Debian has issued an advisory on October 10: http://www.debian.org/security/2013/dsa-2775 It's not clear whether we should follow suit in disabling SSLv2, but I'm filing this bug just in case we do decide to act on it later.
I asked neoclust to upgrade to the 2.1.13 version for mga2, mga3 (and mbs1) the other day. Don't know the status on that right now.
CC: (none) => oe
CC: (none) => nicolas.lecureuil
CC: (none) => mitya
FYI, I upgraded ejabberd to 2.1.13 a couple of days ago.
======================================================
Name: CVE-2013-6169
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6169
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131017
Category:
Reference: CONFIRM:https://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_2.1.12/
Reference: DEBIAN:DSA-2775
Reference: URL:http://www.debian.org/security/2013/dsa-2775

The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack.
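The CVE text above says the pre-2.1.12 TLS driver still accepts SSLv2. A direct way to verify that a given ejabberd instance refuses it after the update is to send a hand-built SSLv2 ClientHello and see whether the server answers with an SSLv2 ServerHello. The probe below is an added example for this report, not ejabberd code and not part of the original bug; it assumes the legacy TLS-on-connect client listener is enabled on its conventional port 5223 (an assumption: that listener is not enabled in a stock ejabberd.cfg), and the host and port are plain arguments.

```python
"""Probe a TLS endpoint for SSLv2 support with a hand-built SSLv2 ClientHello.

Added example for the ejabberd CVE-2013-6169 bug report; not ejabberd code.
The target port is an assumption: 5223 is the conventional ejabberd
"TLS on connect" client port, which speaks SSL/TLS without XMPP STARTTLS.
"""
import socket
import struct
import sys

# SSLv2 cipher-kind identifiers (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
TLS_ALERT = 0x15  # content type of a TLS alert record


def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """Return one SSLv2 record carrying a ClientHello that offers every SSLv2 cipher kind."""
    cipher_specs = b"".join(SSLV2_CIPHERS)
    # MSG-CLIENT-HELLO: type(1) version(2) cipher_specs_len(2) session_id_len(2) challenge_len(2)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    # Two-byte SSLv2 record header: high bit set, remaining 15 bits hold the body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data):
    """Interpret the first bytes a server sends back after an SSLv2 ClientHello.

    Returns (supports_sslv2, detail): detail is the list of SSLv2 cipher kinds
    the server offered, or a short reason string when SSLv2 was refused.
    """
    if not data:
        return False, "connection closed without a reply (SSLv2 not spoken)"
    if data[0] == TLS_ALERT:
        return False, "TLS alert record (server rejected the SSLv2 hello)"
    if not (data[0] & 0x80) or len(data) < 13 or data[2] != MSG_SERVER_HELLO:
        return False, "unrecognised reply"
    # MSG-SERVER-HELLO after the 2-byte record header: type(1) session_id_hit(1)
    # cert_type(1) version(2) cert_len(2) cipher_specs_len(2) conn_id_len(2)
    # followed by certificate, cipher specs and connection id.
    cert_len, specs_len = struct.unpack(">HH", data[7:11])
    specs = data[13 + cert_len:13 + cert_len + specs_len]
    offered = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs) - len(specs) % 3, 3)]
    return True, offered


def probe(host, port=5223, timeout=5.0):
    """Connect, send the SSLv2 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5223
    supported, detail = probe(target, target_port)
    print("SSLv2 supported:" if supported else "SSLv2 refused:", detail)
```

A fixed server closes the connection or sends a TLS alert; a vulnerable one returns an SSLv2 ServerHello and the list of SSLv2 cipher kinds it is willing to use. The second half of the CVE (weak TLS ciphers) is a separate check: an `openssl s_client -connect host:5223 -cipher 'EXPORT:LOW'` handshake that completes shows the server still accepts export or low-strength suites, provided the local OpenSSL build still contains those ciphers at all.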
Version: Cauldron => 3
Summary: ejabberd insecure SSLv2 usage => ejabberd insecure SSLv2 usage (CVE-2013-6169)
Whiteboard: (none) => MGA2TOO
Removing Mageia 2 from the whiteboard due to EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA2TOO => (none)
Mandriva has issued an advisory for this today (January 16): http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:005/
LWN created another entry for this since Debian's advisory didn't have a CVE: http://lwn.net/Vulnerabilities/580997/
ejabberd-2.1.13-1.mga3 has been submitted.
Thanks Oden!

Advisory:
========================

Updated ejabberd packages fix security vulnerability:

The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack (CVE-2013-6169).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6169
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:005/
========================

Updated packages in core/updates_testing:
========================
ejabberd-2.1.13-1.mga3
ejabberd-devel-2.1.13-1.mga3
ejabberd-doc-2.1.13-1.mga3

from ejabberd-2.1.13-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Testing complete mga3 64. Started the ejabberd service, then used Kopete to register a new jabber account with server 'localhost' as user 'admin' and password 'passwd'. I was then able to log in to the admin web interface at http://localhost:5280/admin as the admin user.
Slight correction: the user or jabber id was actually 'admin@localhost'. Testing complete mga3 32.
Whiteboard: (none) => has_procedure mga3-32-ok mga3-64-ok
Advisory uploaded, please push to 3 core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok advisory
CC: (none) => remi, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0057.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED