Date: Thu, 16 Oct 2014 10:16:06 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: ejabberd compression allows circumvention of encryption despite starttls_required

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://mail.jabber.org/pipermail/operators/2014-October/002438.html
> https://github.com/processone/ejabberd/commit/7bdc1151b11d26d33649c5cce2817b74a4f231a8
> 
> Basically these things often work under a more or less
> "trust-on-first-use"-assumption.
> 
> E.g. the client will check the server config on the first connection
> and use those settings in the future.
> 
> So there is a scenario where this leads to unintended unencrypted
> connections.

Use CVE-2014-8760.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUP9KSAAoJEKllVAevmvms3HIH+wYbM86VpoBrkJEaSlOpw5CI
krwSBSzRhDqw8uXeV6FeGKI7Cy5vmaUDTXoj0z/jVmAjaJB2MCVXYzdeiywA1pcQ
/LCROcb2O80DIC6pHK0VoWPa+4lWpoxYwtVQxexcA7mHL+bym3pjt5Jf/ZmP7Uqe
tPumOEL9xMdL97CAYTeptTLXlxQ1uipQOYIARnxtQ9neWDMxQPV1JQdAQDjJxZoY
ZdjJB2/MNzcARkiHc+njEebIDvnn39yoiGo/5Wlo7N+mJ6oIRn9ritm4aQRkLE71
D+1g3HkjelxXlqMkmXOCimh5r7Euupeyi0L40aLY1ft4Da3sJx/to9eteRzEzJo=
=RSsh
-----END PGP SIGNATURE-----
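The subject line describes the defect in one sentence: a server configured with `starttls_required` could still be talked into a plaintext authentication by negotiating stream compression first. The following model is an added example for this page, not code from the mail and not ejabberd's own code (the real fix is the commit linked above). It assumes a simplified client-to-server negotiation with three client requests (`starttls`, `compress`, `auth`), assumed transport names (`gen_tcp`, `tls`, `zlib`), and reply tokens borrowed from the XMPP vocabulary (`proceed`, `compressed`, `setup-failed`, `policy-violation`). The vulnerable variant models the general mistake of gating on "still on the raw TCP socket" as a proxy for "not yet encrypted"; wrapping the socket in a compression layer makes that proxy false without adding any encryption. The fixed variant checks the TLS state directly and refuses compression until TLS is up.

```python
# Constructed model of a "TLS required" gate in an XMPP-style c2s
# negotiation. Not ejabberd code; transport names and reply tokens are
# assumptions chosen for illustration.
from dataclasses import dataclass
from typing import List, Tuple

PLAIN, TLS, ZLIB = "gen_tcp", "tls", "zlib"   # transport layer names (assumed)


@dataclass
class Session:
    starttls_required: bool        # server policy: starttls_required
    transport: str = PLAIN         # which layer currently wraps the socket
    tls_enabled: bool = False      # whether STARTTLS actually completed


def offered_features(s: Session, fixed: bool) -> List[str]:
    """Stream features the server advertises in the pre-auth state."""
    if fixed:
        # Correct: test the property we care about (is TLS up?).
        must_tls = s.starttls_required and not s.tls_enabled
    else:
        # Vulnerable pattern: "socket is still plain TCP" used as a proxy
        # for "not yet encrypted". A compression layer replaces the
        # transport, so the proxy stops firing while traffic stays in clear.
        must_tls = s.starttls_required and s.transport == PLAIN
    if must_tls:
        return ["starttls"]           # nothing but STARTTLS until TLS is up
    feats = []
    if not s.tls_enabled:
        feats.append("starttls")
    if s.transport != ZLIB:
        feats.append("compression")
    feats.append("mechanisms")        # SASL authentication is on offer
    return feats


def handle(s: Session, request: str, fixed: bool) -> str:
    """Process one client request and return the server's reply token."""
    if request == "starttls":
        s.tls_enabled = True
        s.transport = TLS
        return "proceed"
    if request == "compress":
        # The fix: refuse compression while the TLS policy is unmet.
        if fixed and s.starttls_required and not s.tls_enabled:
            return "setup-failed"
        s.transport = ZLIB
        return "compressed"
    if request == "auth":
        if "mechanisms" not in offered_features(s, fixed):
            return "policy-violation"   # "Use of STARTTLS required"
        return "success"
    return "bad-request"


def run(requests: List[str], fixed: bool) -> Tuple[List[str], bool]:
    """Drive one session with starttls_required=True.

    Returns (replies, tls_enabled) so the caller can see whether an
    accepted authentication happened over an encrypted transport."""
    s = Session(starttls_required=True)
    replies = [handle(s, r, fixed) for r in requests]
    return replies, s.tls_enabled


def vulnerable_run() -> Tuple[List[str], bool]:
    # Compression first, then auth: accepted, and TLS was never negotiated.
    return run(["compress", "auth"], fixed=False)


def fixed_run() -> Tuple[List[str], bool]:
    # Same client behaviour against the gated server: both steps refused.
    return run(["compress", "auth"], fixed=True)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_run())
    print("fixed:     ", fixed_run())
    print("honest client, fixed server:",
          run(["starttls", "compress", "auth"], fixed=True))
```

The detection angle follows directly from `run()`'s second return value: a server that reports `success` while `tls_enabled` is still false has authenticated a client in the clear, which is exactly what `starttls_required` is supposed to forbid. When reviewing similar gates, check that the condition names the security property (TLS established) rather than a transport detail that another optional feature can change.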
