Control: retitle -1 jabberd2: CVE-2017-10807: allows anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled
Control: tags -1 + upstream fixed-upstream

Hi

On Mon, Jul 03, 2017 at 02:35:45PM +0000, Sergey Korobitsin wrote:
> Package: jabberd2
> Version: 2.4.0-3
> Severity: grave
> Tags: security
> Justification: user security hole
>
> During investigation of some issue on my local jabber server
> I've found plenty of records like these in my c2s.log:
>
> Mon Jul 3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c9...@my-server.com 195.208.220.171:55481 TLS
> Mon Jul 3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94c...@my-server.com 62.76.74.249:51574 TLS
> Mon Jul 3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3...@my-server.com 195.208.220.171:55722 TLS
>
> and I did not allow such auth type and usage scenario
> for my server. Latest news on https://github.com/jabberd2/jabberd2/releases
> told me that was a bug, and it's fixed:
>
> https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch
>
> This bug allows unauthorized usage of jabberd2 server installations
> and can possibly lead to a DoS.
>
> I've patched my version of jabberd2 from stable with the patch above,
> and prepared one for Debian.

This issue has been assigned CVE-2017-10807.

Regards,
Salvatore
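As an added example that is not part of this bug report or of jabberd2 itself: the c2s.log records quoted above are the observable symptom of CVE-2017-10807 on a server whose configuration does not enable SASL ANONYMOUS, so a short log check is the quickest way for an operator to confirm whether a deployment was affected before the patched build was installed. The line shape (date, [notice], [connection id], mechanism, "authentication succeeded:", JID, ip:port, optional TLS) is taken from the report; the sample log, hostnames, IP addresses, the PLAIN line and the unrelated notice line are all constructed for the example.

```python
import re
from collections import Counter

# Regex for the c2s.log line shape shown in the report. Only the shape comes
# from the report; the field names are this example's own.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<level>\w+)\] \[(?P<conn>\d+)\] "
    r"(?P<mech>[A-Z0-9-]+) authentication succeeded: "
    r"(?P<jid>\S+) (?P<ip>[0-9.]+):(?P<port>\d+)(?: (?P<tls>TLS))?$"
)


def parse_auth_success(line):
    """Return the fields of a successful-authentication notice, or None
    for any other line (the parser only cares about this one record type)."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def unexpected_anonymous(lines, anonymous_allowed=False):
    """Collect events where SASL ANONYMOUS succeeded although the server
    configuration does not permit it: the CVE-2017-10807 symptom.
    anonymous_allowed mirrors the operator's own c2s configuration."""
    hits = []
    for line in lines:
        ev = parse_auth_success(line)
        if ev is None:
            continue
        if ev["mech"] == "ANONYMOUS" and not anonymous_allowed:
            hits.append(ev)
    return hits


def sources_by_count(events):
    """Rank source addresses by number of unexpected anonymous logins,
    which is what an operator would feed into firewall or abuse handling."""
    return Counter(ev["ip"] for ev in events).most_common()


# Constructed sample log: documentation-range IPs and an example domain,
# not data from the report. The PLAIN line and the unrelated notice exist
# only to show that the detector ignores them.
SAMPLE_LOG = """\
Mon Jul 3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: 0f2c9a7e3b1d4c6a8e5f0b2d9c3a1e7f@xmpp.example.org 198.51.100.23:55481 TLS
Mon Jul 3 20:06:40 2017 [notice] [151] PLAIN authentication succeeded: alice@xmpp.example.org 203.0.113.8:40112 TLS
Mon Jul 3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: 7a4d2e9b1c0f3a6d5e8b2c4f1a9d7e3b@xmpp.example.org 192.0.2.77:51574 TLS
Mon Jul 3 20:07:30 2017 [notice] [167] some other notice that the parser ignores
Mon Jul 3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 3c1e8f4a9b2d6c0e7a5f1d3b8c2a4e9f@xmpp.example.org 198.51.100.23:55722
"""


if __name__ == "__main__":
    events = unexpected_anonymous(SAMPLE_LOG.splitlines())
    for ev in events:
        print(f'{ev["ts"]} conn={ev["conn"]} {ev["jid"]} from {ev["ip"]}:{ev["port"]} tls={ev["tls"]}')
    print("by source:", sources_by_count(events))
```

Run it against a real c2s.log with anonymous_allowed set to match the server's configuration; any hit on a server that never enabled SASL ANONYMOUS indicates the unpatched behaviour described in the report, and the per-source ranking gives the addresses to review.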