jabberd2: CVE-2017-10807: allows anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled

Related Vulnerabilities: CVE-2017-10807  

Debian Bug report logs - #867032


Reported by: Sergey Korobitsin <undertaker@arta.kz>

Date: Mon, 3 Jul 2017 15:12:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version jabberd2/2.4.0-3

Fixed in versions jabberd2/2.4.0-3+deb9u1, jabberd2/2.6.1-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>:
Bug#867032; Package jabberd2. (Mon, 03 Jul 2017 15:12:04 GMT)


Acknowledgement sent to Sergey Korobitsin <undertaker@arta.kz>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>. (Mon, 03 Jul 2017 15:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sergey Korobitsin <undertaker@arta.kz>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jabberd2 allowing anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled
Date: Mon, 03 Jul 2017 14:35:45 +0000
Package: jabberd2
Version: 2.4.0-3
Severity: grave
Tags: security
Justification: user security hole

During investigation of some issue on my local jabber server
I've found plenty of records like these in my c2s.log:

Mon Jul  3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c92da@my-server.com 195.208.220.171:55481 TLS
Mon Jul  3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94cf9a@my-server.com 62.76.74.249:51574 TLS
Mon Jul  3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3fb5@my-server.com 195.208.220.171:55722 TLS

and I did not allow such an auth type and usage scenario
for my server. The latest news on https://github.com/jabberd2/jabberd2/releases
told me that it was a bug, and it's fixed:

https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch

This bug allows unauthorized usage of jabberd2 server installations
and can possibly lead to a DoS.

I've patched my version of jabberd2 from stable with the patch above,
and prepared one for Debian.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages jabberd2 depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u1
ii  libdb5.3             5.3.28-12+b1
ii  libexpat1            2.2.0-2+deb9u1
ii  libgsasl7            1.8.0-8+b2
ii  libhttp-parser2.1    2.1-2
ii  libidn11             1.33-1
ii  libldap-2.4-2        2.4.44+dfsg-5
ii  libmariadbclient18   10.1.23-9+deb9u1
ii  libpam0g             1.1.8-3.6
ii  libpq5               9.6.3-3
ii  libsqlite3-0         3.16.2-5
ii  libssl1.0.2          1.0.2l-2
ii  libudns0             0.4-1+b1
ii  zlib1g               1:1.2.8.dfsg-5

jabberd2 recommends no packages.

jabberd2 suggests no packages.

-- no debconf information
[fixed-offered-sasl-mechanism-check.patch (text/plain, attachment)]
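The c2s.log lines in the report are the observable signature of this bug: successful ANONYMOUS logins on a server whose configuration never offered that mechanism. As an added example (not part of the report and not jabberd2 code), the following Python parses c2s.log lines in the format shown above and flags ANONYMOUS successes whenever the operator's configuration says anonymous auth is disabled. The sample input reuses the three lines quoted in the report and adds one constructed DIGEST-MD5 line for contrast; the format of that non-ANONYMOUS line, the `anonymous_enabled` flag and all function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: the three lines quoted in the bug report (a jabberd2 2.4.0 c2s.log
# on a server with anonymous auth NOT enabled) plus one constructed DIGEST-MD5 line.
# The non-ANONYMOUS line is an assumption about the log format for other mechanisms;
# only the ANONYMOUS form is shown on this page.
SAMPLE_C2S_LOG = """\
Mon Jul  3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c92da@my-server.com 195.208.220.171:55481 TLS
Mon Jul  3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94cf9a@my-server.com 62.76.74.249:51574 TLS
Mon Jul  3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3fb5@my-server.com 195.208.220.171:55722 TLS
Mon Jul  3 20:09:00 2017 [notice] [170] DIGEST-MD5 authentication succeeded: alice@my-server.com 192.0.2.10:40000 TLS
"""

# One successful-auth line: timestamp, fd, mechanism, JID, source ip:port, optional TLS flag.
AUTH_OK = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[notice\] \[(?P<fd>\d+)\] "
    r"(?P<mech>[A-Z0-9-]+) authentication succeeded: (?P<jid>\S+) "
    r"(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)(?P<tls> TLS)?$"
)


@dataclass
class AuthEvent:
    timestamp: str
    mechanism: str
    jid: str
    ip: str
    port: int
    tls: bool


def parse_auth_events(log: str) -> List[AuthEvent]:
    """Extract every successful authentication from c2s.log text; other lines are ignored."""
    events = []
    for line in log.splitlines():
        m = AUTH_OK.match(line.strip())
        if m:
            events.append(AuthEvent(m["ts"], m["mech"], m["jid"], m["ip"],
                                    int(m["port"]), m["tls"] is not None))
    return events


def find_unexpected_anonymous(log: str, anonymous_enabled: bool) -> List[AuthEvent]:
    """ANONYMOUS logins that the server configuration says must not happen.

    anonymous_enabled is an assumed flag mirroring whether the operator offered
    SASL ANONYMOUS; if it is True these logins are legitimate and nothing is flagged.
    """
    if anonymous_enabled:
        return []
    return [e for e in parse_auth_events(log) if e.mechanism == "ANONYMOUS"]


def source_ips(events: List[AuthEvent]) -> List[str]:
    """Distinct client addresses behind the flagged logins, for blocking or lookup."""
    return sorted({e.ip for e in events})


if __name__ == "__main__":
    hits = find_unexpected_anonymous(SAMPLE_C2S_LOG, anonymous_enabled=False)
    for e in hits:
        print(f"{e.timestamp} unexpected ANONYMOUS login {e.jid} from {e.ip}:{e.port}")
    print("sources:", ", ".join(source_ips(hits)))
```

The check is deliberately keyed on the operator's own configuration rather than on the mechanism name alone: on a server that legitimately offers ANONYMOUS these lines are normal, and on one that does not, each of them is a session that should never have been created. Note that every flagged login in the report happened over TLS; transport security did nothing here because the flaw is in what the server accepted after the handshake.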

Added tag(s) patch. Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Mon, 03 Jul 2017 15:15:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>:
Bug#867032; Package jabberd2. (Tue, 04 Jul 2017 14:39:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>. (Tue, 04 Jul 2017 14:39:02 GMT)


Message #12 received at 867032@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sergey Korobitsin <undertaker@arta.kz>, 867032@bugs.debian.org
Subject: Re: Bug#867032: jabberd2 allowing anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled
Date: Tue, 4 Jul 2017 16:34:53 +0200
Control: retitle -1 jabberd2: CVE-2017-10807: allows anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled
Control: tags -1 + upstream fixed-upstream

Hi


On Mon, Jul 03, 2017 at 02:35:45PM +0000, Sergey Korobitsin wrote:
> Package: jabberd2
> Version: 2.4.0-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> During investigation of some issue on my local jabber server
> I've found plenty of records like these in my c2s.log:
> 
> Mon Jul  3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c92da@my-server.com 195.208.220.171:55481 TLS
> Mon Jul  3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94cf9a@my-server.com 62.76.74.249:51574 TLS
> Mon Jul  3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3fb5@my-server.com 195.208.220.171:55722 TLS
> 
> and I did not allow such an auth type and usage scenario
> for my server. The latest news on https://github.com/jabberd2/jabberd2/releases
> told me that it was a bug, and it's fixed:
> 
> https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch
> 
> This bug allows unauthorized usage of jabberd2 server installations
> and can possibly lead to a DoS.
> 
> I've patched my version of jabberd2 from stable with the patch above,
> and prepared one for Debian.

This issue has been assigned CVE-2017-10807.

Regards,
Salvatore



Changed Bug title to 'jabberd2: CVE-2017-10807: allows anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled' from 'jabberd2 allowing anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 867032-submit@bugs.debian.org. (Tue, 04 Jul 2017 14:39:02 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to 867032-submit@bugs.debian.org. (Tue, 04 Jul 2017 14:39:03 GMT)


Marked as fixed in versions jabberd2/2.4.0-3+deb9u1. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Sat, 08 Jul 2017 13:33:03 GMT)


Marked as fixed in versions jabberd2/2.6.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Jul 2017 09:06:31 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Jul 2017 09:06:32 GMT)


Notification sent to Sergey Korobitsin <undertaker@arta.kz>:
Bug acknowledged by developer. (Sun, 09 Jul 2017 09:06:33 GMT)


Message sent on to Sergey Korobitsin <undertaker@arta.kz>:
Bug#867032. (Sun, 09 Jul 2017 09:06:38 GMT)


Message #27 received at 867032-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 867032-submitter@bugs.debian.org
Subject: closing 867032
Date: Sun, 09 Jul 2017 11:03:42 +0200
close 867032 2.6.1-1
thanks




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 09 Jul 2017 10:51:26 GMT)


Notification sent to Sergey Korobitsin <undertaker@arta.kz>:
Bug acknowledged by developer. (Sun, 09 Jul 2017 10:51:26 GMT)


Message #32 received at 867032-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 867032-close@bugs.debian.org
Subject: Bug#867032: fixed in jabberd2 2.4.0-3+deb9u1
Date: Sun, 09 Jul 2017 10:47:09 +0000
Source: jabberd2
Source-Version: 2.4.0-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
jabberd2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated jabberd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 04 Jul 2017 16:42:15 +0200
Source: jabberd2
Binary: jabberd2
Architecture: source
Version: 2.4.0-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 867032
Description: 
 jabberd2   - Jabber instant messenger server
Changes:
 jabberd2 (2.4.0-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed offered SASL mechanism check (CVE-2017-10807)
     Thanks to Sergey Korobitsin for the report. (Closes: #867032)
Checksums-Sha1: 
 292920f65af032d8a3ff1cb396f79be716966aa4 2395 jabberd2_2.4.0-3+deb9u1.dsc
 726794ec1a99da3cca4da4ea4c17ec9f6d05e84e 625496 jabberd2_2.4.0.orig.tar.gz
 ec0c4e0041e0e49e1a3b2f367acdeb234a45ec56 17604 jabberd2_2.4.0-3+deb9u1.debian.tar.xz
Checksums-Sha256: 
 1a58310894ab17247bc0cb37db7a95d7c008af0205805914fed70d0f25698367 2395 jabberd2_2.4.0-3+deb9u1.dsc
 d6b0ef9a03fc36b0f66f785c09b3a7a8cacbf0d438e0ac1d6ec6b45029d2f816 625496 jabberd2_2.4.0.orig.tar.gz
 a184d5e37cda951b83970f5230fc2172767c740ebc668fc31c3c5ad7ad84ff7e 17604 jabberd2_2.4.0-3+deb9u1.debian.tar.xz
Files: 
 b64451f377f3ce74b8ddc255959c8ea3 2395 net optional jabberd2_2.4.0-3+deb9u1.dsc
 1871f97d86affb0150ad8c3a6691cb46 625496 net optional jabberd2_2.4.0.orig.tar.gz
 ac0c5f902aa3ee489adc47ffa085fe25 17604 net optional jabberd2_2.4.0-3+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
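The changelog entry "Fixed offered SASL mechanism check" names the root cause: the c2s did not check that the mechanism a client selected in its `<auth/>` was one the server had actually advertised in `<mechanisms/>`, so a client could name ANONYMOUS and have it run even though it was never offered. The Python below is an added model of that negotiation, written for this page and not jabberd2's own code, with only PLAIN and ANONYMOUS implemented; the `check_offered` switch selects the unfixed behaviour (False) or the fixed check (True). Class and function names, the `IMPLEMENTED` set, the user table and the anonymous identity string are assumptions; the SASL namespace and the `invalid-mechanism`, `not-authorized` and `malformed-request` failure conditions are the ones defined for XMPP in RFC 6120.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Mechanisms the model server knows how to run (assumed stand-in for what is
# compiled into the real c2s). Which subset is *offered* comes from configuration.
IMPLEMENTED = {"PLAIN", "ANONYMOUS"}


def plain_auth_stanza(user: str, password: str) -> str:
    """Client side: a SASL PLAIN <auth/> carrying the RFC 4616 '\\0authcid\\0passwd' payload."""
    payload = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()
    return f"<auth xmlns='{SASL_NS}' mechanism='PLAIN'>{payload}</auth>"


class SaslServerModel:
    def __init__(self, offered: Set[str], check_offered: bool, users: Dict[str, str]):
        # Configuration decides what is offered; ANONYMOUS is left out on purpose,
        # as on the reporter's server.
        self.offered = set(offered) & IMPLEMENTED
        # False reproduces the unfixed dispatch, True adds the check the fix introduced.
        self.check_offered = check_offered
        self.users = users  # assumption: a flat authcid -> password table

    def features(self) -> str:
        """The <mechanisms/> stream feature a client sees; ANONYMOUS is absent either way."""
        mechs = "".join(f"<mechanism>{m}</mechanism>" for m in sorted(self.offered))
        return f"<mechanisms xmlns='{SASL_NS}'>{mechs}</mechanisms>"

    def handle_auth(self, stanza: str) -> Tuple[str, str]:
        """Process a client <auth/>: ('success', identity) or ('failure', condition)."""
        el = ET.fromstring(stanza)
        if el.tag != f"{{{SASL_NS}}}auth":
            return ("failure", "malformed-request")
        mech = (el.get("mechanism") or "").upper()

        # The fix: a client may only select a mechanism that was offered. Without
        # this check the dispatch below runs for any implemented mechanism, which is
        # how ANONYMOUS went through on a server that never advertised it.
        if self.check_offered and mech not in self.offered:
            return ("failure", "invalid-mechanism")

        if mech == "ANONYMOUS":
            # Real servers mint a random JID here; a fixed string keeps the model deterministic.
            return ("success", "anonymous")
        if mech == "PLAIN":
            try:
                parts = base64.b64decode(el.text or "", validate=True).split(b"\0")
            except ValueError:
                return ("failure", "malformed-request")
            if len(parts) != 3:
                return ("failure", "malformed-request")
            _authzid, authcid, passwd = (p.decode("utf-8", "replace") for p in parts)
            expected = self.users.get(authcid, "")
            if expected and hmac.compare_digest(expected.encode(), passwd.encode()):
                return ("success", authcid)
            return ("failure", "not-authorized")
        return ("failure", "invalid-mechanism")


if __name__ == "__main__":
    users = {"alice": "correct horse"}
    anon = f"<auth xmlns='{SASL_NS}' mechanism='ANONYMOUS'/>"
    for label, flag in (("unfixed", False), ("fixed", True)):
        srv = SaslServerModel({"PLAIN"}, check_offered=flag, users=users)
        print(label, srv.features(), "->", srv.handle_auth(anon))
```

Both instances advertise exactly the same `<mechanisms/>`, which is the point: the advertised list was never the problem, and a client that ignores it and names ANONYMOUS anyway is accepted by the unfixed server and refused with `invalid-mechanism` by the fixed one. The same "only what was offered" rule also stops a client from picking PLAIN on a server that offers only stronger mechanisms.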




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Aug 2017 07:26:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:31:12 2019; Machine Name: buxtehude
