diff -u ejabberd-2.1.10/debian/changelog ejabberd-2.1.10/debian/changelog
--- ejabberd-2.1.10/debian/changelog
+++ ejabberd-2.1.10/debian/changelog
@@ -1,3 +1,12 @@
+ejabberd (2.1.10-4ubuntu0.1) raring-security; urgency=low
+
+ * SECURITY UPDATE: Disable SSLv2 and weak ciphers in the TLS driver.
+ - debian/patches/disable-ssl2.patch, patch from Debian
+ - debian/patches/disable-insecure-ssl-cyphers.patch, patch from Debian
+ - LP: #1239307
+
+ -- Felix Geyer Sun, 13 Oct 2013 13:23:27 +0200
+
 ejabberd (2.1.10-4) unstable; urgency=low
 
 [ Konstantin Khomoutov ]
diff -u ejabberd-2.1.10/debian/control ejabberd-2.1.10/debian/control
--- ejabberd-2.1.10/debian/control
+++ ejabberd-2.1.10/debian/control
@@ -1,7 +1,8 @@
 Source: ejabberd
 Section: net
 Priority: optional
-Maintainer: Konstantin Khomoutov
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Konstantin Khomoutov
 Uploaders: Gerfried Fuchs
 Build-Depends: debhelper (>= 7.3~), quilt, erlang-base, erlang-asn1, erlang-parsetools, erlang-dev (>= 1:15.b), libexpat1-dev, libssl-dev, zlib1g-dev, libpam0g-dev, po-debconf
 Standards-Version: 3.9.2
diff -u ejabberd-2.1.10/debian/patches/series ejabberd-2.1.10/debian/patches/series
--- ejabberd-2.1.10/debian/patches/series
+++ ejabberd-2.1.10/debian/patches/series
@@ -9,0 +10,2 @@
+disable-ssl2.patch
+disable-insecure-ssl-cyphers.patch
only in patch2: unchanged:
--- ejabberd-2.1.10.orig/debian/patches/disable-ssl2.patch
+++ ejabberd-2.1.10/debian/patches/disable-ssl2.patch
@@ -0,0 +1,36 @@
+Description: Disable SSLv2 in the TLS driver
+ SSL 2.0 is not used anywhere as it has security problems.
+ Disable it unconditionally both in server and client mode.
+ This does not disable support for SSL 2.0 compatible client
+ hello which still will be accepted in the server mode.
+ .
+ This patch is a backport of changes introduced by the commit
+ e06c1c49c14c3f56cf4ddae080514f7802669335 in the upstream Git repository
+ to the ejabberd code base as of version 2.1.12.
+Author: Janusz Dziemidowicz
+Forwarded: not-needed
+Last-Update: 2013-09-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/tls/tls_drv.c
++++ b/src/tls/tls_drv.c
+@@ -354,6 +354,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+ res = SSL_CTX_check_private_key(ctx);
+ die_unless(res > 0, "SSL_CTX_check_private_key failed");
+
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
++
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_default_verify_paths(ctx);
+ #ifdef SSL_MODE_RELEASE_BUFFERS
+@@ -386,10 +388,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+ SSL_set_bio(d->ssl, d->bio_read, d->bio_write);
+
+ if (command == SET_CERTIFICATE_FILE_ACCEPT) {
+- SSL_set_options(d->ssl, SSL_OP_NO_TICKET);
+ SSL_set_accept_state(d->ssl);
+ } else {
+- SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+ SSL_set_connect_state(d->ssl);
+ }
+ break;
only in patch2: unchanged:
--- ejabberd-2.1.10.orig/debian/patches/disable-insecure-ssl-cyphers.patch
+++ ejabberd-2.1.10/debian/patches/disable-insecure-ssl-cyphers.patch
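Review bot: In disable-ssl2.patch, the added `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);` turns off only SSLv2, so SSLv3 can still be negotiated in both accept and connect mode. If no supported peer depends on SSLv3, the mask should be extended: `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);`. A one-line comment above the call, such as `/* Options set on the context are inherited by every SSL object created from it. */`, would record why the two per-connection `SSL_set_options` calls removed in the second hunk are no longer needed. Both hunks sit inside `tls_drv_control`, whose body starts and ends outside the visible lines, so it cannot be confirmed here that every `d->ssl` is created from a context that went through this code path.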
@@ -0,0 +1,34 @@
+Description: Disable old and insecure cyphers in TLS driver
+ Disabled:
+ * Export ciphers - broken by design, 40 and 56 bit encryption.
+ * Low encryption ciphers - 56 and 64 bit encryption.
+ * SSLv2 ciphers - some ciphers using MD5 MAC.
+ .
+ This patch is a backport of changes introduced by the commit
+ d2d51381ec3fea97d0bd968cd7ffed2364b644c6 in the upstream Git repository
+ to the ejabberd code base as of version 2.1.12.
+Author: Janusz Dziemidowicz
+Forwarded: not-needed
+Last-Update: 2013-09-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/tls/tls_drv.c
++++ b/src/tls/tls_drv.c
+@@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t;
+ #define SSL_OP_NO_TICKET 0
+ #endif
+
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++
+ /*
+ * R15B changed several driver callbacks to use ErlDrvSizeT and
+ * ErlDrvSSizeT typedefs instead of int.
+@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
+
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+
++ SSL_CTX_set_cipher_list(ctx, CIPHERS);
++
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_default_verify_paths(ctx);
+ #ifdef SSL_MODE_RELEASE_BUFFERS
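Review bot: In disable-insecure-ssl-cyphers.patch, the result of the added `SSL_CTX_set_cipher_list(ctx, CIPHERS);` is discarded, although OpenSSL returns 0 from that call when no cipher in the string can be selected, so a failure to apply the restriction would pass silently. The same function already guards `SSL_CTX_check_private_key` with `die_unless`, so the new call should follow that pattern: `res = SSL_CTX_set_cipher_list(ctx, CIPHERS);` then `die_unless(res > 0, "SSL_CTX_set_cipher_list failed");`. The `CIPHERS` define would also benefit from a comment such as `/* DEFAULT minus export-grade, LOW-strength and SSLv2 suites */`. It may be worth checking whether DEFAULT in the linked OpenSSL still includes RC4 suites. `tls_drv_control` starts and ends outside the hunk.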