Bug#725791: pu: ejabberd/2.1.5-3+squeeze2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Tags: squeeze
Usertags: pu
Please let ejabberd/2.1.5-3+squeeze2 enter Squeeze.
It fixes just a single security bug [1]: by disabling SSLv2 and weak
cyphers in TLS driver (this bug is itself a clone of [2] which has
been filed against the version in Sid and is intended to be fixed
by [3]).
Please see the attached debdiff.
1. http://bugs.debian.org/724993
2. http://bugs.debian.org/722105
3. http://bugs.debian.org/725790
diff -u ejabberd-2.1.5/debian/changelog ejabberd-2.1.5/debian/changelog
--- ejabberd-2.1.5/debian/changelog
+++ ejabberd-2.1.5/debian/changelog
@@ -1,3 +1,9 @@
+ejabberd (2.1.5-3+squeeze2) stable-security; urgency=low
+
+ * Disable SSLv2 and weak/export cyphers in TLS driver (closes: #724993).
+
+ -- Konstantin Khomoutov <flatworm@users.sourceforge.net> Mon, 30 Sep 2013 17:10:02 +0400
+
ejabberd (2.1.5-3+squeeze1) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -u ejabberd-2.1.5/debian/patches/series ejabberd-2.1.5/debian/patches/series
--- ejabberd-2.1.5/debian/patches/series
+++ ejabberd-2.1.5/debian/patches/series
@@ -10,0 +11,2 @@
+disable-ssl2.patch
+disable-insecure-ssl-cyphers.patch
only in patch2:
unchanged:
--- ejabberd-2.1.5.orig/debian/patches/disable-ssl2.patch
+++ ejabberd-2.1.5/debian/patches/disable-ssl2.patch
@@ -0,0 +1,36 @@
+Description: Disable SSLv2 in the TLS driver
+ SSL 2.0 is not used anywhere as it has security problems.
+ Disable it unconditionally both in server and client mode.
+ This does not disable support for SSL 2.0 compatible client
+ hello which still will be accepted in the server mode.
+ .
+ This patch is a backport of changes introduced by the commit
+ e06c1c49c14c3f56cf4ddae080514f7802669335 in the upstream Git repository
+ to the ejabberd code base as of version 2.1.12.
+Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
+Forwarded: not-needed
+Last-Update: 2013-09-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/tls/tls_drv.c
++++ b/src/tls/tls_drv.c
+@@ -344,6 +344,8 @@
+ res = SSL_CTX_check_private_key(ctx);
+ die_unless(res > 0, "SSL_CTX_check_private_key failed");
+
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
++
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_default_verify_paths(ctx);
+
+@@ -370,10 +372,8 @@
+ SSL_set_bio(d->ssl, d->bio_read, d->bio_write);
+
+ if (command == SET_CERTIFICATE_FILE_ACCEPT) {
+- SSL_set_options(d->ssl, SSL_OP_NO_TICKET);
+ SSL_set_accept_state(d->ssl);
+ } else {
+- SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+ SSL_set_connect_state(d->ssl);
+ }
+ break;
only in patch2:
unchanged:
--- ejabberd-2.1.5.orig/debian/patches/disable-insecure-ssl-cyphers.patch
+++ ejabberd-2.1.5/debian/patches/disable-insecure-ssl-cyphers.patch
@@ -0,0 +1,34 @@
+Description: Disable old and insecure cyphers in TLS driver
+ Disabled:
+ * Export ciphers - broken by design, 40 and 56 bit encryption.
+ * Low encryption ciphers - 56 and 64 bit encryption.
+ * SSLv2 ciphers - some ciphers using MD5 MAC.
+ .
+ This patch is a backport of changes introduced by the commit
+ d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
+ to the ejabberd code base as of version 2.1.12.
+Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
+Forwarded: not-needed
+Last-Update: 2013-09-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/tls/tls_drv.c
++++ b/src/tls/tls_drv.c
+@@ -44,6 +44,8 @@
+ #define SSL_OP_NO_TICKET 0
+ #endif
+
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++
+ /*
+ * str_hash is based on the public domain code from
+ * http://www.burtleburtle.net/bob/hash/doobs.html
+@@ -346,6 +348,8 @@
+
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+
++ SSL_CTX_set_cipher_list(ctx, CIPHERS);
++
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_default_verify_paths(ctx);
+
Reply to: