- -------------------------------------------------------------------------
Debian Security Advisory DSA-2775-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
October 10, 2013                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ejabberd
Vulnerability  : insecure SSL usage
Problem type   : remote
Debian-specific: no
Debian Bug     : 722105

It was discovered that ejabberd, a Jabber/XMPP server, uses SSLv2 and
weak ciphers for communication, which are considered insecure. The
software offers no runtime configuration options to disable these. This
update disables the use of SSLv2 and weak ciphers.

The updated package for Debian 7 (wheezy) also contains auxiliary
bugfixes originally staged for the next stable point release.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.1.5-3+squeeze2.

For the stable distribution (wheezy), this problem has been fixed in
version 2.1.10-4+deb7u1.

For the testing distribution (jessie), and unstable distribution (sid),
this problem will be fixed soon.

We recommend that you upgrade your ejabberd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org