
Bug#858973: marked as done (wheezy-pu: package ejabberd/2.1.10-4+deb7u2)



Your message dated Wed, 29 Mar 2017 10:57:03 +0200
with message-id <3b3950d3-0123-e0f6-2938-94ad7752b2c6@debian.org>
and subject line Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2
has caused the Debian Bug report #858973,
regarding wheezy-pu: package ejabberd/2.1.10-4+deb7u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858973: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858973
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'm not sure if another point update for Wheezy is planned or if this is
a case for the LTS team, but I would like to update ejabberd in Wheezy.

There are 2 minor security patches:
* disable SSLv3 (Closes: #767521)
* enforce the starttls_required setting (CVE-2014-8760, closes: #767535)

Please advise. Complete diff from git repository is attached.

Best wishes,
Philipp
diff --git a/debian/changelog b/debian/changelog
index 2869431..55ede73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ejabberd (2.1.10-4+deb7u2) oldstable; urgency=high
+
+  * Disable SSLv3 (Closes: #767521)
+  * Add patch to fix CVE-2014-8760 (Closes: #767535)
+
+ -- Philipp Huebner <debalance@debian.org>  Wed, 29 Mar 2017 10:05:39 +0200
+
 ejabberd (2.1.10-4+deb7u1) stable-security; urgency=low
 
   [ Konstantin Khomoutov ]
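Review bot: The second bullet, "Add patch to fix CVE-2014-8760", names neither the new file nor the existing patch that this upload also modifies, so a reader of the changelog cannot tell that disable-insecure-ssl-cyphers.patch changed; for a stable/oldstable update name both files, e.g. "* Disable SSLv3 in disable-insecure-ssl-cyphers.patch (Closes: #767521)" and "* Add CVE-2014-8760.patch: enforce starttls_required (Closes: #767535)".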
diff --git a/debian/patches/CVE-2014-8760.patch b/debian/patches/CVE-2014-8760.patch
new file mode 100644
index 0000000..cd8c08b
--- /dev/null
+++ b/debian/patches/CVE-2014-8760.patch
@@ -0,0 +1,27 @@
+Description: Make sure "starttls_required" can't be bypassed.
+ Don't allow clients to circumvent the "starttls_required" option by
+ enabling XMPP stream compression. (CVE-2014-8760)
+Author: Holger Weiss <holger@zedat.fu-berlin.de>
+
+Index: ejabberd/src/ejabberd_c2s.erl
+===================================================================
+--- ejabberd.orig/src/ejabberd_c2s.erl
++++ ejabberd/src/ejabberd_c2s.erl
+@@ -614,7 +614,7 @@ wait_for_feature_request({xmlstreameleme
+     TLSRequired = StateData#state.tls_required,
+     SockMod = (StateData#state.sockmod):get_sockmod(StateData#state.socket),
+     case {xml:get_attr_s("xmlns", Attrs), Name} of
+-	{?NS_SASL, "auth"} when not ((SockMod == gen_tcp) and TLSRequired) ->
++	{?NS_SASL, "auth"} when TLSEnabled or not TLSRequired ->
+ 	    Mech = xml:get_attr_s("mechanism", Attrs),
+ 	    ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
+ 	    case cyrsasl:server_start(StateData#state.sasl_state,
+@@ -720,7 +720,7 @@ wait_for_feature_request({xmlstreameleme
+ 	    end;
+ 	_ ->
+ 	    if
+-		(SockMod == gen_tcp) and TLSRequired ->
++		TLSRequired and not TLSEnabled ->
+ 		    Lang = StateData#state.lang,
+ 		    send_element(StateData, ?POLICY_VIOLATION_ERR(
+ 					       Lang,
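Review bot: Both replacement guards use TLSEnabled, but nothing in the visible context binds it (only TLSRequired and SockMod are bound above the case), so confirm that wait_for_feature_request binds it earlier (presumably from a tls_enabled field of the state record) or the module will not compile; in the same check confirm SockMod is still referenced elsewhere in the function, since the hunks remove its only visible uses and an unused variable yields a compiler warning. The DEP-3 header also carries only Description and Author: add Origin: with the upstream commit this backports and Bug-Debian: http://bugs.debian.org/767535 so the change stays traceable.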
diff --git a/debian/patches/disable-insecure-ssl-cyphers.patch b/debian/patches/disable-insecure-ssl-cyphers.patch
index 4ff049f..dc678c5 100644
--- a/debian/patches/disable-insecure-ssl-cyphers.patch
+++ b/debian/patches/disable-insecure-ssl-cyphers.patch
@@ -3,32 +3,37 @@ Description: Disable old and insecure cyphers in TLS driver
  * Export ciphers - broken by design, 40 and 56 bit encryption.
  * Low encryption ciphers - 56 and 64 bit encryption.
  * SSLv2 ciphers - some ciphers using MD5 MAC.
+ * SSLv3 ciphers
  .
  This patch is a backport of changes introduced by the commit
  d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
  to the ejabberd code base as of version 2.1.12.
+ It was later extended to also disable SSLv3.
 Author: Janusz Dziemidowicz <rraptorr@nails.eu.org>
 Forwarded: not-needed
-Last-Update: 2013-09-29
+Last-Update: 2017-03-29
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
---- a/src/tls/tls_drv.c
-+++ b/src/tls/tls_drv.c
+Index: ejabberd/src/tls/tls_drv.c
+===================================================================
+--- ejabberd.orig/src/tls/tls_drv.c
++++ ejabberd/src/tls/tls_drv.c
 @@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t;
  #define SSL_OP_NO_TICKET 0
  #endif
  
-+#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"
 +
  /*
   * R15B changed several driver callbacks to use ErlDrvSizeT and
   * ErlDrvSSizeT typedefs instead of int.
-@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+@@ -355,6 +357,9 @@ static ErlDrvSSizeT tls_drv_control(ErlD
+ 	    die_unless(res > 0, "SSL_CTX_check_private_key failed");
  
  	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
- 
-+	    SSL_CTX_set_cipher_list(ctx, CIPHERS);
++	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
 +
++	    SSL_CTX_set_cipher_list(ctx, CIPHERS);
+ 
  	    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
  	    SSL_CTX_set_default_verify_paths(ctx);
- #ifdef SSL_MODE_RELEASE_BUFFERS
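Review bot: Appending !SSLv3 to CIPHERS is not the same as disabling the SSLv3 protocol, and on wheezy's OpenSSL 1.0.1 it is harmful: in OpenSSL's cipher-list syntax the SSLv3 keyword selects the suites that came with SSL 3.0, which TLS 1.0 and 1.1 reuse, so !SSLv3 strips every suite that is not TLS 1.2 specific and clients limited to TLS 1.0/1.1 can no longer negotiate a cipher. The new SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET) line is the correct fix on its own (options are ORed into the context, so the second call accumulates with the first; repeating SSL_OP_NO_TICKET is harmless, though a single call with SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET would read more clearly). Suggest leaving CIPHERS at "DEFAULT:!EXPORT:!LOW:!SSLv2", or at least running openssl ciphers -v 'DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3' on a wheezy box and confirming the remaining suites are acceptable before uploading; the DEP-3 Description line "SSLv3 ciphers" should then say that the protocol is disabled via SSL_OP_NO_SSLv3.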
diff --git a/debian/patches/series b/debian/patches/series
index 297e201..30f0424 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ fix-odbc-escaping.patch
 disable-ssl2.patch
 disable-insecure-ssl-cyphers.patch
 fix-nicks-in-plaintext-muc-log.patch
+CVE-2014-8760.patch

--- End Message ---
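The "disable SSLv3" item in the message above is implemented twice in the attached diff: once by setting SSL_OP_NO_SSLv3 (a protocol switch) and once by adding !SSLv3 to the cipher string (a cipher-suite filter). The following script, an added check that is not part of the bug report or of the ejabberd package, resolves both cipher strings from the patch through Python's ssl module, which passes them to the same SSL_CTX_set_cipher_list call the driver uses, and reports which suites the !SSLv3 keyword actually removes. The result depends on the OpenSSL that Python is linked against, not on wheezy's OpenSSL 1.0.1, so treat the output as the method rather than as the wheezy answer.

```python
import ssl

# Cipher strings copied from the patch: the existing one and the wheezy-pu one.
CIPHERS_BEFORE = "DEFAULT:!EXPORT:!LOW:!SSLv2"
CIPHERS_AFTER = "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"


def resolve_ciphers(cipher_string):
    """Return the suites OpenSSL enables for a cipher string.

    SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list, so the list is
    what a server configured with this string would offer. Each entry's
    'protocol' is the version the suite was introduced with ("SSLv3" for the
    RSA CBC/SHA1 suites, "TLSv1.2" for the AEAD suites, and so on); that
    label, not the TLS version negotiated, is what the !SSLv3 keyword filters.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()


def suite_names(cipher_string):
    """Set of suite names enabled by a cipher string."""
    return {c["name"] for c in resolve_ciphers(cipher_string)}


def protocols_offered(cipher_string):
    """Sorted distinct protocol labels among the enabled suites."""
    return sorted({c["protocol"] for c in resolve_ciphers(cipher_string)})


def suites_removed(old_string, new_string):
    """Suites enabled by old_string that new_string no longer enables."""
    return sorted(suite_names(old_string) - suite_names(new_string))


def sslv3_filter_is_safe(cipher_string):
    """True when no SSLv3-labelled suite remains and TLS 1.2 suites survive.

    On an OpenSSL where every pre-1.2 suite is labelled SSLv3 (as on
    wheezy's 1.0.1), this returns True but suites_removed() shows that all
    TLS 1.0/1.1-capable suites are gone, which is the point of the check.
    """
    protos = protocols_offered(cipher_string)
    return "SSLv3" not in protos and "TLSv1.2" in protos


if __name__ == "__main__":
    for s in (CIPHERS_BEFORE, CIPHERS_AFTER):
        print(f"{s}: {len(resolve_ciphers(s))} suites, protocols {protocols_offered(s)}")
    print("removed by !SSLv3:", suites_removed(CIPHERS_BEFORE, CIPHERS_AFTER))
    print("safe:", sslv3_filter_is_safe(CIPHERS_AFTER))
```

Run it on a wheezy host (or any box with the OpenSSL version the server links against) and compare the "removed by !SSLv3" list with the clients you need to keep supporting; if the list contains every non-TLS 1.2 suite, rely on SSL_OP_NO_SSLv3 alone and leave !SSLv3 out of the cipher string.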
--- Begin Message ---
On 29/03/17 10:12, Philipp Huebner wrote:
> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> I'm not sure if another point update for Wheezy is planned or if this is
> a case for the LTS team, but I would like to update ejabberd in Wheezy.

wheezy-proposed-updates is closed, closing this bug (-done Bcc'ed) and adding
debian-lts@ to Cc.

Cheers,
Emilio

> 
> There are 2 minor security patches:
> * disable SSLv3 (Closes: #767521)
> * enforce the starttls_required setting (CVE-2014-8760, closes: #767535)
> 
> Please advise. Complete diff from git repository is attached.
> 
> Best wishes,
> Philipp
> 

--- End Message ---
