ID DEBIAN_DLA-881.NASL Type nessus Reporter This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2017-04-03T00:00:00
Description
It was found that ejabberd does not enforce the starttls_required
setting when compression is used, which causes clients to establish
connections without encryption.
For Debian 7 'Wheezy', this problem has been fixed in version
2.1.10-4+deb7u2.
This update also disables the insecure SSLv3.
We recommend that you upgrade your ejabberd packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-881-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Metadata registration. This branch runs when the scanner loads the plugin
# with `description` set: it declares identifiers, advisory text, scoring and
# prerequisites, then exits. Nothing in this branch inspects the target.
if (description)
{
  # Plugin identity and revision tracking.
  script_id(99139);
  script_version("3.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  # Cross-references for correlating this finding with other advisories
  # that cover the same flaw.
  script_cve_id("CVE-2014-8760");
  script_bugtraq_id(70415);

  script_name(english:"Debian DLA-881-1 : ejabberd security update");
  script_summary(english:"Checks dpkg output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security update."
  );
  # Advisory text taken from DLA-881-1. The fixed package carries two changes:
  # starttls_required is enforced when compression is used, and SSLv3 is
  # disabled.
  script_set_attribute(
    attribute:"description",
    value:
"It was found that ejabberd does not enforce the starttls_required
setting when compression is used, which causes clients to establish
connections without encryption.
For Debian 7 'Wheezy', this problem has been fixed in version
2.1.10-4+deb7u2.
This update also disables the insecure SSLv3.
We recommend that you upgrade your ejabberd packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2017/04/msg00000.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/ejabberd"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade the affected ejabberd package."
  );
  # CVSS v2 base vector: network access, low complexity, no authentication,
  # partial confidentiality impact, no integrity or availability impact.
  # Temporal vector: exploit unproven, official fix available, report confirmed.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" plugin: the verdict is derived from package data gathered on the
  # host (see the required KB keys below), not from probing the ejabberd
  # service over the network.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # CPE tags scope the finding to the ejabberd package on Debian 7.0.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ejabberd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # NOTE(review): ssh_get_info.nasl presumably populates the Host/* KB keys
  # listed below - confirm against that plugin. The keys show that this check
  # needs local checks enabled, a Debian release string and a dpkg package list.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  # Registration pass ends here; the check logic below is not reached.
  exit(0);
}
include("audit.inc");
include("debian_package.inc");
# Preconditions: each audit() call reports why the check cannot run when
# local checks are disabled, the host is not Debian, or no dpkg package
# list was collected.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release"))
  audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Package-version test only: the ejabberd package on release 7.0 is compared
# against the fixed Debian revision 2.1.10-4+deb7u2. This script does not read
# ejabberd's configuration (e.g. whether starttls_required is set) and does not
# check whether the service is running, so a finding means "fixed package not
# installed", not "unencrypted sessions observed".
# The reference is the Debian revision on the 2.1.10 series, so comparing the
# upstream version alone against the CVE record's "before 2.1.13" would
# misjudge a patched host.
flag = 0;
if (deb_check(release:"7.0", prefix:"ejabberd", reference:"2.1.10-4+deb7u2"))
{
  flag++;
}

if (!flag)
{
  # Installed package is at or above the fixed revision, or not matched.
  audit(AUDIT_HOST_NOT, "affected");
