Debian Bug report logs - #722105
ejabberd: disable SSLv2 and weak ciphers


Package: ejabberd; Maintainer for ejabberd is Konstantin Khomoutov <flatworm@users.sourceforge.net>; Source for ejabberd is src:ejabberd.

Reported by: Christian Hofstaedtler <christian@hofstaedtler.name>

Date: Sun, 8 Sep 2013 00:03:02 UTC

Severity: serious

Tags: fixed-upstream, security

Fixed in version ejabberd/2.1.11-1

Done: Gerfried Fuchs <rhonda@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Konstantin Khomoutov <flatworm@users.sourceforge.net>:
Bug#722105; Package ejabberd. (Sun, 08 Sep 2013 00:03:06 GMT)

Acknowledgement sent to Christian Hofstaedtler <christian@hofstaedtler.name>:
New Bug report received and forwarded. Copy sent to Konstantin Khomoutov <flatworm@users.sourceforge.net>. (Sun, 08 Sep 2013 00:03:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Christian Hofstaedtler <christian@hofstaedtler.name>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ejabberd: New version 2.1.13 available
Date: Sun, 08 Sep 2013 01:46:37 +0200
Package: ejabberd
Severity: wishlist

Dear Maintainer,

Upstream has released new versions; 2.1.12 has important changes to the
SSL/TLS driver, disabling broken SSLv2 and export ciphers.

Thank you,
C.



Information forwarded to debian-bugs-dist@lists.debian.org, Konstantin Khomoutov <flatworm@users.sourceforge.net>:
Bug#722105; Package ejabberd. (Sun, 08 Sep 2013 14:21:12 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Konstantin Khomoutov <flatworm@users.sourceforge.net>. (Sun, 08 Sep 2013 14:21:12 GMT)

Message #10 received at 722105@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 722105@bugs.debian.org
Cc: control@bugs.debian.org, team@security.debian.org
Subject: Re: ejabberd: New version 2.1.13 available
Date: Sun, 8 Sep 2013 16:19:17 +0200
severity 722105 serious
tags 722105 security
thanks

Having SSLv2 enabled is not acceptable for a server in Debian, especially
since it apparently cannot be disabled by user configuration. Please
ensure that >= 2.1.12 enters the archive.

Also, can you investigate whether the relevant changes:
- Disable old and unsecure ciphers in TLS driver
- Disable SSL 2.0 in TLS driver
are suitable for squeeze and wheezy?


thanks,
Thijs
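
The two properties Thijs asks for, SSL 2.0 off and no export or low-strength ciphers, are the things an administrator should verify on any TLS listener, whatever the software. The Python below is an added example for this bug log; it is not code from ejabberd or from the Debian package. It audits an `ssl.SSLContext` for those two properties, using a minimum-protocol floor of TLS 1.2 and a 128-bit symmetric-strength floor (both assumptions chosen here, not values from the report). Python's `ssl` module on current OpenSSL cannot speak SSLv2 at all, so the legacy-protocol check is expressed through `minimum_version` rather than through the old `OP_NO_SSLv2` flag, which is a no-op on such builds. The sample cipher list used for the offline check is constructed for the example.

```python
import ssl

# Assumption for this example: nothing older than TLS 1.2 may be negotiated.
REQUIRED_MINIMUM = ssl.TLSVersion.TLSv1_2
# Assumption for this example: symmetric strength below 128 bits is "weak".
# Export-grade (40/56-bit) and LOW-grade suites sit far below this floor.
MIN_STRENGTH_BITS = 128


def classify_ciphers(ciphers):
    """Return the names of cipher suites a server should not offer.

    `ciphers` is a list of dicts shaped like SSLContext.get_ciphers()
    output; only the "name" and "strength_bits" keys are consulted.
    A suite is flagged if it is export-grade, uses RC4 or a NULL
    cipher/auth, or has a symmetric strength under MIN_STRENGTH_BITS.
    """
    weak = []
    for c in ciphers:
        name = c["name"]
        if (
            name.startswith("EXP")
            or "RC4" in name
            or "NULL" in name
            or c["strength_bits"] < MIN_STRENGTH_BITS
        ):
            weak.append(name)
    return weak


def audit_context(ctx):
    """Audit a live SSLContext for the two findings raised in the bug."""
    return {
        "legacy_protocols_allowed": ctx.minimum_version < REQUIRED_MINIMUM,
        "weak_ciphers": classify_ciphers(ctx.get_ciphers()),
    }


def hardened_server_context():
    """Server context with the protocol floor and cipher filter applied.

    HIGH keeps suites with >=128-bit keys; the exclusions drop anonymous,
    NULL, MD5, RC4 and 3DES suites so that nothing under the floor remains
    on any OpenSSL build. No certificate is loaded: the context is only
    audited, never used for a handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = REQUIRED_MINIMUM
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


# Constructed sample (not taken from any real server): what a pre-2.1.12
# style "everything enabled" offer could look like, as get_ciphers() dicts.
SAMPLE_LEGACY_OFFER = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
]


if __name__ == "__main__":
    print("constructed legacy offer, weak suites:",
          classify_ciphers(SAMPLE_LEGACY_OFFER))
    print("hardened context:", audit_context(hardened_server_context()))
```

The classifier is kept separate from the context wiring so it can be run over a cipher list captured from any server (for example the output of a scanner that reports `strength_bits`), while `audit_context` covers the case where you hold the configuration object itself. For ejabberd 2.1.11 the report's point is exactly that no such configuration hook existed, which is why the fix had to land in the TLS driver rather than in `ejabberd.cfg`.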



Severity set to 'serious' from 'wishlist' Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Sun, 08 Sep 2013 14:21:15 GMT)

Added tag(s) security. Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Sun, 08 Sep 2013 14:21:16 GMT)

Bug 722105 cloned as bug 722478 Request was from Jonathan Wiltshire <jmw@tiger-computing.co.uk> to control@bugs.debian.org. (Wed, 11 Sep 2013 14:12:25 GMT)

Changed Bug title to 'ejabberd: disable SSLv2 and weak ciphers' from 'ejabberd: New version 2.1.13 availabe' Request was from Jonathan Wiltshire <jmw@tiger-computing.co.uk> to control@bugs.debian.org. (Wed, 11 Sep 2013 14:18:07 GMT)

Bug 722105 cloned as bugs 724992, 724993 Request was from Konstantin Khomoutov <flatworm@users.sourceforge.net> to control@bugs.debian.org. (Mon, 30 Sep 2013 09:54:07 GMT)

Added tag(s) fixed-upstream. Request was from Konstantin Khomoutov <flatworm@users.sourceforge.net> to control@bugs.debian.org. (Mon, 30 Sep 2013 09:54:19 GMT)

Added tag(s) pending. Request was from Konstantin Khomoutov <flatworm@users.sourceforge.net> to control@bugs.debian.org. (Mon, 30 Sep 2013 09:54:20 GMT)

Reply sent to Gerfried Fuchs <rhonda@debian.org>:
You have taken responsibility. (Wed, 23 Oct 2013 06:36:13 GMT)

Notification sent to Christian Hofstaedtler <christian@hofstaedtler.name>:
Bug acknowledged by developer. (Wed, 23 Oct 2013 06:36:13 GMT)

Message #29 received at 722105-close@bugs.debian.org:

From: Gerfried Fuchs <rhonda@debian.org>
To: 722105-close@bugs.debian.org
Subject: Bug#722105: fixed in ejabberd 2.1.11-1
Date: Wed, 23 Oct 2013 06:33:35 +0000
Source: ejabberd
Source-Version: 2.1.11-1

We believe that the bug you reported is fixed in the latest version of
ejabberd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722105@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerfried Fuchs <rhonda@debian.org> (supplier of updated ejabberd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 17 Oct 2013 12:57:47 +0200
Source: ejabberd
Binary: ejabberd
Architecture: source amd64
Version: 2.1.11-1
Distribution: unstable
Urgency: low
Maintainer: Konstantin Khomoutov <flatworm@users.sourceforge.net>
Changed-By: Gerfried Fuchs <rhonda@debian.org>
Description: 
 ejabberd   - distributed, fault-tolerant Jabber/XMPP server written in Erlang
Closes: 654853 664034 670307 706590 708151 722105
Changes: 
 ejabberd (2.1.11-1) unstable; urgency=low
 .
   [ Konstantin Khomoutov ]
   * New upstream release (closes: #654853).
   * Update mod_admin_extra module to revision 1126.
   * Provide custom implementation of xmerl_regexp:sh_to_awk/1
     (closes: #670307).
   * Refresh reopen-log.patch
   * Add use_dpkg_buildflags.patch (thanks to Simon Ruderich,
     closes: #664034).
   * Explain the "fqdn" configuration file option which has to be used
     in certain setups for the SCRAM-SHA-1 to work with complying clients.
     Mention this fact in the NEWS file. (Closes: #706590)
   * Add upstream patch fixing incorrect escaping of a single quote character
     in SQL queries generated by the ODBC storage backend (closes: #708151,
     thanks to Vladislav Chugunov).
 .
   [ Gerfried Fuchs ]
   * Add upstream patches disabling SSLv2 and weak cyphers in TLS driver
     (closes: #722105).
   * New upstream release made these patches obsolete:
     relax-digest-uri-handling.patch, fix-parsing-split-https-requests.patch,
     fix-odbc-escaping.patch
Checksums-Sha1: 
 c7a6e14c8cab5884363c51df3e857e83bdbbc48f 1417 ejabberd_2.1.11-1.dsc
 538a4724f1d2c7c9c064b42b91042b08c2235d44 10655030 ejabberd_2.1.11-1.tar.gz
 ec2d31713da947181a58c164d45b7955d6e60cc0 1487404 ejabberd_2.1.11-1_amd64.deb
Checksums-Sha256: 
 79dc6d9ef471d3fbda2af77c1bb05ae1c630f4fc18371368164a73dc1ceb8881 1417 ejabberd_2.1.11-1.dsc
 f79efa857647779523e1a2614db6a26a66c63a20c085d148dca4d6c7a2e91cd5 10655030 ejabberd_2.1.11-1.tar.gz
 95b81a0625267ae1c706d10aca12cdb2b83370c594fc0f2d6a4ed87048770687 1487404 ejabberd_2.1.11-1_amd64.deb
Files: 
 29217f8b6cf65335ac249cd40affefe1 1417 net optional ejabberd_2.1.11-1.dsc
 f7c24d8af747db19ee61dae48647c411 10655030 net optional ejabberd_2.1.11-1.tar.gz
 1cb071a479c3049231e09d05ba9a4b2f 1487404 net optional ejabberd_2.1.11-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQEcBAEBCAAGBQJSZ2W8AAoJEDH85+fdB5RhYf8H/AxIIKufPyy5t/FBStdDg5YV
eEsd1jY7rmla6gWB2Wm2unerT3kep+eQ/yw1bVr5d60URhRlvsOem4bRvQ/F4VUx
sf4Zg4FHW0BzRDMkRM3FEeQ0nbcmxNqXN3+pgVqAKsXYveQKBSWmLJBBrTzX2FM0
Z10bXC0edsuQaRGZaZnBH+v5TExViQXCGHvb9f1ecx4nUdaVxlGd4yqVcPzWzLOi
u4pq0oPz/oDnHkfzimqS54m4RPRSzWT67dnaKw9HXT28DnPNXCNgrWW2uAJp7mmQ
0rnLEBeET+jvqs2Xhg63P7zoqrKCuEuPKExMXQtihfG+BkCb9ee4ZLdWygpSC7E=
=xxCQ
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Dec 2013 07:25:43 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:51:21 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.