ejabberd prior to 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.
Debian Bug report logs -
#767535
CVE-2014-8760
Package:
ejabberd;
Maintainer for ejabberd is Ejabberd Packaging Team <ejabberd@packagesdebianorg>; Source for ejabberd is src:ejabberd (PTS, buildd, popcon)
Reported by: Moritz Muehlenhoff <jmm@debianorg>
Date: Fri, 31 Oct 2014 21:15:01 UTC
Severity: important
Tags: ...