oss-sec mailing list archives

Re: CVE request: ejabberd compression allows circumvention of encryption despite starttls_required


From: cve-assign () mitre org
Date: Thu, 16 Oct 2014 10:16:06 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://mail.jabber.org/pipermail/operators/2014-October/002438.html
https://github.com/processone/ejabberd/commit/7bdc1151b11d26d33649c5cce2817b74a4f231a8

Basically these things often work under a more or less
"trust-on-first-use"-assumption.

E.g. the client will check the server config on the first connection
and use those settings in the future.

So there is a scenario where this leads to unintended unencrypted
connections.

Use CVE-2014-8760.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUP9KSAAoJEKllVAevmvms3HIH+wYbM86VpoBrkJEaSlOpw5CI
krwSBSzRhDqw8uXeV6FeGKI7Cy5vmaUDTXoj0z/jVmAjaJB2MCVXYzdeiywA1pcQ
/LCROcb2O80DIC6pHK0VoWPa+4lWpoxYwtVQxexcA7mHL+bym3pjt5Jf/ZmP7Uqe
tPumOEL9xMdL97CAYTeptTLXlxQ1uipQOYIARnxtQ9neWDMxQPV1JQdAQDjJxZoY
ZdjJB2/MNzcARkiHc+njEebIDvnn39yoiGo/5Wlo7N+mJ6oIRn9ritm4aQRkLE71
D+1g3HkjelxXlqMkmXOCimh5r7Euupeyi0L40aLY1ft4Da3sJx/to9eteRzEzJo=
=RSsh
-----END PGP SIGNATURE-----
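The following is an added illustration, not code from ejabberd, from the linked commit, or from anyone in this thread. The thread only says that compression lets a client get around starttls_required; the mechanism modelled below is an assumption for the sake of the example: a server that decides "is TLS still required?" by looking at the type of transport wrapper it currently holds, so that wrapping the plain socket in a compression layer makes the check stop firing. The class and method names (C2SSession, client_run, PolicyViolation) are invented for the model. The hardened variant records STARTTLS completion explicitly and refuses `<compress/>` before a required STARTTLS, which is the property a fix has to provide regardless of how the real code was structured.

```python
"""Model of a starttls_required bypass via stream compression.

Constructed example, not ejabberd's code. The bypass mechanism modelled
here is an assumption: the vulnerable server infers "no TLS yet" from the
outermost socket layer being a plain TCP socket, so negotiating zlib
compression first (which wraps the plain socket) disables the check.
"""
from dataclasses import dataclass

PLAIN, TLS, ZLIB = "tcp", "tls", "zlib"


class PolicyViolation(Exception):
    """Stream error sent when a feature is used out of the allowed order."""


@dataclass
class C2SSession:
    tls_required: bool          # server option starttls_required
    hardened: bool = False      # False: vulnerable check, True: fixed check
    sock_mod: str = PLAIN       # outermost transport layer on the socket
    tls_enabled: bool = False   # explicit record that STARTTLS completed
    authenticated: bool = False

    def _tls_still_required(self) -> bool:
        if self.hardened:
            # Fixed: rely on the explicit STARTTLS record, never on the wrapper type.
            return self.tls_required and not self.tls_enabled
        # Vulnerable (assumed mechanism): only an unwrapped plain socket counts as
        # "not yet encrypted"; a zlib wrapper over plain TCP passes this test.
        return self.tls_required and self.sock_mod == PLAIN

    def features(self) -> list:
        """Simplified stream features advertised in the current state."""
        feats = []
        if self.sock_mod == PLAIN:
            feats.append("starttls(required)" if self.tls_required else "starttls")
        # XEP-0138 allows offering compression before authentication; the fixed
        # server withholds it while STARTTLS is still required.
        if self.sock_mod != ZLIB and not (self.hardened and self._tls_still_required()):
            feats.append("compression")
        if not self.authenticated:
            feats.append("mechanisms")
        return feats

    def starttls(self) -> None:
        if self.sock_mod != PLAIN:
            raise PolicyViolation("starttls after another transport layer")
        self.sock_mod = TLS
        self.tls_enabled = True

    def compress(self) -> None:
        if self.sock_mod == ZLIB:
            raise PolicyViolation("already compressed")
        if self.hardened and self._tls_still_required():
            raise PolicyViolation("compression before required starttls")
        self.sock_mod = ZLIB  # zlib now wraps whatever was underneath (tcp or tls)

    def auth(self) -> None:
        if self._tls_still_required():
            raise PolicyViolation("starttls required before authentication")
        self.authenticated = True


def client_run(session: C2SSession, steps: list) -> dict:
    """Drive a session through the given feature requests in order.

    Returns the final state, or an error dict if the server rejected a step.
    """
    try:
        for step in steps:
            getattr(session, step)()
    except PolicyViolation as e:
        return {"error": str(e)}
    return {"authenticated": session.authenticated, "encrypted": session.tls_enabled}


if __name__ == "__main__":
    # Vulnerable server, starttls_required set: compress first, then authenticate
    # in the clear. The same client sequence is refused by the hardened server.
    print("vulnerable:", client_run(C2SSession(tls_required=True), ["compress", "auth"]))
    print("hardened:  ", client_run(C2SSession(tls_required=True, hardened=True), ["compress", "auth"]))
    print("hardened, correct order:",
          client_run(C2SSession(tls_required=True, hardened=True), ["starttls", "compress", "auth"]))
```

The point a practitioner should take from the model is the shape of the check, not the specific field names: any "TLS required" test that is derived from an incidental property of the connection (the wrapper type, the feature list last sent, the stream-restart count) rather than from an explicit record of whether STARTTLS actually completed will be defeated by any other feature that changes that property. Note also the trust-on-first-use angle raised in the message: a client that cached the feature list from an earlier connection would not see a changed `<starttls><required/>` advertisement at all, so the server must enforce the policy itself rather than rely on the client to honour what was advertised.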

