
Bug#725791: marked as done (pu: ejabberd/2.1.5-3+squeeze2)



Your message dated Sat, 12 Oct 2013 19:27:45 +0100
with message-id <1381602465.13031.30.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#725791: pu: ejabberd/2.1.5-3+squeeze2
has caused the Debian Bug report #725791,
regarding pu: ejabberd/2.1.5-3+squeeze2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
725791: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725791
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Tags: squeeze
Usertags: pu

Please let ejabberd/2.1.5-3+squeeze2 enter Squeeze.

It fixes just a single security bug [1]: by disabling SSLv2 and weak
cyphers in TLS driver (this bug is itself a clone of [2] which has
been filed against the version in Sid and is intended to be fixed
by [3]).

Please see the attached debdiff.

1. http://bugs.debian.org/724993
2. http://bugs.debian.org/722105
3. http://bugs.debian.org/725790
diff -u ejabberd-2.1.5/debian/changelog ejabberd-2.1.5/debian/changelog
--- ejabberd-2.1.5/debian/changelog
+++ ejabberd-2.1.5/debian/changelog
@@ -1,3 +1,9 @@
+ejabberd (2.1.5-3+squeeze2) stable-security; urgency=low
+
+  * Disable SSLv2 and weak/export cyphers in TLS driver (closes: #724993).
+
+ -- Konstantin Khomoutov <flatworm@users.sourceforge.net>  Mon, 30 Sep 2013 17:10:02 +0400
+
 ejabberd (2.1.5-3+squeeze1) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
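Review bot: the changelog distribution is stable-security although this request is tagged pu (Usertags: pu), and a stable proposed update normally targets squeeze rather than stable-security, which is reserved for uploads that go through the security team; either change the line to "ejabberd (2.1.5-3+squeeze2) squeeze; urgency=low" or route the upload via the security archive and drop the pu request, but the two should not be mixed.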
diff -u ejabberd-2.1.5/debian/patches/series ejabberd-2.1.5/debian/patches/series
--- ejabberd-2.1.5/debian/patches/series
+++ ejabberd-2.1.5/debian/patches/series
@@ -10,0 +11,2 @@
+disable-ssl2.patch
+disable-insecure-ssl-cyphers.patch
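Review bot: the order of these two entries is load-bearing, not cosmetic: the second patch's hunk at @@ -346,6 +348,8 @@ uses the SSL_CTX_set_options line that disable-ssl2.patch adds as context, so reversing them would make disable-insecure-ssl-cyphers.patch fail to apply; a one-line comment in series (or in the DEP-3 header of the second patch) recording that dependency would save the next person a confusing quilt failure.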
only in patch2:
unchanged:
--- ejabberd-2.1.5.orig/debian/patches/disable-ssl2.patch
+++ ejabberd-2.1.5/debian/patches/disable-ssl2.patch
@@ -0,0 +1,36 @@
+Description: Disable SSLv2 in the TLS driver
+ SSL 2.0 is not used anywhere as it has security problems.
+ Disable it unconditionally both in server and client mode.
+ This does not disable support for SSL 2.0 compatible client
+ hello which still will be accepted in the server mode.
+ .
+ This patch is a backport of changes introduced by the commit
+ e06c1c49c14c3f56cf4ddae080514f7802669335 in the upstream Git repository
+ to the ejabberd code base as of version 2.1.12.
+Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
+Forwarded: not-needed
+Last-Update: 2013-09-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/tls/tls_drv.c
++++ b/src/tls/tls_drv.c
+@@ -344,6 +344,8 @@
+ 	    res = SSL_CTX_check_private_key(ctx);
+ 	    die_unless(res > 0, "SSL_CTX_check_private_key failed");
+ 
++	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
++
+ 	    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ 	    SSL_CTX_set_default_verify_paths(ctx);
+ 
+@@ -370,10 +372,8 @@
+ 	 SSL_set_bio(d->ssl, d->bio_read, d->bio_write);
+ 
+ 	 if (command == SET_CERTIFICATE_FILE_ACCEPT) {
+-	    SSL_set_options(d->ssl, SSL_OP_NO_TICKET);
+ 	    SSL_set_accept_state(d->ssl);
+ 	 } else {
+-	    SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+ 	    SSL_set_connect_state(d->ssl);
+ 	 }
+ 	 break;
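Review bot: moving SSL_OP_NO_SSLv2 from the per-connection SSL_set_options calls into SSL_CTX_set_options at @@ -344,6 +344,8 @@ is a behavioural change on the accept path, not just a refactor: the removed accept-branch call set only SSL_OP_NO_TICKET, so SSLv2 was previously refused for outgoing connections only, and every SSL object created from ctx now inherits the prohibition on both sides, which is what the description's "both in server and client mode" promises. The changelog entry should say explicitly that the server side is newly affected, so administrators with legacy SSLv2-only clients understand why those clients stop connecting after the update.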
only in patch2:
unchanged:
--- ejabberd-2.1.5.orig/debian/patches/disable-insecure-ssl-cyphers.patch
+++ ejabberd-2.1.5/debian/patches/disable-insecure-ssl-cyphers.patch
@@ -0,0 +1,34 @@
+Description: Disable old and insecure cyphers in TLS driver
+ Disabled:
+ * Export ciphers - broken by design, 40 and 56 bit encryption.
+ * Low encryption ciphers - 56 and 64 bit encryption.
+ * SSLv2 ciphers - some ciphers using MD5 MAC.
+ .
+ This patch is a backport of changes introduced by the commit
+ d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
+ to the ejabberd code base as of version 2.1.12.
+Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
+Forwarded: not-needed
+Last-Update: 2013-09-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/tls/tls_drv.c
++++ b/src/tls/tls_drv.c
+@@ -44,6 +44,8 @@
+ #define SSL_OP_NO_TICKET 0
+ #endif
+ 
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++
+ /*
+  * str_hash is based on the public domain code from
+  * http://www.burtleburtle.net/bob/hash/doobs.html
+@@ -346,6 +348,8 @@
+ 
+ 	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+ 
++	    SSL_CTX_set_cipher_list(ctx, CIPHERS);
++
+ 	    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ 	    SSL_CTX_set_default_verify_paths(ctx);
+ 
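Review bot: the return value of SSL_CTX_set_cipher_list at @@ -346,6 +348,8 @@ is ignored; it returns 0 when no cipher in the string can be selected, in which case the driver would continue with whatever list the context already had, silently defeating the patch. The surrounding code already uses die_unless for SSL_CTX_check_private_key, so the same idiom fits here:
    res = SSL_CTX_set_cipher_list(ctx, CIPHERS);
    die_unless(res > 0, "SSL_CTX_set_cipher_list failed");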

--- End Message ---
--- Begin Message ---
On Tue, 2013-10-08 at 16:53 +0400, Konstantin Khomoutov wrote:
> Please let ejabberd/2.1.5-3+squeeze2 enter Squeeze.
> 
> It fixes just a single security bug [1]: by disabling SSLv2 and weak
> cyphers in TLS driver (this bug is itself a clone of [2] which has
> been filed against the version in Sid and is intended to be fixed
> by [3]).

This was handled via the security archive.

Regards,

Adam

--- End Message ---