}
else
{
  # Host-level finding (port 0); the package comparison detail is attached
  # only when report verbosity is above 0.
  if (report_verbosity > 0)
    security_warning(port:0, extra:deb_report_get());
  else
    security_warning(0);
  exit(0);
}
{"id": "DEBIAN_DLA-881.NASL", "bulletinFamily": "scanner", "title": "Debian DLA-881-1 : ejabberd security update", "description": "It was found that ejabberd does not enforce the starttls_required\nsetting when compression is used, which causes clients to establish\nconnections without encryption.\n\nFor Debian 7 'Wheezy', this problem has been fixed in version\n2.1.10-4+deb7u2.\n\nThis update also disables the insecure SSLv3.\n\nWe recommend that you upgrade your ejabberd packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "published": "2017-04-03T00:00:00", "modified": "2017-04-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/99139", "reporter": "This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://lists.debian.org/debian-lts-announce/2017/04/msg00000.html", "https://packages.debian.org/source/wheezy/ejabberd"], "cvelist": ["CVE-2014-8760"], "type": "nessus", "lastseen": "2021-01-12T09:44:21", "edition": 15, "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-8760"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310890881"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14052", "SECURITYVULNS:DOC:31306"]}, {"type": "debian", "idList": ["DEBIAN:DLA-881-1:D3590"]}, {"type": "archlinux", "idList": ["ASA-201410-13"]}, {"type": "nessus", "idList": ["MANDRIVA_MDVSA-2014-207.NASL", "MANDRIVA_MDVSA-2015-175.NASL"]}], "modified": "2021-01-12T09:44:21", "rev": 2}, "score": {"value": 5.2, "vector": "NONE", "modified": "2021-01-12T09:44:21", "rev": 2}, "vulnersScore": 5.2}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-881-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99139);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-8760\");\n script_bugtraq_id(70415);\n\n script_name(english:\"Debian DLA-881-1 : ejabberd security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was found that ejabberd does not enforce the starttls_required\nsetting when compression is used, which causes clients to establish\nconnections without encryption.\n\nFor Debian 7 'Wheezy', this problem has been fixed in version\n2.1.10-4+deb7u2.\n\nThis update also disables the insecure SSLv3.\n\nWe recommend that you upgrade your ejabberd packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/04/msg00000.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/ejabberd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected ejabberd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ejabberd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"ejabberd\", reference:\"2.1.10-4+deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Debian Local Security Checks", "pluginID": "99139", "cpe": ["p-cpe:/a:debian:debian_linux:ejabberd", "cpe:/o:debian:debian_linux:7.0"], "scheme": null}
{"cve": [{"lastseen": "2021-02-02T06:14:35", "description": "ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.", "edition": 6, "cvss3": {}, "published": "2014-10-25T00:55:00", "title": "CVE-2014-8760", "type": "cve", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8760"], "modified": "2015-09-10T15:56:00", "cpe": ["cpe:/a:process-one:ejabberd:2.1.12"], "id": "CVE-2014-8760", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8760", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:process-one:ejabberd:2.1.12:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-01-29T20:09:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8760"], "description": "It was found that ejabberd does not enforce the starttls_required\nsetting when compression is used, which causes clients to establish\nconnections without encryption.", "modified": "2020-01-29T00:00:00", "published": "2018-01-17T00:00:00", "id": "OPENVAS:1361412562310890881", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890881", "type": "openvas", "title": "Debian LTS: Security Advisory for ejabberd (DLA-881-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program 
is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890881\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2014-8760\");\n script_name(\"Debian LTS: Security Advisory for ejabberd (DLA-881-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-17 00:00:00 +0100 (Wed, 17 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/04/msg00000.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"ejabberd on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this problem has been fixed in 
version\n2.1.10-4+deb7u2.\n\nThis update also disables the insecure SSLv3.\n\nWe recommend that you upgrade your ejabberd packages.\");\n\n script_tag(name:\"summary\", value:\"It was found that ejabberd does not enforce the starttls_required\nsetting when compression is used, which causes clients to establish\nconnections without encryption.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"ejabberd\", ver:\"2.1.10-4+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-07T11:54:46", "description": "Updated ejabberd packages fix security vulnerability :\n\nA flaw was discovered in ejabberd that allows clients to connect with\nan unencrypted connection even if starttls_required is set\n(CVE-2014-8760).", "edition": 25, "published": "2014-10-27T00:00:00", "title": "Mandriva Linux Security Advisory : ejabberd (MDVSA-2014:207)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8760"], "modified": "2014-10-27T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:ejabberd-devel", "p-cpe:/a:mandriva:linux:ejabberd", "p-cpe:/a:mandriva:linux:ejabberd-doc"], "id": "MANDRIVA_MDVSA-2014-207.NASL", "href": "https://www.tenable.com/plugins/nessus/78686", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:207. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78686);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-8760\");\n script_bugtraq_id(70415);\n script_xref(name:\"MDVSA\", value:\"2014:207\");\n\n script_name(english:\"Mandriva Linux Security Advisory : ejabberd (MDVSA-2014:207)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated ejabberd packages fix security vulnerability :\n\nA flaw was discovered in ejabberd that allows clients to connect with\nan unencrypted connection even if starttls_required is set\n(CVE-2014-8760).