
Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2



Hi Philipp,
On Wed, Mar 29, 2017 at 10:57:03AM +0200, Emilio Pozuelo Monfort wrote:
> On 29/03/17 10:12, Philipp Huebner wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: wheezy
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> > 
> > Hi,
> > 
> > I'm not sure if another point update for Wheezy is planned or if this is
> > a case for the LTS team, but I would like to update ejabberd in Wheezy.
> 
> wheezy-proposed-updates is closed, closing this bug (-done Bcc'ed) and adding
> debian-lts@ to Cc.
> 
> Cheers,
> Emilio
> 
> > 
> > There are 2 minor security patches:
> > * disable SSLv3 (Closes: #767521)
> > * enforce the starttls_required setting (CVE-2014-8760, closes: #767535)
> > 
> > Please advise. Complete diff from git repository is attached.
> > 
> > Best wishes,
> > Philipp
> > 
> 

> diff --git a/debian/changelog b/debian/changelog
> index 2869431..55ede73 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +ejabberd (2.1.10-4+deb7u2) oldstable; urgency=high
> +
> +  * Disable SSLv3 (Closes: #767521)
> +  * Add patch to fix CVE-2014-8760 (Closes: #767535)
> +
> + -- Philipp Huebner <debalance@debian.org>  Wed, 29 Mar 2017 10:05:39 +0200
> +
>  ejabberd (2.1.10-4+deb7u1) stable-security; urgency=low
>  
>    [ Konstantin Khomoutov ]
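Review bot: the distribution field on the new changelog entry reads `oldstable`, while the reply asks for an upload to wheezy-security; a security upload must name the target suite as its distribution (the previous entry used `stable-security` for the same reason), so this should read `wheezy-security` before upload.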
> diff --git a/debian/patches/CVE-2014-8760.patch b/debian/patches/CVE-2014-8760.patch
> new file mode 100644
> index 0000000..cd8c08b
> --- /dev/null
> +++ b/debian/patches/CVE-2014-8760.patch
> @@ -0,0 +1,27 @@
> +Description: Make sure "starttls_required" can't be bypassed.
> + Don't allow clients to circumvent the "starttls_required" option by
> + enabling XMPP stream compression. (CVE-2014-8760)
> +Author: Holger Weiss <holger@zedat.fu-berlin.de>
> +
> +Index: ejabberd/src/ejabberd_c2s.erl
> +===================================================================
> +--- ejabberd.orig/src/ejabberd_c2s.erl
> ++++ ejabberd/src/ejabberd_c2s.erl
> +@@ -614,7 +614,7 @@ wait_for_feature_request({xmlstreameleme
> +     TLSRequired = StateData#state.tls_required,
> +     SockMod = (StateData#state.sockmod):get_sockmod(StateData#state.socket),
> +     case {xml:get_attr_s("xmlns", Attrs), Name} of
> +-	{?NS_SASL, "auth"} when not ((SockMod == gen_tcp) and TLSRequired) ->
> ++	{?NS_SASL, "auth"} when TLSEnabled or not TLSRequired ->
> + 	    Mech = xml:get_attr_s("mechanism", Attrs),
> + 	    ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
> + 	    case cyrsasl:server_start(StateData#state.sasl_state,
> +@@ -720,7 +720,7 @@ wait_for_feature_request({xmlstreameleme
> + 	    end;
> + 	_ ->
> + 	    if
> +-		(SockMod == gen_tcp) and TLSRequired ->
> ++		TLSRequired and not TLSEnabled ->
> + 		    Lang = StateData#state.lang,
> + 		    send_element(StateData, ?POLICY_VIOLATION_ERR(
> + 					       Lang,
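Review bot: both new guards inside this patch (`TLSEnabled or not TLSRequired` and `TLSRequired and not TLSEnabled`) depend on `TLSEnabled`, which the visible context never binds (only `TLSRequired` and `SockMod` are shown); confirm that `wait_for_feature_request` in the 2.1.10 source binds `TLSEnabled` from the state record above line 614, and that `SockMod` is still used elsewhere in the function now that both `SockMod == gen_tcp` tests are gone, otherwise the compiler will warn about an unused variable. A DEP-3 `Origin:` line for the upstream commit and a `Bug-Debian: https://bugs.debian.org/767535` line would also be good, since the other patch in this series carries DEP-3 headers.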
> diff --git a/debian/patches/disable-insecure-ssl-cyphers.patch b/debian/patches/disable-insecure-ssl-cyphers.patch
> index 4ff049f..dc678c5 100644
> --- a/debian/patches/disable-insecure-ssl-cyphers.patch
> +++ b/debian/patches/disable-insecure-ssl-cyphers.patch
> @@ -3,32 +3,37 @@ Description: Disable old and insecure cyphers in TLS driver
>   * Export ciphers - broken by design, 40 and 56 bit encryption.
>   * Low encryption ciphers - 56 and 64 bit encryption.
>   * SSLv2 ciphers - some ciphers using MD5 MAC.
> + * SSLv3 ciphers
>   .
>   This patch is a backport of changes introduced by the commit
>   d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
>   to the ejabberd code base as of version 2.1.12.
> + It was later extended to also disable SSLv3.
>  Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
>  Forwarded: not-needed
> -Last-Update: 2013-09-29
> +Last-Update: 2017-03-29
>  ---
>  This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
> ---- a/src/tls/tls_drv.c
> -+++ b/src/tls/tls_drv.c
> +Index: ejabberd/src/tls/tls_drv.c
> +===================================================================
> +--- ejabberd.orig/src/tls/tls_drv.c
> ++++ ejabberd/src/tls/tls_drv.c
>  @@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t;
>   #define SSL_OP_NO_TICKET 0
>   #endif
>   
> -+#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
> ++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"
>  +
>   /*
>    * R15B changed several driver callbacks to use ErlDrvSizeT and
>    * ErlDrvSSizeT typedefs instead of int.
> -@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
> +@@ -355,6 +357,9 @@ static ErlDrvSSizeT tls_drv_control(ErlD
> + 	    die_unless(res > 0, "SSL_CTX_check_private_key failed");
>   
>   	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
> - 
> -+	    SSL_CTX_set_cipher_list(ctx, CIPHERS);
> ++	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
>  +
> ++	    SSL_CTX_set_cipher_list(ctx, CIPHERS);
> + 
>   	    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
>   	    SSL_CTX_set_default_verify_paths(ctx);
> - #ifdef SSL_MODE_RELEASE_BUFFERS
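Review bot: `!SSLv3` in the CIPHERS string does not disable the SSLv3 protocol; in an OpenSSL cipher list `SSLv3` selects the cipher suites first defined for SSLv3, which are the same suites TLS 1.0 and 1.1 use, so `DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3` leaves only TLSv1.2 suites and will lock out clients that cannot negotiate TLS 1.2 (compare `openssl ciphers -v 'DEFAULT:!EXPORT:!LOW:!SSLv2'` with the same list plus `:!SSLv3`). The protocol is already switched off by the added `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);` call, so drop `!SSLv3` from CIPHERS; and since `SSL_CTX_set_options` ORs its argument into the existing options, the two calls are clearer merged into one `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);`.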
> diff --git a/debian/patches/series b/debian/patches/series
> index 297e201..30f0424 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -12,3 +12,4 @@ fix-odbc-escaping.patch
>  disable-ssl2.patch
>  disable-insecure-ssl-cyphers.patch
>  fix-nicks-in-plaintext-muc-log.patch
> +CVE-2014-8760.patch

The changes look sane to me. Could you upload to wheezy-security? If you
don't want to prepare the DLA yourself I can do that, but then it would
be awesome if this could happen on Friday earliest since I'm currently a
bit tight on time.

I can test the package beforehand if you have built binaries for amd64
already.
Cheers
 -- Guido
