Status of JM-1531 and JM-1532

I’m trying to determine whether the fixes that were made for JM-1531 and JM-1532 are included in the current download version of Openfire 3.6.4, or whether they will be fixed in Openfire 3.6.5. Appreciate any help to clarify their status.

JM-1531 is included in 3.6.4 release. JM-1532 will be included in 3.6.5 release.

Thank you. If you’ll permit a couple of follow-on questions:

  1. Do you know when 3.6.5 will be available? Not beta, but production release.

  2. Is the code fix/mitigation action for JM1532 available on the site anywhere? We need to get on with using Openfire and will likely have to go with 3.6.4 if 3.6.5 isn’t coming out any time soon. In order to pass our security accreditation we may need to mitigate the JM-1532 issue by altering the code.

Thanks again. If I should be chatting with someone else, just let me know…don’t want to take up all your time.

jmart10 wrote:

  1. Do you know when 3.6.5 will be available? Not beta, but production release.

Hard to tell. Official devs have been promising “soon” for weeks now. Today Matt has posted about the license change and again mentioned “soon”. So this can be tomorrow or after a month. Sorry, no better answer. Official devs are not very active with this project anymore and community doesn’t have all the powers to do releases. Yet.

  2. Is the code fix/mitigation action for JM1532 available on the site anywhere?

No, as far as I know. I think that you only need recompiled openfire.jar file and I can compile and attach it for you. But I can’t guarantee this will work ok. And maybe your security policies won’t allow such patches.

If I should be chatting with someone else, just let me know…don’t want to take up all your time.

This is the right place to ask. Of course, you can try contacting Matt directly and ask about the release date. It’s ok to take my time.

Thanks for the quick reply. I’ll have to get back to you regarding the recompiled .jar file. Need to check on that with security folks.

Thanks for all your help. Cheers.

The fix for JM-1532 can be worked around in older releases by manually setting the ‘register.password’ and ‘xmpp.auth.iqauth’ to false on the admin console server settings. This makes things doubly sure.

daryl

Very helpful. Thank you.