This post is about how I discovered a (security) bug in an open source project and how it has been handled. I’ll try to update this post or add new ones if the situation changes. However, I think it’s good to have something public, as not everyone reads all the bug trackers out there.
First a few things:
- Openfire is a Jabber/XMPP server by Jive Software and the Igniterealtime community. It’s open source and free. Besides ejabberd, it is one of the top Jabber/XMPP servers out there. It has a neat web interface, etc.
- Empathy. Ubuntu (GNOME??) introduced a new standard messenger, Empathy. It has a Jabber module called “telepathy-gabble” which handles connections and related things. Basically every user new to Ubuntu will use this messenger instead of Gajim or PSI (which I would prefer).
I maintain an Openfire server for my family and some friends. It’s not locked down, so it allows outside connections to other Jabber/XMPP users out there, e.g. Google Mail, GMX, web.de, JabJab. As only a few users are online at the same time, it’s easy to see which outside connections are currently open. (If you don’t know what Jabber is, read about it on Wikipedia – in short: it’s a decentralized instant messaging protocol.)
So recently I discovered my server having more server-to-server connections open than I’d expect. A few of the additional ones are:
- proxy.fsinf.at
- proxy.jabber.minus273.org
- proxy.jabber.planetteamspeak.com
- proxy.jabber.tf-network.de
- proxy.jabjab.de
- proxy.jabster.pl
- proxy.schokokeks.org
- proxy.ubuntu-jabber.net
- proxy.verdammung.org
- proxy.911910.cn
- proxy.vke.ru
Especially the last two can be fun for a server admin. Server-to-server connections to unknown servers in Russia and China. Yay! Fun!
Ok, so what now? Where to start?
Continue reading “Empathy/telepathy-gabble opens unneeded s2s connections [Update 5]”