Bug 14305

Summary: ejabberd new security issue CVE-2014-8760
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: ottoleipala1, rverschelde, sysadmin-bugs, zombie_ryushu
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/617973/
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok advisory
Source RPM: ejabberd-2.1.13-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-10-16 18:25:53 CEST 
A CVE was assigned for a security issue fixed in ejabberd:
http://openwall.com/lists/oss-security/2014/10/16/7

The upstream commit is linked in the message above.

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-10-16 18:26:04 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-10-17 23:43:54 CEST 
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated ejabberd packages fix security vulnerability:

A flaw was discovered in ejabberd that allows clients to connect with an
unencrypted connection even if starttls_required is set (CVE-2014-8760).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8760
http://mail.jabber.org/pipermail/operators/2014-October/002438.html
http://openwall.com/lists/oss-security/2014/10/16/7
========================

Updated packages in core/updates_testing:
========================
ejabberd-2.1.13-1.1.mga3
ejabberd-devel-2.1.13-1.1.mga3
ejabberd-doc-2.1.13-1.1.mga3
ejabberd-2.1.13-3.1.mga4
ejabberd-devel-2.1.13-3.1.mga4
ejabberd-doc-2.1.13-3.1.mga4

from SRPMS:
ejabberd-2.1.13-1.1.mga3.src.rpm
ejabberd-2.1.13-3.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 Otto Leipälä 2014-10-21 16:34:47 CEST 
I start to testing it i can test all Mga4 64&32 and Mga3 64&32.

CC: (none) => ozkyster

Comment 3 Rémi Verschelde 2014-10-21 17:04:17 CEST 
Elements of a procedure in https://bugs.mageia.org/show_bug.cgi?id=11447#c9

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 Otto Leipälä 2014-10-21 17:09:02 CEST 
Yes i used this guide to set it up.
https://www.digitalocean.com/community/tutorials/how-to-install-ejabberd-xmpp-server-on-ubuntu
Comment 5 Rémi Verschelde 2014-10-21 17:11:16 CEST 
Great thanks for this link Otto.
Comment 6 Otto Leipälä 2014-10-21 20:21:16 CEST 
Tested mga4 and 3 all arch no problems found,i validate this update.
Can sysadmin push it to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok

Comment 7 Rémi Verschelde 2014-10-23 11:11:59 CEST 
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok advisory

Comment 8 Mageia Robot 2014-10-23 15:28:37 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0417.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-10-24 18:54:28 CEST

URL: (none) => http://lwn.net/Vulnerabilities/617973/

Comment 9 David Walser 2016-11-17 16:41:13 CET 
*** Bug 19804 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 10 David Walser 2017-02-15 12:07:29 CET 
*** Bug 20294 has been marked as a duplicate of this bug. ***
Comment 11 Zombie Ryushu 2017-02-15 13:15:49 CET 
There exists a Roster bug in 2.2.13 handling standard XEP-0321. A patch for this exists for ejabberd 2.2.11 to correct the bad mod_roster behavior, but not 2.2.13. Can the patch be rediffed to fix the problem.
Comment 12 David Walser 2017-02-15 13:21:14 CET 
Please file a new bug for this issue with a link to the patch and we will try to fix it.  Thanks.