Merge branch 'compression-vulns' into premerge

xep-0138.xml

@@ -10,7 +10,7 @@
     <abstract>This document defines an XMPP protocol extension for negotiating compression of XML streams, especially in situations where standard TLS compression cannot be negotiated. The protocol provides a modular framework that can accommodate a wide range of compression algorithms; the ZLIB compression algorithm is mandatory-to-implement, but implementations may support other algorithms in addition.</abstract>
     &LEGALNOTICE;
     <number>0138</number>
-    <status>Final</status>
+    <status>Obsolete</status>
     <type>Standards Track</type>
     <sig>Standards</sig>
     <dependencies>
@@ -30,6 +30,12 @@
     <registry/>
     &hildjj;
     &stpeter;
+    <revision>
+      <version>2.1</version>
+      <date>2022-02-10</date>
+      <initials>tjb</initials>
+      <remark><p>Obsolete due to security vulnerability.</p></remark>
+    </revision>
     <revision>
       <version>2.0</version>
       <date>2009-05-27</date>
@@ -178,8 +184,7 @@
   </section1>
 
   <section1 topic='Security Considerations' anchor='security'>
-    <p>Stream encryption via TLS (as defined in <cite>RFC 3920</cite>) and stream compression (as defined herein) are not mutually exclusive, but stream encryption via TLS MUST be negotiated before negotiation of stream compression in order to secure the stream.</p>
-    <p>Many of the security considerations related to TLS compression (see Section 6 of <cite>RFC 3749</cite>) also apply to stream compression.</p>
+    <p>Due to attacks like &CRIME; that apply equally to the zlib method defined here, this method is deemed insecure.</p>
   </section1>
 
   <section1 topic='IANA Considerations' anchor='iana'>

xep-0229.xml

@@ -10,7 +10,7 @@
     <abstract>This document specifies how to use the LZW algorithm in XML stream compression.</abstract>
     &LEGALNOTICE;
     <number>0229</number>
-    <status>Draft</status>
+    <status>Obsolete</status>
     <type>Standards Track</type>
     <sig>Standards</sig>
     <dependencies>
@@ -21,6 +21,12 @@
     <supersededby/>
     <shortname>N/A</shortname>
     &stpeter;
+    <revision>
+      <version>1.1</version>
+      <date>2022-02-10</date>
+      <initials>tjb</initials>
+      <remark><p>Obsolete due to security vulnerability.</p></remark>
+    </revision>
     <revision>
       <version>1.0</version>
       <date>2007-09-26</date>
@@ -70,7 +76,7 @@
   </section1>
 
   <section1 topic='Security Considerations' anchor='security'>
-    <p>The security considerations specified in <cite>XEP-0138</cite> apply to usage of the LZW algorithm.</p>
+    <p>Due to attacks like &CRIME; that apply equally to the lzw method defined here, this method is deemed insecure.</p>
   </section1>
 
   <section1 topic='IANA Considerations' anchor='iana'>

xep.ent

@@ -279,6 +279,7 @@ THE SOFTWARE.
 <!-- miscellaneous URLs -->
 
 <!ENTITY clark "<span class='ref'><link url='http://www.jclark.com/xml/xmlns.htm'>Clark Notation</link></span> <note>Clark Notation, a syntax to allow universal names written as a URI in curly brackets followed by the local name; developed by James Clark. &lt;<link url='http://www.jclark.com/xml/xmlns.htm'>http://www.jclark.com/xml/xmlns.htm</link>&gt;.</note>" >
+<!ENTITY CRIME "<span class='ref'><link url='https://blog.thijsalkema.de/blog/2014/08/07/https-attacks-and-xmpp-2-crime-and-breach/'>CRIME</link></span>" >
 
 <!-- other organizations -->