Activity log for bug #1747893

Date Who What changed Old value New value Message
2018-02-07 11:35:30 Eugene Crosser bug added bug
2018-02-07 11:35:54 Eugene Crosser information type Private Security Public Security
2018-02-07 11:37:16 Eugene Crosser bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867032
2018-02-07 11:37:16 Eugene Crosser bug task added debian
2018-02-07 11:37:50 Eugene Crosser cve linked 2017-10807
2018-02-07 11:47:12 Eugene Crosser description

Old value:

Xenial 16.04.3 LTS ships with jabberd2 version 2.3.4-1ubuntu2 (as of this report). This version is vulnerable to CVE-2017-10807, namely it allows "anonymous" SASL authentication even when that option is switched off in the configuration:

```
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: 097569a80f3845d6f94a102ca0222249fec72c91@average.org ::ffff:194.226.137.229:56570 TLS
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: 369e2c61a89bad270f56e2c0cac4f01c9d0ab88e@average.org ::ffff:194.226.137.229:56589 TLS
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication succeeded: b15ccb46d7197298474fb8d923701271f34b0fb2@average.org ::ffff:194.226.137.229:56592 TLS
Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: 3105c6b061a13e9e24bc72ff51f2c2f127d4220d@average.org ::ffff:194.226.137.229:56611 TLS
```

There is Debian bug #867032 for this vulnerability. Current upstream versions of jabberd2 are not vulnerable; in particular version 2.6.1-1 that ships with artful is _probably_ not vulnerable, so this report only applies to the LTS release.

New value:

Same text as the old value, with the following line appended:

Apparently fixed by this upstream commit: https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16
2018-02-07 11:50:32 Eugene Crosser bug task added jabberd2 (Ubuntu)
2018-02-07 13:16:14 Bug Watch Updater debian: status Unknown Fix Released
2018-02-07 15:52:32 Steve Beattie jabberd2: status New Incomplete
2018-02-07 15:52:33 Steve Beattie jabberd2 (Ubuntu): status New Incomplete
2018-02-07 15:54:07 Steve Beattie nominated for series Ubuntu Trusty
2018-02-07 15:54:07 Steve Beattie bug task added jabberd2 (Ubuntu Trusty)
2018-02-07 15:54:07 Steve Beattie nominated for series Ubuntu Xenial
2018-02-07 15:54:07 Steve Beattie bug task added jabberd2 (Ubuntu Xenial)
2018-02-07 15:54:24 Steve Beattie jabberd2 (Ubuntu): status Incomplete Fix Released
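As an added example (not part of the bug report, the activity log, or the jabberd2 project), the following Python script turns the reporter's observation into a detection check: it parses jabberd2 c2s "authentication succeeded" log lines in the format quoted in the description and flags every login that used a SASL mechanism the server is not configured to offer, then counts flagged logins per client address. It generalises beyond ANONYMOUS: the caller supplies the set of mechanisms their own c2s configuration is meant to offer, and the script does not read c2s.xml. The sample log is constructed: the four ANONYMOUS lines are the ones quoted in the report, the PLAIN line and the "session started" line are made up for this example, and the log-line format for non-ANONYMOUS mechanisms is assumed to match the ANONYMOUS one.

```python
"""Flag SASL logins a jabberd2 c2s server should not have accepted.

Added example for the bug report above; not code from the report or from
the jabberd2 project. It parses c2s "authentication succeeded" log lines and
reports every login whose mechanism is absent from the caller-supplied set of
mechanisms the server is configured to offer (e.g. ANONYMOUS when anonymous
logins are switched off in the configuration, the CVE-2017-10807 symptom).
"""
import re
from collections import Counter

# Constructed sample log. The four ANONYMOUS lines are the ones quoted in the
# bug report; the PLAIN line and the "session started" line are made up for
# this example, and the line format for non-ANONYMOUS mechanisms is assumed
# to match the ANONYMOUS one.
SAMPLE_LOG = """\
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: 097569a80f3845d6f94a102ca0222249fec72c91@average.org ::ffff:194.226.137.229:56570 TLS
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: 369e2c61a89bad270f56e2c0cac4f01c9d0ab88e@average.org ::ffff:194.226.137.229:56589 TLS
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication succeeded: b15ccb46d7197298474fb8d923701271f34b0fb2@average.org ::ffff:194.226.137.229:56592 TLS
Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: 3105c6b061a13e9e24bc72ff51f2c2f127d4220d@average.org ::ffff:194.226.137.229:56611 TLS
Feb 06 13:35:02 dehost jabberd/c2s[2662]: [72] PLAIN authentication succeeded: alice@average.org ::ffff:10.0.0.7:41022 TLS
Feb 06 13:35:03 dehost jabberd/c2s[2662]: [72] session started
"""

# Line shape, as seen in the report:
# "<Mon DD HH:MM:SS> <host> jabberd/c2s[<pid>]: [<fd>] <MECH> authentication succeeded: <jid> <addr>[ TLS]"
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"jabberd/c2s\[(?P<pid>\d+)\]: \[(?P<fd>\d+)\] "
    r"(?P<mech>[A-Z0-9-]+) authentication succeeded: "
    r"(?P<jid>\S+) (?P<addr>\S+)(?: (?P<tls>TLS))?$"
)


def split_addr(addr):
    """Split 'host:port' as c2s logs it; IPv4 clients show up as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    host, _, port = addr.rpartition(":")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host, int(port)


def parse_auth_line(line):
    """Return a dict for an auth-success line, or None for any other line."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ip, port = split_addr(m.group("addr"))
    return {
        "ts": m.group("ts"),
        "fd": int(m.group("fd")),
        "mech": m.group("mech"),
        "jid": m.group("jid"),
        "ip": ip,
        "port": port,
        "tls": m.group("tls") is not None,
    }


def unexpected_logins(log_text, allowed_mechs):
    """Return auth-success events whose mechanism is not in allowed_mechs.

    allowed_mechs is the set of SASL mechanisms the operator's c2s
    configuration is meant to offer. A successful login with any other
    mechanism means the server accepted something it was told not to.
    """
    allowed = {m.upper() for m in allowed_mechs}
    events = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is not None and ev["mech"] not in allowed:
            events.append(ev)
    return events


def by_source(events):
    """Count flagged logins per client IP, to spot one host minting many sessions."""
    return Counter(ev["ip"] for ev in events)


if __name__ == "__main__":
    # The reporter's server had anonymous logins switched off; treating PLAIN
    # as the only expected mechanism is an assumption made for this example.
    hits = unexpected_logins(SAMPLE_LOG, allowed_mechs={"PLAIN"})
    for ev in hits:
        print(f"{ev['ts']} fd={ev['fd']} {ev['mech']} {ev['jid']} "
              f"from {ev['ip']}:{ev['port']} tls={ev['tls']}")
    for ip, n in by_source(hits).most_common():
        print(f"{ip}: {n} unexpected login(s)")
```

Run it against a real c2s log by replacing SAMPLE_LOG with the file contents and setting allowed_mechs to whatever your c2s configuration actually offers; any hit is a mechanism the server accepted despite the configuration, and repeated hits from one address, as in the report's four lines from a single client, are the pattern to alert on.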