oss-sec mailing list archives

Re: CVE request: ejabberd compression allows circumvention of encryption despite starttls_required


From: Michael Samuel <mik () miknet net>
Date: Tue, 14 Oct 2014 12:39:48 +1100

On 14 October 2014 00:09, Hanno Böck <hanno () hboeck de> wrote:
I think this deserves a CVE:
http://mail.jabber.org/pipermail/operators/2014-October/002438.html

If a client is willing to do that, then an attacker can simply force-downgrade
the client and connect to the server using TLS (assuming client
certificates aren't in use).

Regards,
  Michael
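The downgrade Michael describes, as an added example that is not part of this thread or of ejabberd's code: the server advertises both a required STARTTLS and XEP-0138 stream compression on the still-plaintext stream; a man-in-the-middle negotiates TLS with the real server but strips `<starttls>` from the `<stream:features>` it forwards to the client, leaving only compression. A client that is "willing to do that" carries on without TLS; a client that insists on TLS aborts. The feature stanzas are constructed for the example (the namespaces are the real RFC 6120 and XEP-0138 ones); the function names are mine.

```python
"""Model of a STARTTLS-stripping downgrade against an XMPP client.

Added example, not ejabberd's code and not from the original post. It
assumes a server that advertises <starttls><required/></starttls>
together with <compression> on the initial plaintext stream, which is
the situation the thread's subject line describes.
"""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"        # RFC 6120 stream namespace
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"            # RFC 6120 STARTTLS feature
NS_COMPRESS = "http://jabber.org/features/compress"   # XEP-0138 stream compression

# Constructed sample: features a server with starttls_required that also
# offers stream compression might send on a fresh, unencrypted stream.
FEATURES_FROM_SERVER = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '<compression xmlns="http://jabber.org/features/compress">'
    '<method>zlib</method></compression>'
    '</stream:features>'
)


def parse_features(xml_text):
    """Extract the TLS and compression offers from a <stream:features> stanza."""
    root = ET.fromstring(xml_text)
    tls = root.find("{%s}starttls" % NS_TLS)
    comp = root.find("{%s}compression" % NS_COMPRESS)
    methods = []
    if comp is not None:
        methods = [m.text for m in comp.findall("{%s}method" % NS_COMPRESS)]
    return {
        "starttls": tls is not None,
        "starttls_required": tls is not None
        and tls.find("{%s}required" % NS_TLS) is not None,
        "compression": methods,
    }


def choose_next_step(xml_text, require_tls):
    """Decide what the client negotiates next.

    A careful client always takes STARTTLS when it is offered and, if it
    is configured to require TLS, refuses to fall back to compression or
    plaintext when STARTTLS is missing. A lax client (require_tls=False)
    happily continues with whatever is left, which is what makes the
    downgrade work.
    """
    f = parse_features(xml_text)
    if f["starttls"]:
        return "starttls"
    if require_tls:
        return "abort"          # do not continue on an unencrypted stream
    if f["compression"]:
        return "compress:" + f["compression"][0]
    return "plain"


def mitm_strip_tls(xml_text):
    """What the attacker does on the client-facing side: drop <starttls>.

    Compression and everything else is forwarded untouched, so the client
    still sees a plausible feature list.
    """
    root = ET.fromstring(xml_text)
    for tls in root.findall("{%s}starttls" % NS_TLS):
        root.remove(tls)
    return ET.tostring(root, encoding="unicode")


def attacker_session(server_features, client_require_tls):
    """Simulate both legs of the attack.

    Returns (what the attacker negotiates with the real server,
             what the victim client negotiates with the attacker).
    The attacker itself always speaks TLS to the server, so the server's
    starttls_required setting is satisfied and sees nothing unusual.
    """
    upstream = choose_next_step(server_features, require_tls=True)
    downstream = choose_next_step(mitm_strip_tls(server_features),
                                  require_tls=client_require_tls)
    return upstream, downstream


if __name__ == "__main__":
    print("lax client:   ", attacker_session(FEATURES_FROM_SERVER, False))
    print("strict client:", attacker_session(FEATURES_FROM_SERVER, True))
```

The server-side setting is satisfied on the attacker's leg, which is why `starttls_required` alone does not protect the client; only a client that treats a missing `<starttls>` as a hard failure, or client certificates, which the attacker cannot present upstream, break the relay.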

