Bug 11447

Summary: ejabberd insecure SSLv2 usage (CVE-2013-6169)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, mitya, oe, rverschelde, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/570144/
Whiteboard: has_procedure mga3-32-ok mga3-64-ok advisory
Source RPM: ejabberd-2.1.11-8.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-10-11 20:40:49 CEST 
Debian has issued an advisory on October 10:
http://www.debian.org/security/2013/dsa-2775

It's not clear whether we should follow suit in disabling SSLv2, but I'm filing this bug just in case we do decide to act on it later.

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-10-12 12:31:02 CEST 
I asked neoclust to upgrade to the 2.1.13 version for mga2, mga3 (and mbs1) the other day. Don't know the status on that right now.

CC: (none) => oe

David Walser 2013-10-12 16:23:08 CEST

CC: (none) => nicolas.lecureuil

David Walser 2013-10-17 21:32:18 CEST

CC: (none) => mitya

Comment 2 Dimitri Jakov 2013-10-17 21:54:40 CEST 
FYI, I've upgraded ejabberd to 2.1.13 a couple of days ago.
Comment 3 Oden Eriksson 2013-10-18 10:38:48 CEST 
======================================================
Name: CVE-2013-6169
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6169
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20131017
Category: 
Reference:
CONFIRM:https://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_2.1.12/
Reference: DEBIAN:DSA-2775
Reference: URL:http://www.debian.org/security/2013/dsa-2775

The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2)
weak SSL ciphers, which makes it easier for remote attackers to obtain
sensitive information via a brute-force attack.
David Walser 2013-10-18 14:56:13 CEST

Version: Cauldron => 3
Summary: ejabberd insecure SSLv2 usage => ejabberd insecure SSLv2 usage (CVE-2013-6169)
Whiteboard: (none) => MGA2TOO

Comment 4 David Walser 2013-11-22 16:13:55 CET 
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Whiteboard: MGA2TOO => (none)

Comment 5 David Walser 2014-01-16 18:04:45 CET 
Mandriva has issued an advisory for this today (January 16):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:005/
Comment 6 David Walser 2014-01-17 17:11:00 CET 
LWN created another entry for this since Debian's advisory didn't have a CVE:
http://lwn.net/Vulnerabilities/580997/
Comment 7 Oden Eriksson 2014-02-10 15:28:31 CET 
ejabberd-2.1.13-1.mga3 has been submitted.
Comment 8 David Walser 2014-02-10 15:54:22 CET 
Thanks Oden!

Advisory:
========================

Updated ejabberd packages fix security vulnerability:

The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2)
weak SSL ciphers, which makes it easier for remote attackers to obtain
sensitive information via a brute-force attack (CVE-2013-6169).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6169
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:005/
========================

Updated packages in core/updates_testing:
========================
ejabberd-2.1.13-1.mga3
ejabberd-devel-2.1.13-1.mga3
ejabberd-doc-2.1.13-1.mga3

from ejabberd-2.1.13-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Comment 9 claire robinson 2014-02-12 15:27:37 CET 
Testing complete mga3 64

Started ejabberd service then used kopete to register a new jabber account with server 'localhost' as user 'admin' and password 'passwd'.

I was then able to log in to the admin web interface at http://localhost:5280/admin as the admin user.
Comment 10 claire robinson 2014-02-12 15:33:30 CET 
Slight correction, the user or jabber id was actually 'admin@localhost'


Testing complete mga3 32

Whiteboard: (none) => has_procedure mga3-32-ok mga3-64-ok

Comment 11 RĂ©mi Verschelde 2014-02-12 17:54:12 CET 
Advisory uploaded, please push to 3 core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok advisory
CC: (none) => remi, sysadmin-bugs

Comment 12 Thomas Backlund 2014-02-12 18:44:53 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0057.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED