Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2
Hi Philipp,
On Wed, Mar 29, 2017 at 10:57:03AM +0200, Emilio Pozuelo Monfort wrote:
> On 29/03/17 10:12, Philipp Huebner wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: wheezy
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> >
> > Hi,
> >
> > I'm not sure if another point update for Wheezy is planned or if this is
> > a case for the LTS team, but I would like to update ejabberd in Wheezy.
>
> wheezy-proposed-updates is closed, closing this bug (-done Bcc'ed) and adding
> debian-lts@ to Cc.
>
> Cheers,
> Emilio
>
> >
> > There are 2 minor security patches:
> > * disable SSLv3 (Closes: #767521)
> > * enforce the starttls_required setting (CVE-2014-8760, closes: #767535)
> >
> > Please advise. Complete diff from git repository is attached.
> >
> > Best wishes,
> > Philipp
> >
>
> diff --git a/debian/changelog b/debian/changelog
> index 2869431..55ede73 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +ejabberd (2.1.10-4+deb7u2) oldstable; urgency=high
> +
> + * Disable SSLv3 (Closes: #767521)
> + * Add patch to fix CVE-2014-8760 (Closes: #767535)
> +
> + -- Philipp Huebner <debalance@debian.org> Wed, 29 Mar 2017 10:05:39 +0200
> +
> ejabberd (2.1.10-4+deb7u1) stable-security; urgency=low
>
> [ Konstantin Khomoutov ]
> diff --git a/debian/patches/CVE-2014-8760.patch b/debian/patches/CVE-2014-8760.patch
> new file mode 100644
> index 0000000..cd8c08b
> --- /dev/null
> +++ b/debian/patches/CVE-2014-8760.patch
> @@ -0,0 +1,27 @@
> +Description: Make sure "starttls_required" can't be bypassed.
> + Don't allow clients to circumvent the "starttls_required" option by
> + enabling XMPP stream compression. (CVE-2014-8760)
> +Author: Holger Weiss <holger@zedat.fu-berlin.de>
> +
> +Index: ejabberd/src/ejabberd_c2s.erl
> +===================================================================
> +--- ejabberd.orig/src/ejabberd_c2s.erl
> ++++ ejabberd/src/ejabberd_c2s.erl
> +@@ -614,7 +614,7 @@ wait_for_feature_request({xmlstreameleme
> + TLSRequired = StateData#state.tls_required,
> + SockMod = (StateData#state.sockmod):get_sockmod(StateData#state.socket),
> + case {xml:get_attr_s("xmlns", Attrs), Name} of
> +- {?NS_SASL, "auth"} when not ((SockMod == gen_tcp) and TLSRequired) ->
> ++ {?NS_SASL, "auth"} when TLSEnabled or not TLSRequired ->
> + Mech = xml:get_attr_s("mechanism", Attrs),
> + ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
> + case cyrsasl:server_start(StateData#state.sasl_state,
> +@@ -720,7 +720,7 @@ wait_for_feature_request({xmlstreameleme
> + end;
> + _ ->
> + if
> +- (SockMod == gen_tcp) and TLSRequired ->
> ++ TLSRequired and not TLSEnabled ->
> + Lang = StateData#state.lang,
> + send_element(StateData, ?POLICY_VIOLATION_ERR(
> + Lang,
> diff --git a/debian/patches/disable-insecure-ssl-cyphers.patch b/debian/patches/disable-insecure-ssl-cyphers.patch
> index 4ff049f..dc678c5 100644
> --- a/debian/patches/disable-insecure-ssl-cyphers.patch
> +++ b/debian/patches/disable-insecure-ssl-cyphers.patch
> @@ -3,32 +3,37 @@ Description: Disable old and insecure cyphers in TLS driver
> * Export ciphers - broken by design, 40 and 56 bit encryption.
> * Low encryption ciphers - 56 and 64 bit encryption.
> * SSLv2 ciphers - some ciphers using MD5 MAC.
> + * SSLv3 ciphers
> .
> This patch is a backport of changes introduced by the commit
> d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
> to the ejabberd code base as of version 2.1.12.
> + It was later extended to also disable SSLv3.
> Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
> Forwarded: not-needed
> -Last-Update: 2013-09-29
> +Last-Update: 2017-03-29
> ---
> This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
> ---- a/src/tls/tls_drv.c
> -+++ b/src/tls/tls_drv.c
> +Index: ejabberd/src/tls/tls_drv.c
> +===================================================================
> +--- ejabberd.orig/src/tls/tls_drv.c
> ++++ ejabberd/src/tls/tls_drv.c
> @@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t;
> #define SSL_OP_NO_TICKET 0
> #endif
>
> -+#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
> ++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"
> +
> /*
> * R15B changed several driver callbacks to use ErlDrvSizeT and
> * ErlDrvSSizeT typedefs instead of int.
> -@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
> +@@ -355,6 +357,9 @@ static ErlDrvSSizeT tls_drv_control(ErlD
> + die_unless(res > 0, "SSL_CTX_check_private_key failed");
>
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
> -
> -+ SSL_CTX_set_cipher_list(ctx, CIPHERS);
> ++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
> +
> ++ SSL_CTX_set_cipher_list(ctx, CIPHERS);
> +
> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
> SSL_CTX_set_default_verify_paths(ctx);
> - #ifdef SSL_MODE_RELEASE_BUFFERS
> diff --git a/debian/patches/series b/debian/patches/series
> index 297e201..30f0424 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -12,3 +12,4 @@ fix-odbc-escaping.patch
> disable-ssl2.patch
> disable-insecure-ssl-cyphers.patch
> fix-nicks-in-plaintext-muc-log.patch
> +CVE-2014-8760.patch
The changes look sane to me. Could you upload to wheezy-security? If you
don't want to prepare the DLA yourself I can do that but then it would
be awesome if this cold happen on Friday earliest since I'm currently
bit tight on time.
I can test the package beforehand if you have built binaries for amd64
already.
Cheers
-- Guido
Reply to: