Bug 1047282 - (CVE-2017-10807) VUL-0: CVE-2017-10807: jabberd: JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/187820/
CVSSv3:SUSE:CVE-2017-10807:7.5:(AV:N/...
Reported: 2017-07-05 07:13 UTC by Marcus Meissner
Modified: 2017-10-25 19:11 UTC (History)
Found By: Security Response Team
Comment 1 Silvio Moioli 2017-07-10 06:12:58 UTC
Upstream patch (https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16) does not seem to be readily applicable to our package which is based on an older version (2.3.2 instead of 2.6.0).

Moreover, according to the upstream changelog we miss other changes which could be security sensitive, e.g.:

* 2.4.0 to 2.5.0 upgrade:
[...]
- Fixed memory leak in pgsql storage driver
- Fixed two double-frees caused by dangling pointers

[...]

* 2.3.6 to 2.4.0 upgrade:
[...]
- Many Coverity Scan and cppcheck detected issues fixed

[...]

* 2.3.4 to 2.3.5 upgrade:
[...]
- Use CSPRNG for dialback keys

[...]

* 2.3.3 to 2.3.4 upgrade:
[...]
- Rewrite TLS ephemeral key + cipher handling
- bcrypt support for PostgreSQL

Source: https://github.com/jabberd2/jabberd2/blob/a3e4a473a74c4090af44de43c353cc66b8c6a113/NEWS



I would thus recommend updating the package to the latest sources.
Comment 2 Silvio Moioli 2017-07-10 06:17:28 UTC
Michael, I have a building version of the updated package now, updated from a checkout of Devel:Galaxy:Manager:Head/jabberd2.

What are the next steps now?

I would assume that has to be submitted to Devel:Galaxy:Manager:Head, 3.1 and 3.0 to have a testsuite run at least. Should we test anything else? I am not sure the testsuite covers the OSAD case.

I have also seen several patches to the Berkeley DB area in the commit log, so that might even help in bug 1047155 or similar cases. Should we attempt a PTF there?

After that, are there other projects I should submit the change to?

Thanks
Comment 7 Silvio Moioli 2017-08-04 15:02:34 UTC
Benjamin,

I hope I did everything correctly - please let me know!

https://build.suse.de/request/show/137050
https://build.suse.de/request/show/137053

Marking as RESOLVED for now.
Comment 9 Johannes Segitz 2017-08-07 07:59:31 UTC
Please don't close security bugs, reassign them to the security team once you're done. Thanks
Comment 10 Swamp Workflow Management 2017-08-25 16:15:35 UTC
SUSE-SU-2017:2257-1: An update that solves two vulnerabilities and has 48 fixes is now available.

Category: security (moderate)
Bug References: 1009118,1017513,1019759,1028098,1030898,1031143,1031602,1032324,1032350,1033999,1035728,1037609,1038321,1039458,1039579,1039913,1042199,1042552,1042846,1042975,1043143,1043430,1043795,1043831,1044719,1045152,1045266,1045981,1046176,1046218,1046314,1046865,1047282,1047352,1047513,1047641,1047656,1047680,1047707,1048183,1048968,1049162,1049425,1049471,1049575,1049664,1049665,1050385,1051518,1051719
CVE References: CVE-2017-10807,CVE-2017-7538
Sources used:
SUSE Manager Server 3.1 (src):    cobbler-2.6.6-5.3.1, jabberd-2.6.1-3.3.1, osad-5.11.80.3-2.3.1, rhnpush-5.5.104.3-2.3.2, salt-netapi-client-0.12.0-3.3.1, smdba-1.5.8-0.2.3.1, spacecmd-2.7.8.6-2.3.1, spacewalk-backend-2.7.73.7-2.3.1, spacewalk-branding-2.7.2.7-2.3.1, spacewalk-certs-tools-2.7.0.7-2.3.1, spacewalk-java-2.7.46.5-2.3.1, spacewalk-search-2.7.3.2-2.3.4, spacewalk-utils-2.7.10.5-2.3.1, spacewalk-web-2.7.1.10-2.3.1, susemanager-3.1.8-2.3.1, susemanager-docs_en-3-10.3.1, susemanager-schema-3.1.9-2.3.1, susemanager-sync-data-3.1.6-2.3.1
Comment 11 Swamp Workflow Management 2017-08-25 16:27:02 UTC
SUSE-SU-2017:2266-1: An update that solves one vulnerability and has 9 fixes is now available.

Category: security (moderate)
Bug References: 1031143,1032324,1036260,1038321,1039913,1043831,1047282,1047513,1049936,1052039
CVE References: CVE-2017-10807
Sources used:
SUSE Manager Proxy 3.1 (src):    jabberd-2.6.1-3.3.1, osad-5.11.80.3-2.3.1, rhnpush-5.5.104.3-2.3.2, spacewalk-backend-2.7.73.7-2.3.1, spacewalk-certs-tools-2.7.0.7-2.3.1, spacewalk-proxy-2.7.1.4-2.3.1, spacewalk-web-2.7.1.10-2.3.1, spacewalksd-5.0.26.3-2.3.1, supportutils-plugin-susemanager-client-3.1.2-2.3.1, zypp-plugin-spacewalk-0.9.16-2.3.1
Comment 12 Swamp Workflow Management 2017-08-25 16:27:51 UTC
SUSE-SU-2017:2267-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1047282
CVE References: CVE-2017-10807
Sources used:
SUSE Manager Server 3.0 (src):    jabberd-2.6.1-4.6.1
SUSE Manager Proxy 3.0 (src):    jabberd-2.6.1-4.6.1
Comment 13 Leonardo Chiquitto 2017-08-29 10:30:33 UTC
All released AFAICS
Comment 14 Marcus Meissner 2017-10-25 19:11:44 UTC
released