Date: Thu, 10 Oct 2013 19:29:34 +0200 (CEST)
From: Thijs Kinkhorst <thijs@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 2775-1] ejabberd security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2775-1                   security@...ian.org
http://www.debian.org/security/                           Thijs Kinkhorst
October 10, 2013                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ejabberd
Vulnerability  : insecure SSL usage
Problem type   : remote
Debian-specific: no
Debian Bug     : 722105

It was discovered that ejabberd, a Jabber/XMPP server, uses SSLv2 and
weak ciphers for communication, which are considered insecure. The
software offers no runtime configuration options to disable these. This
update disables the use of SSLv2 and weak ciphers.

The updated package for Debian 7 (wheezy) also contains auxiliary
bugfixes originally staged for the next stable point release.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.1.5-3+squeeze2.

For the stable distribution (wheezy), this problem has been fixed in
version 2.1.10-4+deb7u1.

For the testing distribution (jessie), and unstable distribution (sid),
this problem will be fixed soon.

We recommend that you upgrade your ejabberd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
