Bug 1047282 - (CVE-2017-10807) VUL-0: CVE-2017-10807: jabberd: JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate using SASLANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled.
VUL-0: CVE-2017-10807: jabberd: JabberD 2.x (aka jabberd2) before 2.6.1 allow...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2017-07-05 07:13 UTC by Marcus Meissner
Modified: 2017-10-25 19:11 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Silvio Moioli 2017-07-10 06:12:58 UTC
Upstream patch (https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16) does not seem to be readily applicable to our package which is based on an older version (2.3.2 instead of 2.6.0).

Moreover according to the upstream changelog we miss other changes which could be security sensitive, eg.:

* 2.4.0 to 2.5.0 upgrade:
- Fixed memory leak in pgsql storage driver
- Fixed two double-frees caused by dangling pointers


* 2.3.6 to 2.4.0 upgrade:
- Many Coverity Scan and cppcheck detected issues fixed


* 2.3.4 to 2.3.5 upgrade:
- Use CSPRNG for dialback keys


* 2.3.3 to 2.3.4 upgrade:
- Rewrite TLS ephemeral key + cipher handling
- bcrypt support for PostgreSQL

Source: https://github.com/jabberd2/jabberd2/blob/a3e4a473a74c4090af44de43c353cc66b8c6a113/NEWS

I would thus recommend to update the package to the latest sources.
Comment 2 Silvio Moioli 2017-07-10 06:17:28 UTC
Michael, I have a building version of the updated package now, updated from a checkout of Devel:Galaxy:Manager:Head/jabberd2.

What are the next steps now?

I would assume that has to be submitted to Devel:Galaxy:Manager:Head, 3.1 and 3.0 to have a testsuite run at least. Should we test anything else? I am not sure the testsuite covers the OSAD case.

I have also seen several patches to the Berkeley DB area in the commit log, so that might even help in bug 1047155 or similar cases. Should we attempt a PTF there?

After that, are there other projects I should submit the change to?

Comment 7 Silvio Moioli 2017-08-04 15:02:34 UTC

I hope I did everything correctly - please let me know!


Marking as RESOLVED for now.
Comment 9 Johannes Segitz 2017-08-07 07:59:31 UTC
Please don't close security bugs, reassign them to the security team once you're done. Thanks
Comment 10 Swamp Workflow Management 2017-08-25 16:15:35 UTC
SUSE-SU-2017:2257-1: An update that solves two vulnerabilities and has 48 fixes is now available.

Category: security (moderate)
Bug References: 1009118,1017513,1019759,1028098,1030898,1031143,1031602,1032324,1032350,1033999,1035728,1037609,1038321,1039458,1039579,1039913,1042199,1042552,1042846,1042975,1043143,1043430,1043795,1043831,1044719,1045152,1045266,1045981,1046176,1046218,1046314,1046865,1047282,1047352,1047513,1047641,1047656,1047680,1047707,1048183,1048968,1049162,1049425,1049471,1049575,1049664,1049665,1050385,1051518,1051719
CVE References: CVE-2017-10807,CVE-2017-7538
Sources used:
SUSE Manager Server 3.1 (src):    cobbler-2.6.6-5.3.1, jabberd-2.6.1-3.3.1, osad-, rhnpush-, salt-netapi-client-0.12.0-3.3.1, smdba-1.5.8-, spacecmd-, spacewalk-backend-, spacewalk-branding-, spacewalk-certs-tools-, spacewalk-java-, spacewalk-search-, spacewalk-utils-, spacewalk-web-, susemanager-3.1.8-2.3.1, susemanager-docs_en-3-10.3.1, susemanager-schema-3.1.9-2.3.1, susemanager-sync-data-3.1.6-2.3.1
Comment 11 Swamp Workflow Management 2017-08-25 16:27:02 UTC
SUSE-SU-2017:2266-1: An update that solves one vulnerability and has 9 fixes is now available.

Category: security (moderate)
Bug References: 1031143,1032324,1036260,1038321,1039913,1043831,1047282,1047513,1049936,1052039
CVE References: CVE-2017-10807
Sources used:
SUSE Manager Proxy 3.1 (src):    jabberd-2.6.1-3.3.1, osad-, rhnpush-, spacewalk-backend-, spacewalk-certs-tools-, spacewalk-proxy-, spacewalk-web-, spacewalksd-, supportutils-plugin-susemanager-client-3.1.2-2.3.1, zypp-plugin-spacewalk-0.9.16-2.3.1
Comment 12 Swamp Workflow Management 2017-08-25 16:27:51 UTC
SUSE-SU-2017:2267-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1047282
CVE References: CVE-2017-10807
Sources used:
SUSE Manager Server 3.0 (src):    jabberd-2.6.1-4.6.1
SUSE Manager Proxy 3.0 (src):    jabberd-2.6.1-4.6.1
Comment 13 Leonardo Chiquitto 2017-08-29 10:30:33 UTC
All released AFAICS
Comment 14 Marcus Meissner 2017-10-25 19:11:44 UTC