A CVE was assigned for a security issue fixed in ejabberd: http://openwall.com/lists/oss-security/2014/10/16/7 The upstream commit is linked in the message above. Mageia 3 and Mageia 4 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated ejabberd packages fix security vulnerability: A flaw was discovered in ejabberd that allows clients to connect with an unencrypted connection even if starttls_required is set (CVE-2014-8760). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8760 http://mail.jabber.org/pipermail/operators/2014-October/002438.html http://openwall.com/lists/oss-security/2014/10/16/7 ======================== Updated packages in core/updates_testing: ======================== ejabberd-2.1.13-1.1.mga3 ejabberd-devel-2.1.13-1.1.mga3 ejabberd-doc-2.1.13-1.1.mga3 ejabberd-2.1.13-3.1.mga4 ejabberd-devel-2.1.13-3.1.mga4 ejabberd-doc-2.1.13-3.1.mga4 from SRPMS: ejabberd-2.1.13-1.1.mga3.src.rpm ejabberd-2.1.13-3.1.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
I start to testing it i can test all Mga4 64&32 and Mga3 64&32.
CC: (none) => ozkyster
Elements of a procedure in https://bugs.mageia.org/show_bug.cgi?id=11447#c9
CC: (none) => remiWhiteboard: MGA3TOO => MGA3TOO has_procedure
Yes i used this guide to set it up. https://www.digitalocean.com/community/tutorials/how-to-install-ejabberd-xmpp-server-on-ubuntu
Great thanks for this link Otto.
Tested mga4 and 3 all arch no problems found,i validate this update. Can sysadmin push it to updates.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0417.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/617973/
*** Bug 19804 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
*** Bug 20294 has been marked as a duplicate of this bug. ***
There exists a Roster bug in 2.2.13 handling standard XEP-0321. A patch for this exists for ejabberd 2.2.11 to correct the bad mod_roster behavior, but not 2.2.13. Can the patch be rediffed to fix the problem.
Please file a new bug for this issue with a link to the patch and we will try to fix it. Thanks.