Allows SSLv2 and weak ciphers

Bug #1239307 reported by Felix Geyer
Affects            | Status       | Importance | Assigned to | Milestone
ejabberd (Ubuntu)  | Fix Released | Undecided  | Unassigned  |
Lucid              | Won't Fix    | Undecided  | Unassigned  |
Precise            | Fix Released | Undecided  | Unassigned  |
Quantal            | Fix Released | Undecided  | Unassigned  |
Raring             | Fix Released | Undecided  | Unassigned  |
Saucy              | Fix Released | Undecided  | Unassigned  |

Bug Description

ejabberd allows connections through SSLv2 and weak ciphers.
It's not possible to change this in the configuration file.

Upstream has fixed this in v2.1.12:
https://github.com/processone/ejabberd/commit/e06c1c49c14c3f56cf4ddae080514f7802669335
https://github.com/processone/ejabberd/commit/d2d51381ec3fea97d0bd968cd7ffed2364b644c6

Felix Geyer (debfx) wrote :

debdiff for precise

Felix Geyer (debfx) wrote :

debdiff for quantal

Felix Geyer (debfx) wrote :

debdiff for raring

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 2.1.10-5ubuntu1

---------------
ejabberd (2.1.10-5ubuntu1) saucy; urgency=low

  * Disable SSLv2 and weak ciphers in the TLS driver.
    - debian/patches/disable-ssl2.patch, patch from Debian
    - debian/patches/disable-insecure-ssl-cyphers.patch, patch from Debian
    - LP: #1239307
 -- Felix Geyer <email address hidden> Sun, 13 Oct 2013 11:58:44 +0200

Changed in ejabberd (Ubuntu Saucy):
status: New → Fix Released
Felix Geyer (debfx) wrote :

CVE-2013-6169 has been assigned for this so it'd make sense to include it in the changelog if it's going to end up in the archive.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 2.1.10-4ubuntu0.1

---------------
ejabberd (2.1.10-4ubuntu0.1) raring-security; urgency=low

  * SECURITY UPDATE: Disable SSLv2 and weak ciphers in the TLS driver.
    (LP: #1239307)
    - debian/patches/disable-ssl2.patch, patch from Debian
    - debian/patches/disable-insecure-ssl-cyphers.patch, patch from Debian
    - CVE-2013-6169
 -- Felix Geyer <email address hidden> Sun, 13 Oct 2013 13:23:27 +0200

Changed in ejabberd (Ubuntu Raring):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 2.1.10-2ubuntu1.2

---------------
ejabberd (2.1.10-2ubuntu1.2) precise-security; urgency=low

  * SECURITY UPDATE: Disable SSLv2 and weak ciphers in the TLS driver.
    (LP: #1239307)
    - debian/patches/disable-ssl2.patch, patch from Debian
    - debian/patches/disable-insecure-ssl-cyphers.patch, patch from Debian
    - CVE-2013-6169
 -- Felix Geyer <email address hidden> Sun, 13 Oct 2013 13:21:31 +0200

Changed in ejabberd (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 2.1.10-3ubuntu0.1

---------------
ejabberd (2.1.10-3ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: Disable SSLv2 and weak ciphers in the TLS driver.
    (LP: #1239307)
    - debian/patches/disable-ssl2.patch, patch from Debian
    - debian/patches/disable-insecure-ssl-cyphers.patch, patch from Debian
    - CVE-2013-6169
 -- Felix Geyer <email address hidden> Sun, 13 Oct 2013 15:31:57 +0200

Changed in ejabberd (Ubuntu Quantal):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Felix!

Changed in ejabberd (Ubuntu Lucid):
status: New → Won't Fix
This report contains Public Security information: everyone can see this security-related information.