Comment 0 for bug 1747893

Xenial 16.04.3 LTS ships with jabberd2 version 2.3.4-1ubuntu2 (as of this report). This version is vulnerable to CVE-2017-10807, namely it allows "anonymous" SASL authentication even when that option is switched off in the configuration:

```
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56570 TLS
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56589 TLS
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56592 TLS
Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56611 TLS
```

There is Debian bug #867032 for this vulnerability.

Current upstream versions of jabberd2 are not vulnerable; in particular version 2.6.1-1 that ships with artful is _probably_ not vulnerable, so this report only applies to the LTS release.