Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 623806 (CVE-2017-10807) - <net-im/jabberd2-2.6.1: Allows to authenticate using SASL ANONYMOUS even if disabled / Denial of Service
Summary: <net-im/jabberd2-2.6.1: Allows to authenticate using SASL ANONYMOUS even if d...
Status: RESOLVED FIXED
Alias: CVE-2017-10807
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-04 15:39 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2018-03-19 01:06 UTC (History)
2 users (show)

See Also:
Package list:
net-im/jabberd2-2.6.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-04 15:39:47 UTC
From $URL:
Hi

The Jabberd, before 2.6.1 allowed anyone to authenticate SASL
ANONYMOUS, even when sasl.anonymous c2s.xml option is not enabled.
The bug allows nauthorized usage of jabberd server installations and
could possibly lead to a DoS.

References:

https://github.com/jabberd2/jabberd2/releases/tag/jabberd-2.6.1

Upstream fix:

https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16

As mentioned in the subject, MITRE has assigned CVE-2017-10807 for
this issue.

Regards,
Salvatore
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-04 15:40:49 UTC
@poly-c: Adding you to CC as you were last one to bump this package, are you interested in taking over maintainership?
Comment 2 Pacho Ramos gentoo-dev 2017-11-27 17:43:41 UTC
stabilizing 2.6.1 should be enough for this
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-29 11:19:25 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-03 13:17:22 UTC
dropping ppc. no need to stabilize package masked for removal. Feel free to readd is decision is reverted.
Comment 5 Larry the Git Cow gentoo-dev 2018-03-03 17:16:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6

commit b50a30689fca4c60d2b4e625f341daff116e51b6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-03-03 17:15:10 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-03-03 17:15:10 +0000

    net-im/jabberd2: Removed from repository
    
    Bug: https://bugs.gentoo.org/623806

 net-im/jabberd2/Manifest                           |   2 -
 net-im/jabberd2/files/jabberd2-2.3.1.pamd          |   6 -
 net-im/jabberd2/files/jabberd2-2.3.2.init          |  96 -----------
 net-im/jabberd2/files/jabberd2-2.3.2.logrotate     |   8 -
 net-im/jabberd2/files/jabberd2-2.5.0.init          |  90 ----------
 net-im/jabberd2/jabberd2-2.3.3-r2.ebuild           | 159 -----------------
 net-im/jabberd2/jabberd2-2.6.1.ebuild              | 190 ---------------------
 net-im/jabberd2/metadata.xml                       |  15 --
 profiles/arch/sparc/package.use.mask               |   4 -
 profiles/package.mask                              |   6 -
 x11-misc/screen-message/screen-message-0.24.ebuild |   5 +-
 x11-misc/screen-message/screen-message-0.25.ebuild |   5 +-
 12 files changed, 4 insertions(+), 582 deletions(-)}
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-03 17:22:30 UTC
Package was removed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6.

Added to an existing GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 01:06:48 UTC
This issue was resolved and addressed in
 GLSA 201803-07 at https://security.gentoo.org/glsa/201803-07
by GLSA coordinator Christopher Diaz Riveros (chrisadr).