XMPP Service Operators - 2021-09-29

  1. MattJ

    fail2ban RCE flaw, may be relevant for some operators: https://research.securitum.com/fail2ban-remote-code-execution/

  2. Maranda

    huhu

  3. Martin

    > Establishing a secure connection from mdosch.de to creep.im failed. Certificate hash: 7e01f09a320af31fec98101812deaa9cd9fff6b68620a8e0987f07fe3b805600. Error with certificate 1: certificate has expired.

  4. ernst.on.tour

    Maybe the LetsEncrypt-RootCert-Timeline ?

  5. Martin

    > Establishing a secure connection from deshalbfrei.org to mdosch.de failed. Certificate hash: 8b6942031fb060cd574bb87fc86d2f28bdfcac7f37696d28591c8ac49e0f8e09. Error with certificate 1: certificate has expired.

  6. ij

    Martin, deshalbfrei.org seems to suffer from the same issue I experienced the last days… maybe there are some expired certs installed on that ejabberd server that were signed with the old CA chain… ejabberd maybe pics the CA from the first (expired) chain and uses that also for the other fullchain.pems, invalidating same… but just a guess… however, deleting those old certs worked for me (plus restarting ejabberd instead of reload-config)

  7. Ellenor Bjornsd.

    i should write a better fail2ban with blackjack and hookers

  8. Ellenor Bjornsd.

    i should write a better fail2ban with blackjack and cookies

  9. moparisthebest

    That's an awesome RCE

  10. Ellenor Bjornsd.

    Is it mitigated if you use a sendmail-compatible submission agent directly?

  11. moparisthebest

    Ellenor Bjornsd.: You aren't using https://www.geoghegan.ca/pfbadhost.html ?

  12. Ellenor Bjornsd.

    I don't use any such solution