.7-r101.ebuild       | 106 ------------------------
 3 files changed, 127 deletions(-)
Comment 7 Thomas Deutschmann gentoo-dev Security 2021-05-24 16:07:39 UTC
Added to an existing GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:55:39 UTC
This issue was resolved and addressed in
 GLSA 202105-15 at https://security.gentoo.org/glsa/202105-15
by GLSA coordinator Thomas Deutschmann (whissi).