[Operators] ejabberd: compression allows circumvention of encryption

Mathias Ertl mati at fsinf.at
Mon Oct 13 12:46:16 UTC 2014


FYI, I discovered a (IMHO critical) bug in ejabberd that allows clients to
connect with an unencrypted connection even if starttls_required is set.
Clients should normally not do that anyway, but currently (at least some
versions of) Miranda do. The bug affects all versions of ejabberd but is
fixed in master[1] (thanks for the quick fix!).

To stop the bug from affecting you, disable compression ('zlib' in the
c2s configuration) and find affected users with:

    ejabberdctl connected_users_info | grep 'c2s_compressed\s'

You may kick affected user sessions and they should be able to reconnect
with encryption and without compression.

For those of you using my packages: Updates will be available shortly.

greetings, Mati

[1] https://github.com/processone/ejabberd/commit/7bdc1151b

I only read plain text mail! I prefer pgp|gpg signed & encrypted mails!
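An added example, not part of Mati's mail or of ejabberd itself: a small script that applies the check above to the output of `ejabberdctl connected_users_info`, flags sessions whose connection type is `c2s_compressed` (compressed, no TLS) rather than `c2s_compressed_tls`, and builds the matching `ejabberdctl kick_session` invocations. It assumes the tab-separated layout with the JID in the first column and the connection type in the second; the sample output is constructed, not a real capture, and it also goes slightly beyond the mail's grep by optionally flagging plain `c2s` sessions, which are just as unencrypted.

```python
import re
import shlex
import subprocess

# Constructed sample of `ejabberdctl connected_users_info` output (not a real capture).
# Assumed layout: tab-separated, JID first, connection type second; the remaining
# columns (IP, port, priority, node, uptime) are ignored here.
SAMPLE_OUTPUT = """\
alice@example.org/miranda\tc2s_compressed\t192.0.2.10\t54321\t0\tejabberd@localhost\t120
bob@example.org/gajim\tc2s_compressed_tls\t192.0.2.11\t54322\t0\tejabberd@localhost\t300
carol@example.org/psi\tc2s_tls\t192.0.2.12\t54323\t0\tejabberd@localhost\t45
dave@example.org/old\tc2s\t192.0.2.13\t54324\t0\tejabberd@localhost\t10
"""

# Connection types carrying no TLS at all. The mail's grep targets the compressed
# one, but a plain `c2s` session on a starttls_required server is equally exposed.
UNENCRYPTED_TYPES = {"c2s", "c2s_compressed"}
JID_RE = re.compile(r"^([^@/]+)@([^/]+)/(.+)$")

def parse_sessions(text):
    """Return (user, host, resource, conn_type) for each row of connected_users_info."""
    sessions = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        m = JID_RE.match(fields[0])
        if not m:
            continue
        user, host, resource = m.groups()
        sessions.append((user, host, resource, fields[1]))
    return sessions

def unencrypted_sessions(text, compressed_only=True):
    """Sessions the mail's check flags (c2s_compressed, no TLS);
    compressed_only=False also includes plain `c2s`."""
    wanted = {"c2s_compressed"} if compressed_only else UNENCRYPTED_TYPES
    return [s for s in parse_sessions(text) if s[3] in wanted]

def kick_commands(sessions, reason="reconnect with TLS; compression disabled"):
    """Build `ejabberdctl kick_session user host resource reason` argv lists."""
    return [["ejabberdctl", "kick_session", u, h, r, reason] for (u, h, r, _) in sessions]

def kick(sessions, dry_run=True):
    """Print (dry run) or execute the kick commands for the flagged sessions."""
    for argv in kick_commands(sessions):
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)

if __name__ == "__main__":
    kick(unencrypted_sessions(SAMPLE_OUTPUT, compressed_only=False))
```

On a live server, feed it `subprocess.check_output(["ejabberdctl", "connected_users_info"], text=True)` instead of the sample and pass `dry_run=False` once the printed commands look right.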