[Pkg-xmpp-devel] Bug#867032: jabberd2 allowing anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled
Salvatore Bonaccorso
carnil at debian.org
Tue Jul 4 14:34:53 UTC 2017
Control: retitle -1 jabberd2: CVE-2017-10807: allows anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled
Control: tags -1 + upstream fixed-upstream
Hi
On Mon, Jul 03, 2017 at 02:35:45PM +0000, Sergey Korobitsin wrote:
> Package: jabberd2
> Version: 2.4.0-3
> Severity: grave
> Tags: security
> Justification: user security hole
>
> During investigation of some issue on my local jabber server
> I've found plenty of records like these in my c2s.log:
>
> Mon Jul 3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c92da at my-server.com 195.208.220.171:55481 TLS
> Mon Jul 3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94cf9a at my-server.com 62.76.74.249:51574 TLS
> Mon Jul 3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3fb5 at my-server.com 195.208.220.171:55722 TLS
>
> and I did not allow such auth type and usage scenario
> for my server. Latest news on https://github.com/jabberd2/jabberd2/releases
> told me that this was a bug, and it's fixed:
>
> https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch
>
> This bug allows unauthorized usage of jabberd2 server installations
> and can possibly lead to a DoS.
>
> I've patched my version of jabberd2 from stable with the patch above,
> and prepared one for Debian.
This issue has been assigned CVE-2017-10807.
Regards,
Salvatore
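As an added example (not part of this bug report, nor of jabberd2 itself), the following Python script turns the indicator from the report, "ANONYMOUS authentication succeeded" lines in c2s.log on a server whose operator never enabled anonymous auth, into a small log audit. The sample lines are constructed from the excerpt above; the list archive rewrote `@` as ` at ` in the JIDs, so the parser accepts both forms. The PLAIN line, the `anonymous_allowed` flag (standing in for whatever the operator's c2s configuration actually permits) and all function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the c2s.log excerpt in the bug report.
# Real c2s.log lines carry "user@domain"; the mailing-list archive shows " at ".
# The PLAIN line is an assumed, legitimate login used as a control.
SAMPLE_LOG = """\
Mon Jul 3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c92da@my-server.com 195.208.220.171:55481 TLS
Mon Jul 3 20:06:40 2017 [notice] [152] PLAIN authentication succeeded: alice@my-server.com 10.0.0.5:40212 TLS
Mon Jul 3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94cf9a at my-server.com 62.76.74.249:51574 TLS
Mon Jul 3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3fb5@my-server.com 195.208.220.171:55722 TLS
"""

# One successful-authentication line: timestamp, level, session id, SASL
# mechanism, JID (user@domain or "user at domain"), client address and port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<level>\w+)\] \[(?P<sess>\d+)\] "
    r"(?P<mech>[A-Z0-9-]+) authentication succeeded: "
    r"(?P<user>\S+)(?:@| at )(?P<domain>\S+) "
    r"(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)"
)


def parse_line(line):
    """Parse one c2s.log success line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sess"] = int(rec["sess"])
    rec["port"] = int(rec["port"])
    return rec


def audit_anonymous(log_text, anonymous_allowed=False):
    """Return every successful ANONYMOUS login that violates the stated policy.

    anonymous_allowed is an assumed stand-in for the operator's intent: on a
    server where anonymous auth is disabled, any such line is evidence of the
    bug fixed upstream (CVE-2017-10807) being exercised, or of a config drift.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["mech"] != "ANONYMOUS":
            continue
        if not anonymous_allowed:
            findings.append(rec)
    return findings


def sources(findings):
    """Count findings per client IP, which is what an operator blocks or reports."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = audit_anonymous(SAMPLE_LOG, anonymous_allowed=False)
    for h in hits:
        print(f'{h["ts"]} session {h["sess"]}: anonymous login from {h["ip"]}:{h["port"]}')
    print("per source:", dict(sources(hits)))
```

Run it against a real c2s.log (`audit_anonymous(open("/var/log/jabberd2/c2s.log").read())`, path assumed) after confirming anonymous auth is disabled in the server's configuration; an empty result on an unpatched 2.4.0 server only means nobody has tried yet, so the actual remedy is still the upstream patch the report links to.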