Bug 221014 - net-im/jabberd: Update to 2.6.1 (Fixes security vulnerability: CVE-2017-10807)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Some People
Assignee: Martin Matuska
URL:
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2017-07-26 08:27 UTC by lampa
Modified: 2017-07-27 09:29 UTC

See Also:
koobs: maintainer-feedback? (mm)
koobs: merge-quarterly?


Description lampa 2017-07-26 08:27:21 UTC
Jabberd before 2.6.1 allows anyone to authenticate using SASL
ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled.

Please update the port to 2.6.1.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-26 08:37:54 UTC
Assuming this is for net-im/jabberd (currently 2.5.0), assign to maintainer (mm) accordingly.

Is the net-im/jabber port (no maintainer) also vulnerable?
Comment 2 lampa 2017-07-26 08:49:48 UTC
Probably not, it doesn't have SASL at all.
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-07-26 14:47:06 UTC
A commit references this bug:

Author: mm
Date: Wed Jul 26 14:46:41 UTC 2017
New revision: 446659
URL: https://svnweb.freebsd.org/changeset/ports/446659

Log:
  Update net-im/jabberd to 2.6.1

  PR:		221014
  Security:	CVE-2017-10807

Changes:
  head/net-im/jabberd/Makefile
  head/net-im/jabberd/distinfo
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-07-26 15:07:24 UTC
A commit references this bug:

Author: mm
Date: Wed Jul 26 15:06:28 UTC 2017
New revision: 446661
URL: https://svnweb.freebsd.org/changeset/ports/446661

Log:
  security/vuxml: Add jabberd vulnerability

  PR:		221014
  Security:	CVE-2017-10807

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-07-27 09:28:14 UTC
A commit references this bug:

Author: mm
Date: Thu Jul 27 09:28:08 UTC 2017
New revision: 446727
URL: https://svnweb.freebsd.org/changeset/ports/446727

Log:
  MFH 446659:

  Update net-im/jabberd to 2.6.1

  PR:             221014
  Security:       CVE-2017-10807
  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/net-im/jabberd/Makefile
  branches/2017Q3/net-im/jabberd/distinfo