group.of.nepali.translators team mailing list archive

[Bug 1747893] Re: jabberd2 before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled

 

Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Changed in: jabberd2
       Status: New => Incomplete

** Changed in: jabberd2 (Ubuntu)
       Status: New => Incomplete

** Also affects: jabberd2 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: jabberd2 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: jabberd2 (Ubuntu)
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1747893

Title:
  jabberd2 before 2.6.1 allows anyone to authenticate using SASL
  ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled

Status in Jabberd:
  Incomplete
Status in jabberd2 package in Ubuntu:
  Fix Released
Status in jabberd2 source package in Trusty:
  New
Status in jabberd2 source package in Xenial:
  New
Status in Debian:
  Fix Released

Bug description:
  Xenial 16.04.3 LTS ships with jabberd2 version 2.3.4-1ubuntu2 (as of
  this report). This version is vulnerable to CVE-2017-10807, namely it
  allows "anonymous" SASL authentication even when that option is
  switched off in the configuration:

  ```
  Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: 097569a80f3845d6f94a102ca0222249fec72c91@xxxxxxxxxxx ::ffff:194.226.137.229:56570 TLS
  Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: 369e2c61a89bad270f56e2c0cac4f01c9d0ab88e@xxxxxxxxxxx ::ffff:194.226.137.229:56589 TLS
  Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication succeeded: b15ccb46d7197298474fb8d923701271f34b0fb2@xxxxxxxxxxx ::ffff:194.226.137.229:56592 TLS
  Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: 3105c6b061a13e9e24bc72ff51f2c2f127d4220d@xxxxxxxxxxx ::ffff:194.226.137.229:56611 TLS
  ```

  There is Debian bug #867032 for this vulnerability.

  Current upstream versions of jabberd2 are not vulnerable; in
  particular version 2.6.1-1 that ships with artful is _probably_ not
  vulnerable, so this report only applies to the LTS release.

  Apparently fixed by this upstream commit:
  https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16

To manage notifications about this bug go to:
https://bugs.launchpad.net/jabberd2/+bug/1747893/+subscriptions
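A detection check for the behaviour the report describes, added here as an example and not part of the bug report or of jabberd2 itself: it parses c2s log lines of the shape quoted in the description and flags ANONYMOUS successes that contradict a disabled sasl.anonymous option in c2s.xml, then counts them per remote address for triage. The sample log lines are constructed (documentation addresses, made-up JIDs), and the `sasl_anonymous_enabled` flag is assumed to be read from the deployment's c2s.xml by the caller.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Shape of the c2s "authentication succeeded" lines quoted in the bug report.
C2S_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) jabberd/c2s\[(?P<pid>\d+)\]: "
    r"\[(?P<sid>\d+)\] (?P<mech>[A-Z0-9-]+) authentication succeeded: "
    r"(?P<jid>\S+) (?P<addr>\S+):(?P<port>\d+)(?P<tls> TLS)?$"
)

@dataclass(frozen=True)
class AuthEvent:
    ts: str
    session: int
    mech: str
    jid: str
    ip: str
    port: int
    tls: bool

def parse_c2s_auth(line: str) -> "AuthEvent | None":
    """Parse one c2s 'authentication succeeded' line; None for any other line."""
    m = C2S_AUTH_RE.match(line.strip())
    if not m:
        return None
    ip = m["addr"]
    if ip.startswith("::ffff:"):      # IPv4-mapped IPv6 form, as in the report
        ip = ip[len("::ffff:"):]
    return AuthEvent(m["ts"], int(m["sid"]), m["mech"], m["jid"],
                     ip, int(m["port"]), m["tls"] is not None)

def unexpected_anonymous(lines, sasl_anonymous_enabled: bool) -> list:
    """ANONYMOUS successes that contradict the sasl.anonymous setting in c2s.xml (flag assumed supplied by caller)."""
    if sasl_anonymous_enabled:
        return []                     # anonymous logins are expected; nothing to flag
    events = (parse_c2s_auth(l) for l in lines)
    return [e for e in events if e is not None and e.mech == "ANONYMOUS"]

def by_source_ip(events) -> dict:
    return dict(Counter(e.ip for e in events))   # flagged sessions per remote address

# Constructed sample in the report's format (documentation addresses, made-up JIDs).
SAMPLE_LOG = [
    "Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d@xmpp.example.org ::ffff:198.51.100.7:56570 TLS",
    "Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: f0e1d2c3b4a5968778695a4b3c2d1e0ff0e1d2c3@xmpp.example.org ::ffff:198.51.100.7:56589 TLS",
    "Feb 06 13:34:30 dehost jabberd/c2s[2662]: [70] PLAIN authentication succeeded: alice@xmpp.example.org ::ffff:203.0.113.5:40001 TLS",
    "Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: 123456789abcdef0123456789abcdef012345678@xmpp.example.org ::ffff:198.51.100.9:56611",
]
```

On a host where sasl.anonymous is off, any non-empty result from `unexpected_anonymous` is evidence the c2s daemon is accepting the ANONYMOUS mechanism regardless of configuration, which is the condition the fixed package (2.6.1 and later) removes.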