1
0
mirror of https://github.com/moparisthebest/xeps synced 2024-11-25 02:32:18 -05:00

Merge branch 'compression-vulns' into premerge

This commit is contained in:
Jonas Schäfer 2022-03-08 20:54:44 +01:00
commit e4d3f721c2
3 changed files with 17 additions and 5 deletions

View File

@ -10,7 +10,7 @@
<abstract>This document defines an XMPP protocol extension for negotiating compression of XML streams, especially in situations where standard TLS compression cannot be negotiated. The protocol provides a modular framework that can accommodate a wide range of compression algorithms; the ZLIB compression algorithm is mandatory-to-implement, but implementations may support other algorithms in addition.</abstract> <abstract>This document defines an XMPP protocol extension for negotiating compression of XML streams, especially in situations where standard TLS compression cannot be negotiated. The protocol provides a modular framework that can accommodate a wide range of compression algorithms; the ZLIB compression algorithm is mandatory-to-implement, but implementations may support other algorithms in addition.</abstract>
&LEGALNOTICE; &LEGALNOTICE;
<number>0138</number> <number>0138</number>
<status>Final</status> <status>Obsolete</status>
<type>Standards Track</type> <type>Standards Track</type>
<sig>Standards</sig> <sig>Standards</sig>
<dependencies> <dependencies>
@ -30,6 +30,12 @@
<registry/> <registry/>
&hildjj; &hildjj;
&stpeter; &stpeter;
<revision>
<version>2.1</version>
<date>2022-02-10</date>
<initials>tjb</initials>
<remark><p>Obsolete due to security vulnerability.</p></remark>
</revision>
<revision> <revision>
<version>2.0</version> <version>2.0</version>
<date>2009-05-27</date> <date>2009-05-27</date>
@ -178,8 +184,7 @@
</section1> </section1>
<section1 topic='Security Considerations' anchor='security'> <section1 topic='Security Considerations' anchor='security'>
<p>Stream encryption via TLS (as defined in <cite>RFC 3920</cite>) and stream compression (as defined herein) are not mutually exclusive, but stream encryption via TLS MUST be negotiated before negotiation of stream compression in order to secure the stream.</p> <p>Due to attacks like &CRIME; that apply equally to the zlib method defined here, this method is deemed insecure.</p>
<p>Many of the security considerations related to TLS compression (see Section 6 of <cite>RFC 3749</cite>) also apply to stream compression.</p>
</section1> </section1>
<section1 topic='IANA Considerations' anchor='iana'> <section1 topic='IANA Considerations' anchor='iana'>

View File

@ -10,7 +10,7 @@
<abstract>This document specifies how to use the LZW algorithm in XML stream compression.</abstract> <abstract>This document specifies how to use the LZW algorithm in XML stream compression.</abstract>
&LEGALNOTICE; &LEGALNOTICE;
<number>0229</number> <number>0229</number>
<status>Draft</status> <status>Obsolete</status>
<type>Standards Track</type> <type>Standards Track</type>
<sig>Standards</sig> <sig>Standards</sig>
<dependencies> <dependencies>
@ -21,6 +21,12 @@
<supersededby/> <supersededby/>
<shortname>N/A</shortname> <shortname>N/A</shortname>
&stpeter; &stpeter;
<revision>
<version>1.1</version>
<date>2022-02-10</date>
<initials>tjb</initials>
<remark><p>Obsolete due to security vulnerability.</p></remark>
</revision>
<revision> <revision>
<version>1.0</version> <version>1.0</version>
<date>2007-09-26</date> <date>2007-09-26</date>
@ -70,7 +76,7 @@
</section1> </section1>
<section1 topic='Security Considerations' anchor='security'> <section1 topic='Security Considerations' anchor='security'>
<p>The security considerations specified in <cite>XEP-0138</cite> apply to usage of the LZW algorithm.</p> <p>Due to attacks like &CRIME; that apply equally to the lzw method defined here, this method is deemed insecure.</p>
</section1> </section1>
<section1 topic='IANA Considerations' anchor='iana'> <section1 topic='IANA Considerations' anchor='iana'>

View File

@ -279,6 +279,7 @@ THE SOFTWARE.
<!-- miscellaneous URLs --> <!-- miscellaneous URLs -->
<!ENTITY clark "<span class='ref'><link url='http://www.jclark.com/xml/xmlns.htm'>Clark Notation</link></span> <note>Clark Notation, a syntax to allow universal names written as a URI in curly brackets followed by the local name; developed by James Clark. &lt;<link url='http://www.jclark.com/xml/xmlns.htm'>http://www.jclark.com/xml/xmlns.htm</link>&gt;.</note>" > <!ENTITY clark "<span class='ref'><link url='http://www.jclark.com/xml/xmlns.htm'>Clark Notation</link></span> <note>Clark Notation, a syntax to allow universal names written as a URI in curly brackets followed by the local name; developed by James Clark. &lt;<link url='http://www.jclark.com/xml/xmlns.htm'>http://www.jclark.com/xml/xmlns.htm</link>&gt;.</note>" >
<!ENTITY CRIME "<span class='ref'><link url='https://blog.thijsalkema.de/blog/2014/08/07/https-attacks-and-xmpp-2-crime-and-breach/'>CRIME</link></span>" >
<!-- other organizations --> <!-- other organizations -->