Bug#725790: pu: ejabberd/2.1.10-4+deb7u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Tags: wheezy
Usertags: pu

Please let ejabberd/2.1.10-4+deb7u1 enter Wheezy.
The proposed version is built upon 2.1.10-5 [1] which was
prepared for the first Wheezy point release but missed it by a narrow
margin.

Additionally two more bugs were fixed:
* Disabled SSLv2 and weak cyphers in TLS driver [2].
* Fixed rendering of angle brackets in logs produced for
  multi-user chat (MUC) rooms when a plain-text format is enabled for
  them (resulting in nicknames disappearing from these logs and similar
  issues) [3].

I have verified both of these bugfixes work as intended.

Please see the attached debdiff.  It's a bit large but please notice
that half of it is the unborn 2.1.10-5.

1. http://bugs.debian.org/706209
2. http://bugs.debian.org/724992
3. http://bugs.debian.org/724994
diff -u ejabberd-2.1.10/debian/NEWS ejabberd-2.1.10/debian/NEWS
--- ejabberd-2.1.10/debian/NEWS
+++ ejabberd-2.1.10/debian/NEWS
@@ -1,3 +1,16 @@
+ejabberd (2.1.10-4+deb7u1) unstable; urgency=low
+
+  This release adds support for the SCRAM-SHA-1 authentication mecnahism.
+  If the fully-qualified hostname of the server differs from the name
+  of the XMPP domain it serves, in order for this mechanism to work
+  with compliant clients, a modification should be made to the ejabberd's
+  configuration file.
+
+  Please consult the section "Using SCRAM-SHA-1 authentication mechanism"
+  in the README.Debian file for detailed information.
+
+ -- Konstantin Khomoutov <flatworm@users.sourceforge.net>  Thu, 16 May 2013 13:27:56 +0000
+
 ejabberd (2.1.8-1) unstable; urgency=low
 
   This release drops support for the @recent@ shared roster group
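Review bot: the new NEWS stanza on the first line of this hunk targets `unstable`, but this version is a wheezy proposed update, so the distribution should read `wheezy`. The first paragraph misspells "mechanism" as "mecnahism", and the stanza is dated 16 May 2013 while the changelog stanza for the same version is dated 29 Sep 2013; consider refreshing the date so the two agree.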
diff -u ejabberd-2.1.10/debian/changelog ejabberd-2.1.10/debian/changelog
--- ejabberd-2.1.10/debian/changelog
+++ ejabberd-2.1.10/debian/changelog
@@ -1,3 +1,22 @@
+ejabberd (2.1.10-4+deb7u1) unstable; urgency=low
+
+  [ Konstantin Khomoutov ]
+  * Add patch fixing parsing of optional parameters in SCRAM SHA-1 headers
+    (closes: #705613, thanks to Stephen Röttger for both writing the
+    original patch and backporting it to 2.1.10).
+  * Explain the "fqdn" configuration file option which has to be used
+    in certain setups for the SCRAM-SHA-1 to work with complying clients.
+    Mention this fact in the NEWS file. (Closes: #706590)
+  * Add upstream patch fixing incorrect escaping of a single quote character
+    in SQL queries generated by the ODBC storage backend (closes: #708151,
+    thanks to Vladislav Chugunov).
+  * Add upstream patches disabling SSLv2 and weak cyphers in TLS driver
+    (closes: #724992).
+  * Add patch (extracted from upstream) which fixes rendering of angle
+    brackets in plain-text MUC logs (closes: #724994).
+
+ -- Konstantin Khomoutov <flatworm@users.sourceforge.net>  Sun, 29 Sep 2013 21:48:11 +0400
+
 ejabberd (2.1.10-4) unstable; urgency=low
 
   [ Konstantin Khomoutov ]
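Review bot: the stanza's distribution is `unstable` (first line of the hunk) although the upload is meant for wheezy-proposed-updates; the release team expects the target suite, `wheezy`, here. Minor style points: "closes:" and "(Closes: #706590)" are capitalised inconsistently, and the SSLv2 entry could say that SSLv2 is now also refused in accept (server) mode, since that is the behavioural change the disable-ssl2 patch introduces.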
diff -u ejabberd-2.1.10/debian/README.Debian ejabberd-2.1.10/debian/README.Debian
--- ejabberd-2.1.10/debian/README.Debian
+++ ejabberd-2.1.10/debian/README.Debian
@@ -14,6 +14,7 @@
 6. Upgrading from 2.0.x series
 6.1 Changes in ejabberdctl program
 6.2 Changes in logging
+7. Using SCRAM-SHA-1 authentication mechanism
 
 
 1. Running
@@ -361,6 +362,47 @@
 to "--erlang-log" to match the change above.
 
 
+7. Using SCRAM-SHA-1 authentication mechanism
+=============================================
+
+Since version 2.1.9 ejabberd supports the SCRAM-SHA-1 authentication
+mechanism (which, among other things, allows to not store passwords of
+XMPP accounts in clear text if the internal database backend is used
+for storage).  This authentication process implemented by this
+mechanism includes the client sending a so-called "digest URI" which
+includes the server's identity as perceived by the connecting client.
+The SCRAM-SHA-1 RFC document requires this identity to be the
+fully-qualified host name of the server.  This hostname is typically
+obtained by the client by looking up a server-specific DNS record of
+type SRV for the XMPP domain the client wants to register in.
+
+Unfortunately, the current implementation of SCRAM-SHA-1 in ejabberd
+is not able to perform the same kind of DNS query as used by the
+clients to know its "canonical" fully-qualified host name.
+Consequently, if the actual hostname of the server differs from the
+name of the XMPP domain it serves, a special option should be included
+in the configuration file to let the server know its hostname as seen
+by its clients.  This configuration option is called "fqdn" and it
+expects a single argument -- the fully-qualified hostname of the
+server, as recorded in the appropriate DNS SRV record for the server.
+An example of its usage:
+
+{fqdn, "foo.example.com"}.
+
+It worth repeating that if the server's hostname is not different from
+the name of XMPP domain it servers (for instance, the XMPP domain is
+"example.com" and the server's hostname is also "example.com") the
+usage of this configuration option is not necessary as ejabberd will
+just use the domain name in the indicated case.
+
+It should be noted that while certain clients faithfully implement the
+SCRAM-SHA-1 specification, some other clients diverge and use the XMPP
+domain instead of the fully-qualified hostname of the server in the
+digest URI strings they send.  Ejabberd implements relaxed rules for
+interpreting digest URIs to be interoperable with broken client
+implementations.
+
+
 Authors
 =======
 
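Review bot: the mechanism described in the new section 7 does not match its title: a "digest URI" that carries the server's host name is a DIGEST-MD5 (RFC 2831) concept, and RFC 5802 defines no such attribute for SCRAM-SHA-1, so please verify which mechanism the `fqdn` option actually governs and name it accordingly, or reword the paragraph so readers are not sent looking for a digest URI in the SCRAM RFC. Wording fixes in the same hunk: "This authentication process implemented by this mechanism" should be "The authentication process implemented by this mechanism", "allows to not store" should be "makes it possible not to store", "It worth repeating" should be "It is worth repeating", and "the name of XMPP domain it servers" should be "the name of the XMPP domain it serves".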
diff -u ejabberd-2.1.10/debian/patches/series ejabberd-2.1.10/debian/patches/series
--- ejabberd-2.1.10/debian/patches/series
+++ ejabberd-2.1.10/debian/patches/series
@@ -9,0 +10,5 @@
+scram-optional-parameter-parsing-bugfix.patch
+fix-odbc-escaping.patch
+disable-ssl2.patch
+disable-insecure-ssl-cyphers.patch
+fix-nicks-in-plaintext-muc-log.patch
only in patch2:
unchanged:
--- ejabberd-2.1.10.orig/debian/patches/disable-ssl2.patch
+++ ejabberd-2.1.10/debian/patches/disable-ssl2.patch
@@ -0,0 +1,36 @@
+Description: Disable SSLv2 in the TLS driver
+ SSL 2.0 is not used anywhere as it has security problems.
+ Disable it unconditionally both in server and client mode.
+ This does not disable support for SSL 2.0 compatible client
+ hello which still will be accepted in the server mode.
+ .
+ This patch is a backport of changes introduced by the commit
+ e06c1c49c14c3f56cf4ddae080514f7802669335 in the upstream Git repository
+ to the ejabberd code base as of version 2.1.12.
+Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
+Forwarded: not-needed
+Last-Update: 2013-09-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/tls/tls_drv.c
++++ b/src/tls/tls_drv.c
+@@ -354,6 +354,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+ 	    res = SSL_CTX_check_private_key(ctx);
+ 	    die_unless(res > 0, "SSL_CTX_check_private_key failed");
+ 
++	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
++
+ 	    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ 	    SSL_CTX_set_default_verify_paths(ctx);
+ #ifdef SSL_MODE_RELEASE_BUFFERS
+@@ -386,10 +388,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+ 	 SSL_set_bio(d->ssl, d->bio_read, d->bio_write);
+ 
+ 	 if (command == SET_CERTIFICATE_FILE_ACCEPT) {
+-	    SSL_set_options(d->ssl, SSL_OP_NO_TICKET);
+ 	    SSL_set_accept_state(d->ssl);
+ 	 } else {
+-	    SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+ 	    SSL_set_connect_state(d->ssl);
+ 	 }
+ 	 break;
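Review bot: the DEP-3 header records the upstream commit only as free text in the Description; DEP-3 has an `Origin:` field for exactly this (for example `Origin: backport, <commit URL>`), which patch-tracking tools can parse, and the same applies to the other four patches in this debdiff. On the substance, moving `SSL_OP_NO_SSLv2` from the per-connection `SSL_set_options` in the connect branch up to `SSL_CTX_set_options` is what extends the restriction to accepted connections; the Description does say "both in server and client mode", so that matches, but note that the context-level options only take effect for contexts created in this branch, i.e. ones with a certificate file.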
only in patch2:
unchanged:
--- ejabberd-2.1.10.orig/debian/patches/scram-optional-parameter-parsing-bugfix.patch
+++ ejabberd-2.1.10/debian/patches/scram-optional-parameter-parsing-bugfix.patch
@@ -0,0 +1,99 @@
+Description: Fix parsing SCRAM optional parameters
+ The server gave an authentication error, if optional parameters
+ were present in the GS2 Header. Specifically, the "a=" parameter,
+ that can be used by admins to login as a different user.
+ .
+ This patch is a backport of changes introduced by the commit
+ 9e9b0eae802ee0508db6780426954efd048e7976 in the upstream Git repository
+ to the ejabberd code base as of version 2.1.10.
+Author: Stephen Röttger <stephen.roettger@gmail.com>
+Forwarded: not-needed
+Bug: https://support.process-one.net/browse/EJAB-1632
+Last-Update: 2013-03-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/cyrsasl_scram.erl
++++ b/src/cyrsasl_scram.erl
+@@ -34,6 +34,8 @@
+ 
+ -include("ejabberd.hrl").
+ 
++-include("jlib.hrl").
++
+ -behaviour(cyrsasl).
+ 
+ -record(state, {step, stored_key, server_key, username, get_password, check_password,
+@@ -52,8 +54,12 @@
+     {ok, #state{step = 2, get_password = GetPassword}}.
+ 
+ mech_step(#state{step = 2} = State, ClientIn) ->
+-	case string:tokens(ClientIn, ",") of
+-	[CBind, UserNameAttribute, ClientNonceAttribute] when (CBind == "y") or (CBind == "n") ->
++	case re:split(ClientIn, ",", [{return, list}]) of
++	[_CBind, _AuthorizationIdentity, _UserNameAttribute, _ClientNonceAttribute, ExtensionAttribute | _]
++	when ExtensionAttribute /= [] ->
++		{error, <<"protocol-error-extension-not-supported">>};
++	[CBind, _AuthorizationIdentity, UserNameAttribute, ClientNonceAttribute | _]
++	when (CBind == "y") or (CBind == "n") ->
+ 		case parse_attribute(UserNameAttribute) of
+                 {error, Reason} ->
+ 			{error, Reason};
+@@ -100,32 +106,36 @@
+ 	case string:tokens(ClientIn, ",") of
+ 	[GS2ChannelBindingAttribute, NonceAttribute, ClientProofAttribute] ->
+ 		case parse_attribute(GS2ChannelBindingAttribute) of
+-		{$c, CVal} when (CVal == "biws") or (CVal == "eSws") ->
+-		    %% biws is base64 for n,, => channelbinding not supported
+-		    %% eSws is base64 for y,, => channelbinding supported by client only
+- 			Nonce = State#state.client_nonce ++ State#state.server_nonce,
+-			case parse_attribute(NonceAttribute) of
+-			{$r, CompareNonce} when CompareNonce == Nonce ->
+-				case parse_attribute(ClientProofAttribute) of
+-				{$p, ClientProofB64} ->
+-					ClientProof = base64:decode(ClientProofB64),
+-					AuthMessage = State#state.auth_message ++ "," ++ string:substr(ClientIn, 1, string:str(ClientIn, ",p=")-1),
+-					ClientSignature = scram:client_signature(State#state.stored_key, AuthMessage),
+-					ClientKey = scram:client_key(ClientProof, ClientSignature),
+-					CompareStoredKey = scram:stored_key(ClientKey),
+-					if CompareStoredKey == State#state.stored_key ->
+-						ServerSignature = scram:server_signature(State#state.server_key, AuthMessage),
+-						{ok, [{username, State#state.username}], "v=" ++ base64:encode_to_string(ServerSignature)};
+-					true ->
+-						{error, "bad-auth"}
++		{$c, CVal} ->
++			ChannelBindingSupport = string:left(jlib:decode_base64(CVal), 1),
++			if (ChannelBindingSupport == "n")
++			or (ChannelBindingSupport == "y") ->
++				Nonce = State#state.client_nonce ++ State#state.server_nonce,
++				case parse_attribute(NonceAttribute) of
++				{$r, CompareNonce} when CompareNonce == Nonce ->
++					case parse_attribute(ClientProofAttribute) of
++					{$p, ClientProofB64} ->
++						ClientProof = base64:decode(ClientProofB64),
++						AuthMessage = State#state.auth_message ++ "," ++ string:substr(ClientIn, 1, string:str(ClientIn, ",p=")-1),
++						ClientSignature = scram:client_signature(State#state.stored_key, AuthMessage),
++						ClientKey = scram:client_key(ClientProof, ClientSignature),
++						CompareStoredKey = scram:stored_key(ClientKey),
++						if CompareStoredKey == State#state.stored_key ->
++							ServerSignature = scram:server_signature(State#state.server_key, AuthMessage),
++							{ok, [{username, State#state.username}], "v=" ++ base64:encode_to_string(ServerSignature)};
++						true ->
++							{error, "bad-auth"}
++						end;
++					_Else ->
++						{error, "bad-protocol"}
+ 					end;
++				{$r, _} ->
++					{error, "bad-nonce"};
+ 				_Else ->
+ 					{error, "bad-protocol"}
+ 				end;
+-			{$r, _} ->
+-				{error, "bad-nonce"};
+-			_Else ->
+-				{error, "bad-protocol"}
++			true ->
++				{error, "bad-channel-binding"}
+ 			end;
+ 		_Else ->
+ 	   		{error, "bad-protocol"}
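Review bot: the `a=` authorization identity is now tolerated but never checked: `_AuthorizationIdentity` is discarded in both new clauses, so a client that sends a non-empty `a=` is silently authenticated as the `n=` user instead of being told the authzid is unsupported. Consider rejecting a non-empty `a=` that differs from the username, mirroring the new extension check that returns `protocol-error-extension-not-supported`, and reword the Description, which currently reads as if admins can log in as a different user through this patch. Minor: the client-final `c=` check only looks at the first character of the decoded GS2 header (`string:left(jlib:decode_base64(CVal), 1)`) rather than comparing the whole header against the one received in client-first; the proof still covers it, but an exact comparison would be the stricter check.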
only in patch2:
unchanged:
--- ejabberd-2.1.10.orig/debian/patches/fix-nicks-in-plaintext-muc-log.patch
+++ ejabberd-2.1.10/debian/patches/fix-nicks-in-plaintext-muc-log.patch
@@ -0,0 +1,92 @@
+Description: Fix angle brackets handle in MUC plaintext log
+ If the type of log files generated by the mod_muc_module
+ is set to plaintext, the renderer cuts out all the text
+ which starts with a '<' character and ends with a '>' characters,
+ inclusive, which, among other things, inhibits displaying of
+ room nicknames.  This patch fixes this behaviour.
+ .
+ This patch is a backport of changes introduced by the commits
+ 15073aafa58871b8d5e25652d492fb3a76900d5b,
+ bc8264b2ac6cf58d267dc06bb0d45585d5d677d0,
+ e85f7566dd7895f922f63528feed2995cd3eb52b and
+ 0b96b745bf4146dca3c3709765945fc97679465f in the upstream
+ Git repository to the ejabberd code base as of version 2.1.13.
+Author: Badlop <badlop@process-one.net>
+Forwarded: not-needed
+Last-Update: 2013-09-30
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/mod_muc/mod_muc_log.erl
++++ b/src/mod_muc/mod_muc_log.erl
+@@ -52,6 +52,9 @@
+ -define(PROCNAME, ejabberd_mod_muc_log).
+ -record(room, {jid, title, subject, subject_author, config}).
+ 
++-define(PLAINTEXT_CO, "ZZCZZ").
++-define(PLAINTEXT_IN, "ZZIZZ").
++-define(PLAINTEXT_OUT, "ZZOZZ").
+ 
+ -record(logstate, {host,
+ 		out_dir,
+@@ -311,6 +314,11 @@
+     fw(F, "  <a href=\"http://jigsaw.w3.org/css-validator/\";><img style=\"border:0;width:88px;height:31px\" src=\"~s/vcss.png\" alt=\"Valid CSS!\"/></a>", [Images_dir]),
+     fw(F, "</span></div></body></html>").
+ 
++htmlize_nick(Nick1, html) ->
++    htmlize("<"++Nick1++">", html);
++htmlize_nick(Nick1, plaintext) ->
++    htmlize(?PLAINTEXT_IN++Nick1++?PLAINTEXT_OUT, plaintext).
++
+ add_message_to_log(Nick1, Message, RoomJID, Opts, State) ->
+     #logstate{out_dir = OutDir,
+ 	   dir_type = DirType,
+@@ -323,7 +331,7 @@
+ 	   top_link = TopLink} = State,
+     Room = get_room_info(RoomJID, Opts),
+     Nick = htmlize(Nick1, FileFormat),
+-    Nick2 = htmlize("<"++Nick1++">", FileFormat),
++    Nick2 = htmlize_nick(Nick1, FileFormat),
+     Now = now(),
+     TimeStamp = case Timezone of
+ 		    local -> calendar:now_to_local_time(Now);
+@@ -438,7 +446,7 @@
+     STimeUnique = io_lib:format("~s.~w", [STime, Microsecs]),
+ 
+     %% Write message
+-    fw(F, io_lib:format("<a id=\"~s\" name=\"~s\" href=\"#~s\" class=\"ts\">[~s]</a> ", 
++    catch fw(F, io_lib:format("<a id=\"~s\" name=\"~s\" href=\"#~s\" class=\"ts\">[~s]</a> ",
+ 			[STimeUnique, STimeUnique, STimeUnique, STime]) ++ Text, FileFormat),
+ 
+     %% Close file
+@@ -662,7 +670,10 @@
+ 	     html ->
+ 		 S1;
+ 	     plaintext ->
+-		 ejabberd_regexp:greplace(S1, "<[^>]*>", "")
++		 S1a = ejabberd_regexp:greplace(S1, "<[^<^>]*>", ""),
++		 S1x = ejabberd_regexp:greplace(S1a, ?PLAINTEXT_CO, "~~"),
++		 S1y = ejabberd_regexp:greplace(S1x, ?PLAINTEXT_IN, "<"),
++		 ejabberd_regexp:greplace(S1y, ?PLAINTEXT_OUT, ">")
+ 	 end,
+     io:format(F, S2, []).
+ 
+@@ -767,14 +778,16 @@
+     htmlize(S1, html).
+ 
+ htmlize(S1, plaintext) ->
+-    S1;
++    ejabberd_regexp:greplace(S1, "~", ?PLAINTEXT_CO);
+ htmlize(S1, FileFormat) ->
+     htmlize(S1, false, FileFormat).
+ 
+ %% The NoFollow parameter tell if the spam prevention should be applied to the link found
+ %% true means 'apply nofollow on links'.
+-htmlize(S1, _NoFollow, plaintext) ->
+-    S1;
++htmlize(S0, _NoFollow, plaintext) ->
++    S1  = ejabberd_regexp:greplace(S0, "~", ?PLAINTEXT_CO),
++    S1x = ejabberd_regexp:greplace(S1, "<", ?PLAINTEXT_IN),
++    ejabberd_regexp:greplace(S1x, ">", ?PLAINTEXT_OUT);
+ htmlize(S1, NoFollow, _FileFormat) ->
+     S2_list = string:tokens(S1, "\n"),
+     lists:foldl(
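Review bot: the new character class in `"<[^<^>]*>"` contains a literal caret (only the first `^` inside a bracket expression negates), so any markup whose body contains `^` is no longer stripped in plaintext mode; `"<[^<>]*>"` is presumably what was meant. Separately, wrapping the write in `catch fw(...)` silently drops the log line when formatting fails (the `~` handling introduced here is what used to trip `io:format`), so consider logging the caught error instead of discarding it.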
only in patch2:
unchanged:
--- ejabberd-2.1.10.orig/debian/patches/disable-insecure-ssl-cyphers.patch
+++ ejabberd-2.1.10/debian/patches/disable-insecure-ssl-cyphers.patch
@@ -0,0 +1,34 @@
+Description: Disable old and insecure cyphers in TLS driver
+ Disabled:
+ * Export ciphers - broken by design, 40 and 56 bit encryption.
+ * Low encryption ciphers - 56 and 64 bit encryption.
+ * SSLv2 ciphers - some ciphers using MD5 MAC.
+ .
+ This patch is a backport of changes introduced by the commit
+ d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
+ to the ejabberd code base as of version 2.1.12.
+Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
+Forwarded: not-needed
+Last-Update: 2013-09-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/tls/tls_drv.c
++++ b/src/tls/tls_drv.c
+@@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t;
+ #define SSL_OP_NO_TICKET 0
+ #endif
+ 
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++
+ /*
+  * R15B changed several driver callbacks to use ErlDrvSizeT and
+  * ErlDrvSSizeT typedefs instead of int.
+@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+ 
+ 	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+ 
++	    SSL_CTX_set_cipher_list(ctx, CIPHERS);
++
+ 	    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ 	    SSL_CTX_set_default_verify_paths(ctx);
+ #ifdef SSL_MODE_RELEASE_BUFFERS
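Review bot: the return value of `SSL_CTX_set_cipher_list` is not checked; it returns 0 when no cipher in the list could be selected, and in that case the context keeps the library's built-in list rather than the intended one. Use the same `die_unless(res > 0, ...)` pattern that `SSL_CTX_check_private_key` gets a few lines above, e.g. `res = SSL_CTX_set_cipher_list(ctx, CIPHERS); die_unless(res > 0, "SSL_CTX_set_cipher_list failed");`.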
only in patch2:
unchanged:
--- ejabberd-2.1.10.orig/debian/patches/fix-odbc-escaping.patch
+++ ejabberd-2.1.10/debian/patches/fix-odbc-escaping.patch
@@ -0,0 +1,35 @@
+Description: Fix escaping of single quotes in SQL queries
+ The ODBC backend code improperly used a backslash character
+ to escape a single quote character in SQL queries instead of
+ duplicating the single quote character as required by SQL-92,
+ rendering the generated queries not understandable for certain
+ SQL servers, namely PostgreSQL.  The patch corrects this problem.
+ .
+ This patch is extracted from the commit
+ 89aa7baa5b5601c078d90bcd64deede218c7e5a8 in the upstream Git repository.
+ .
+ The first upstream version to integrate this patch is 2.1.11.
+Author: Evgeniy Khramtsov <ekhramtsov@process-one.net>
+Forwarded: not-needed
+Bug: https://github.com/processone/ejabberd/issues/24
+Last-Update: 2013-05-15
+XXX
+commit 
+Date:   Tue Jan 31 11:18:14 2012 +1000
+
+    Replace a single quote with double quotes in
+    an ODBC escape (thanks to Vladislav Chugunov)
+
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/odbc/odbc_queries.erl
++++ b/src/odbc/odbc_queries.erl
+@@ -557,7 +557,7 @@ escape($\n) -> "\\n";
+ escape($\t) -> "\\t";
+ escape($\b) -> "\\b";
+ escape($\r) -> "\\r";
+-escape($')  -> "\\'";
++escape($')  -> "''";
+ escape($")  -> "\\\"";
+ escape($\\) -> "\\\\";
+ escape(C)   -> C.
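Review bot: the Description understates the impact: on PostgreSQL with standard_conforming_strings enabled (the default since 9.1) a backslash is an ordinary character, so the old `\'` ended the string literal early and let the remainder of the value be parsed as SQL; please say so, since it affects how the update is categorised. The fix is also partial, because the remaining clauses (`\\n`, `\\t`, `\\"`, `\\\\`) still rely on backslash escaping that PostgreSQL will store literally. Finally, the header carries leftover lines between `Last-Update:` and the `---` separator (`XXX`, an empty `commit` line and a `Date:`) that should be removed or folded into a DEP-3 `Origin:` field.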
