oss-sec mailing list archives
Re: CVE request: ejabberd compression allows cirucumvention of encryption despite starttls_required
From: Michael Samuel <mik () miknet net>
Date: Tue, 14 Oct 2014 12:39:48 +1100
On 14 October 2014 00:09, Hanno Böck <hanno () hboeck de> wrote:
I think this deserves a CVE: http://mail.jabber.org/pipermail/operators/2014-October/002438.html
If a client is willing to do that, then an attacker can simply force downgrade the client and connect to the server using TLS. (Assuming client certificates aren't in use) Regards, Michael
Current thread:
- CVE request: ejabberd compression allows cirucumvention of encryption despite starttls_required Hanno Böck (Oct 13)
- Re: CVE request: ejabberd compression allows cirucumvention of encryption despite starttls_required Michael Samuel (Oct 13)
- Re: CVE request: ejabberd compression allows cirucumvention of encryption despite starttls_required cve-assign (Oct 16)