ejabberd has a vulnerability that allows insecure/unencrypted connections even if the server setting is starttls_required.
This is the upstream fix, not in a release yet:
I consider this to be quite severe.
ejabberd before 2.1.13 does not enforce the starttls_required setting when
compression is used, which causes clients to establish connections without
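An added example, not part of this bug thread and not ejabberd's own code: an offline check for the condition the description above refers to. It parses a server's pre-TLS <stream:features/> stanza and flags the case where STARTTLS is advertised as required but stream compression (XEP-0138) is also offered before TLS, which is the feature combination a client must use to end up on an unencrypted, compressed stream. The two features stanzas are constructed here for illustration; the namespaces are the standard XMPP ones, and the "bypass candidate" verdict is an assumption that a server enforcing starttls_required should not offer compression until TLS is up, so a live negotiation is still needed to confirm a given server's behaviour.

```python
"""Audit an XMPP <stream:features/> stanza (received before TLS) for the
starttls_required-vs-compression condition. Offline: no sockets, no server."""
import xml.etree.ElementTree as ET

# Standard XMPP namespaces (RFC 6120 and XEP-0138).
NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_COMPRESS = "http://jabber.org/features/compress"


def audit_features(features_xml: str) -> dict:
    """Return what the server offers before TLS and whether compression is
    available while STARTTLS is still marked <required/>."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    tls_offered = starttls is not None
    tls_required = tls_offered and starttls.find(f"{{{NS_TLS}}}required") is not None

    compression = root.find(f"{{{NS_COMPRESS}}}compression")
    methods = []
    if compression is not None:
        methods = [m.text.strip() for m in compression.findall(f"{{{NS_COMPRESS}}}method")]

    return {
        "tls_offered": tls_offered,
        "tls_required": tls_required,
        "compression_methods": methods,
        # Assumption: a server that enforces starttls_required should not let a
        # client pick a compression method before the TLS handshake has happened.
        "bypass_candidate": tls_required and bool(methods),
    }


def build_compress_request(method: str) -> str:
    """The XEP-0138 stanza a client sends to select a compression method.
    A probe would send this instead of <starttls/> and watch whether the server
    answers <compressed/> (stream continues in the clear) or refuses."""
    return (f"<compress xmlns='{NS_COMPRESS}'><method>{method}</method></compress>")


def build_starttls_request() -> str:
    """The RFC 6120 stanza a compliant client sends to start TLS."""
    return f"<starttls xmlns='{NS_TLS}'/>"


# Constructed sample: TLS required AND zlib compression offered pre-TLS.
FEATURES_PRE_TLS_WITH_COMPRESSION = f"""
<stream:features xmlns:stream='{NS_STREAM}'>
  <starttls xmlns='{NS_TLS}'><required/></starttls>
  <compression xmlns='{NS_COMPRESS}'><method>zlib</method></compression>
</stream:features>
"""

# Constructed sample: TLS required and nothing else offered until TLS is up.
FEATURES_PRE_TLS_HARDENED = f"""
<stream:features xmlns:stream='{NS_STREAM}'>
  <starttls xmlns='{NS_TLS}'><required/></starttls>
</stream:features>
"""

if __name__ == "__main__":
    for label, xml in (("with compression", FEATURES_PRE_TLS_WITH_COMPRESSION),
                       ("hardened", FEATURES_PRE_TLS_HARDENED)):
        print(label, audit_features(xml))
    print(build_compress_request("zlib"))
```

The verdict is only a screening result: a server that advertises both features may still refuse the <compress/> request, so confirming the bug on a live host means sending build_compress_request("zlib") in place of build_starttls_request() and checking whether the server continues the session without TLS.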
I assume the fix is probably in 15.03 now in the tree.
ejabberd-16.04 has been committed to the tree and it is a candidate for stabilization. Maybe it should be stabilized sooner?
ejabberd-16.04 is stabilized. The issue should be fixed.
@ Security: Please vote!
GLSA Vote: No