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0417.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected ejabberd, ejabberd-devel and / or ejabberd-doc\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ejabberd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ejabberd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ejabberd-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"ejabberd-2.1.13-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"ejabberd-devel-2.1.13-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"ejabberd-doc-2.1.13-1.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T11:51:47", "description": "Updated ejabberd packages fix security vulnerability :\n\nA flaw was discovered in ejabberd that allows clients to connect with\nan unencrypted connection even if starttls_required is 
set\n(CVE-2014-8760).", "edition": 24, "published": "2015-03-31T00:00:00", "title": "Mandriva Linux Security Advisory : ejabberd (MDVSA-2015:175)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8760"], "modified": "2015-03-31T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:2", "p-cpe:/a:mandriva:linux:ejabberd-devel", "p-cpe:/a:mandriva:linux:ejabberd", "p-cpe:/a:mandriva:linux:ejabberd-doc"], "id": "MANDRIVA_MDVSA-2015-175.NASL", "href": "https://www.tenable.com/plugins/nessus/82450", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:175. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82450);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-8760\");\n script_xref(name:\"MDVSA\", value:\"2015:175\");\n\n script_name(english:\"Mandriva Linux Security Advisory : ejabberd (MDVSA-2015:175)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated ejabberd packages fix security vulnerability :\n\nA flaw was discovered in ejabberd that allows clients to connect with\nan unencrypted connection even if starttls_required is set\n(CVE-2014-8760).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0417.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected ejabberd, ejabberd-devel and / or ejabberd-doc\npackages.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ejabberd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ejabberd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ejabberd-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"ejabberd-2.1.13-4.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"ejabberd-devel-2.1.13-4.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"ejabberd-doc-2.1.13-4.1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if 
(report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:46", "bulletinFamily": "unix", "cvelist": ["CVE-2014-8760"], "description": "It was discovered that ejabberd does not enforce the starttls_required\nsetting when compression is used, which causes clients to unexpectedly\nestablish connections without encryption.", "modified": "2014-10-27T00:00:00", "published": "2014-10-27T00:00:00", "id": "ASA-201410-13", "href": "https://lists.archlinux.org/pipermail/arch-security/2014-October/000124.html", "type": "archlinux", "title": "ejabberd: circumvention of encryption", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:55", "bulletinFamily": "software", "cvelist": ["CVE-2014-8760"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2014:207\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : ejabberd\r\n Date : October 24, 2014\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated ejabberd packages fix security vulnerability:\r\n \r\n A flaw was discovered in ejabberd that allows clients to connect\r\n with an unencrypted connection even if starttls_required is set\r\n (CVE-2014-8760).\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8760\r\n http://advisories.mageia.org/MGASA-2014-0417.html\r\n 
_______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n 533346bb2ba902a080d0d3324ca810b0 mbs1/x86_64/ejabberd-2.1.13-1.1.mbs1.x86_64.rpm\r\n 91b2a4281867758dff1a12c46180c655 mbs1/x86_64/ejabberd-devel-2.1.13-1.1.mbs1.x86_64.rpm\r\n 925908a2c562772ba8e712588d7349b4 mbs1/x86_64/ejabberd-doc-2.1.13-1.1.mbs1.x86_64.rpm \r\n 5a685a93b783294db368cf9737f28723 mbs1/SRPMS/ejabberd-2.1.13-1.1.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFUSkNOmqjQ0CJFipgRAgRFAKCM09fKC2T8zFPfwOf8qFL3xJVvUgCfWktC\r\nLDrp6MmHQXGQU8VF/xuHCVw=\r\n=Ccu/\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2014-10-27T00:00:00", "published": "2014-10-27T00:00:00", "id": "SECURITYVULNS:DOC:31306", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31306", "title": "[ MDVSA-2014:207 ] ejabberd", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "cvelist": 
["CVE-2014-8760"], "description": "Server does not enforce encryption.", "edition": 1, "modified": "2014-10-27T00:00:00", "published": "2014-10-27T00:00:00", "id": "SECURITYVULNS:VULN:14052", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14052", "title": "ejabberd protection bypass", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "debian": [{"lastseen": "2019-05-30T02:22:31", "bulletinFamily": "unix", "cvelist": ["CVE-2014-8760"], "description": "Package : ejabberd\nVersion : 2.1.10-4+deb7u2\nCVE ID : CVE-2014-8760\nDebian Bug : 767521 767535\n\nIt was found that ejabberd does not enforce the starttls_required\nsetting when compression is used, which causes clients to establish\nconnections without encryption.\n\nFor Debian 7 \"Wheezy\", this problem has been fixed in version\n2.1.10-4+deb7u2.\n\nThis update also disables the insecure SSLv3.\n\nWe recommend that you upgrade your ejabberd packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2017-04-01T19:53:25", "published": "2017-04-01T19:53:25", "id": "DEBIAN:DLA-881-1:D3590", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201704/msg00000.html", "title": "[SECURITY] [DLA 881-1] ejabberd security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}