I’m tryng to determine whether the fixes that were made for JM-1531 and JM-1532 are included in the current download version of Openfire 3.6.4, or whether they will be fixed in Openfire 3.6.5. Appreciate any help to clarify their status.
JM-1531 is included in 3.6.4 release. JM-1532 will be included in 3.6.5 release.
Thank you. If you’ll permit a couple of follow-on questions:
Do you know when 3.6.5 will be available? Not beta, but production release.
Is the code fix/mitigation action for JM1532 available on the site anywhere? We need to get on with using Openfire and will likely have to go with 3.6.4 if 3.6.5 isn’t coming out any time soon. In order to pass our security accreditation we may need to mitigate the JM-1532 issue by altering the code.
Thanks again. If I should be chatting with someone else, just let me know…don’t want to take up all your time.
- Do you know when 3.6.5 will be available? Not beta, but production release.
Hard to tell. Official devs has been promising “soon” for weeks now. Today Matt has posted about the license change and again mentioned “soon”. So this can be tomorrow or after a month. Sorry, no better answer. Official devs are not very active with this project anymore and community doesnt have all the powers to do releases. Yet.
- Is the code fix/mitigation action for JM1532 available on the site anywhere?
No, as far as i know. I think that you only need recompiled openfire.jar file and i can compile and attach it for you. But i cant quarantee this will work ok. And maybe your security policies won’t allow such patches.
If I should be chatting with someone else, just let me know…don’t want to take up all your time.
This is the right place to ask. Of course, you can try contacting Matt directly and ask about the release date. It’s ok to take my time
Thanks for the quick reply. I’ll have to get back to you regarding the recompiled .jar file. Need to check on that with security folks.
Thanks for all your help. Cheers.
The fix for JM-1532 can be worked around in older releases by manually setting the ‘register.password’ and ‘xmpp.auth.iqauth’ to false on the admin console server settings. This makes things doubley sure.
Very helpful. Thank you.