oss-sec mailing list archives
Re: CVE request: ejabberd compression allows circumvention of encryption despite starttls_required
From: cve-assign () mitre org
Date: Thu, 16 Oct 2014 10:16:06 -0400 (EDT)
> http://mail.jabber.org/pipermail/operators/2014-October/002438.html
> https://github.com/processone/ejabberd/commit/7bdc1151b11d26d33649c5cce2817b74a4f231a8
>
> Basically these things often work under a more or less "trust-on-first-use" assumption. E.g. the client will check the server config on the first connection and use those settings in the future. So there is a scenario where this leads to unintended unencrypted connections.
Use CVE-2014-8760.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
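An added example, not code from this thread or from ejabberd, that models the class of bug the request describes: a toy XMPP c2s stream-feature gate in which negotiating stream compression on a plaintext stream makes the server skip its starttls_required check, beside a hardened gate that applies the check to every pre-TLS step and a client-side check that does not rely on the server's advertised policy. All names (StreamState, handle_vulnerable, handle_hardened, run, client_may_authenticate) are hypothetical.

```python
# Toy model of an XMPP c2s stream gate (hypothetical names, constructed for
# illustration; not ejabberd's code). A stream is a sequence of client
# requests; the server answers each one and closes the stream on a violation.
from dataclasses import dataclass

@dataclass
class StreamState:
    tls: bool = False            # STARTTLS completed on this stream
    compressed: bool = False     # stream compression negotiated
    authenticated: bool = False  # SASL auth accepted

def handle_vulnerable(s, element, starttls_required):
    """Bug class: compression is accepted on any stream, and the TLS gate is
    only applied to a 'fresh' plaintext stream, so a compressed-but-plaintext
    stream slips past starttls_required and reaches authentication."""
    if element == "starttls":
        s.tls = True
        return "proceed"
    if element == "compress":            # no check of starttls_required here
        s.compressed = True
        return "compressed"
    if element == "auth":
        if starttls_required and not s.tls and not s.compressed:
            return "policy-violation"    # never reached once compressed
        s.authenticated = True
        return "success"
    return "unsupported"

def handle_hardened(s, element, starttls_required):
    """Fix: every step other than STARTTLS itself is refused on a plaintext
    stream when the policy requires TLS; compression cannot change that."""
    if element == "starttls":
        s.tls = True
        return "proceed"
    if starttls_required and not s.tls:
        return "policy-violation"        # applies to compress and auth alike
    if element == "compress":
        s.compressed = True
        return "compressed"
    if element == "auth":
        s.authenticated = True
        return "success"
    return "unsupported"

def run(handler, elements, starttls_required):
    """Drive one stream through the handler; stop when the server closes it."""
    s, result = StreamState(), None
    for el in elements:
        result = handler(s, el, starttls_required)
        if result == "policy-violation":
            break
    return s, result

def client_may_authenticate(s, require_tls=True):
    """Client-side mitigation for the trust-on-first-use problem: decide from
    the stream's actual state, not from what the server advertised earlier."""
    return s.tls or not require_tls
```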
Current thread:
- CVE request: ejabberd compression allows circumvention of encryption despite starttls_required Hanno Böck (Oct 13)
- Re: CVE request: ejabberd compression allows circumvention of encryption despite starttls_required Michael Samuel (Oct 13)
- Re: CVE request: ejabberd compression allows circumvention of encryption despite starttls_required cve-assign (Oct 16)