Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

To: Philipp Huebner <debalance@debian.org>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Wed, 29 Mar 2017 10:57:03 +0200
Message-id: <[🔎] 3b3950d3-0123-e0f6-2938-94ad7752b2c6@debian.org>
In-reply-to: <149077516080.26596.10779403267637927143.reportbug@dex.debalance.de>
References: <149077516080.26596.10779403267637927143.reportbug@dex.debalance.de>

On 29/03/17 10:12, Philipp Huebner wrote:
> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> I'm not sure if another point update for Wheezy is planned or if this is
> a case for the LTS team, but I would like to update ejabberd in Wheezy.

wheezy-proposed-updates is closed, closing this bug (-done Bcc'ed) and adding
debian-lts@ to Cc.

Cheers,
Emilio

> 
> There are 2 minor security patches:
> * disable SSLv3 (Closes: #767521)
> * enforce the starttls_required setting (CVE-2014-8760, closes: #767535)
> 
> Please advise. Complete diff from git repository is attached.
> 
> Best wishes,
> Philipp
>

diff --git a/debian/changelog b/debian/changelog
index 2869431..55ede73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ejabberd (2.1.10-4+deb7u2) oldstable; urgency=high
+
+  * Disable SSLv3 (Closes: #767521)
+  * Add patch to fix CVE-2014-8760 (Closes: #767535)
+
+ -- Philipp Huebner <debalance@debian.org>  Wed, 29 Mar 2017 10:05:39 +0200
+
 ejabberd (2.1.10-4+deb7u1) stable-security; urgency=low
 
   [ Konstantin Khomoutov ]
diff --git a/debian/patches/CVE-2014-8760.patch b/debian/patches/CVE-2014-8760.patch
new file mode 100644
index 0000000..cd8c08b
--- /dev/null
+++ b/debian/patches/CVE-2014-8760.patch
@@ -0,0 +1,27 @@
+Description: Make sure "starttls_required" can't be bypassed.
+ Don't allow clients to circumvent the "starttls_required" option by
+ enabling XMPP stream compression. (CVE-2014-8760)
+Author: Holger Weiss <holger@zedat.fu-berlin.de>
+
+Index: ejabberd/src/ejabberd_c2s.erl
+===================================================================
+--- ejabberd.orig/src/ejabberd_c2s.erl
++++ ejabberd/src/ejabberd_c2s.erl
+@@ -614,7 +614,7 @@ wait_for_feature_request({xmlstreameleme
+     TLSRequired = StateData#state.tls_required,
+     SockMod = (StateData#state.sockmod):get_sockmod(StateData#state.socket),
+     case {xml:get_attr_s("xmlns", Attrs), Name} of
+-	{?NS_SASL, "auth"} when not ((SockMod == gen_tcp) and TLSRequired) ->
++	{?NS_SASL, "auth"} when TLSEnabled or not TLSRequired ->
+ 	    Mech = xml:get_attr_s("mechanism", Attrs),
+ 	    ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
+ 	    case cyrsasl:server_start(StateData#state.sasl_state,
+@@ -720,7 +720,7 @@ wait_for_feature_request({xmlstreameleme
+ 	    end;
+ 	_ ->
+ 	    if
+-		(SockMod == gen_tcp) and TLSRequired ->
++		TLSRequired and not TLSEnabled ->
+ 		    Lang = StateData#state.lang,
+ 		    send_element(StateData, ?POLICY_VIOLATION_ERR(
+ 					       Lang,
diff --git a/debian/patches/disable-insecure-ssl-cyphers.patch b/debian/patches/disable-insecure-ssl-cyphers.patch
index 4ff049f..dc678c5 100644
--- a/debian/patches/disable-insecure-ssl-cyphers.patch
+++ b/debian/patches/disable-insecure-ssl-cyphers.patch
@@ -3,32 +3,37 @@ Description: Disable old and insecure cyphers in TLS driver
  * Export ciphers - broken by design, 40 and 56 bit encryption.
  * Low encryption ciphers - 56 and 64 bit encryption.
  * SSLv2 ciphers - some ciphers using MD5 MAC.
+ * SSLv3 ciphers
  .
  This patch is a backport of changes introduced by the commit
  d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
  to the ejabberd code base as of version 2.1.12.
+ It was later extended to also disable SSLv3.
 Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
 Forwarded: not-needed
-Last-Update: 2013-09-29
+Last-Update: 2017-03-29
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
---- a/src/tls/tls_drv.c
-+++ b/src/tls/tls_drv.c
+Index: ejabberd/src/tls/tls_drv.c
+===================================================================
+--- ejabberd.orig/src/tls/tls_drv.c
++++ ejabberd/src/tls/tls_drv.c
 @@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t;
  #define SSL_OP_NO_TICKET 0
  #endif
  
-+#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"
 +
  /*
   * R15B changed several driver callbacks to use ErlDrvSizeT and
   * ErlDrvSSizeT typedefs instead of int.
-@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+@@ -355,6 +357,9 @@ static ErlDrvSSizeT tls_drv_control(ErlD
+ 	    die_unless(res > 0, "SSL_CTX_check_private_key failed");
  
  	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
- 
-+	    SSL_CTX_set_cipher_list(ctx, CIPHERS);
++	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
 +
++	    SSL_CTX_set_cipher_list(ctx, CIPHERS);
+ 
  	    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
  	    SSL_CTX_set_default_verify_paths(ctx);
- #ifdef SSL_MODE_RELEASE_BUFFERS
diff --git a/debian/patches/series b/debian/patches/series
index 297e201..30f0424 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ fix-odbc-escaping.patch
 disable-ssl2.patch
 disable-insecure-ssl-cyphers.patch
 fix-nicks-in-plaintext-muc-log.patch
+CVE-2014-8760.patch

Reply to:

Follow-Ups:
- Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2
  - From: Guido Günther <agx@sigxcpu.org>

Prev by Date: Re: fixing links for DLAs in the security tracker
Next by Date: Re: fixing links for DLAs in the security tracker
Previous by thread: Re: Bug#761945: fixing links for DLAs in the security tracker
Next by thread: Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2
Index(es):
- Date
- Thread