Version in base suite: 24.12-3+deb13u1 Base version: ejabberd_24.12-3+deb13u1 Target version: ejabberd_24.12-3+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/ejabberd/ejabberd_24.12-3+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/ejabberd/ejabberd_24.12-3+deb13u2.dsc changelog | 7 +++++++ control | 4 ++-- patches/series | 1 + patches/src.ejabberd_s2s_in.patch | 34 ++++++++++++++++++++++++++++++++++ 4 files changed, 44 insertions(+), 2 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4vs0to43/ejabberd_24.12-3+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4vs0to43/ejabberd_24.12-3+deb13u2.dsc: no acceptable signature found
diff -Nru ejabberd-24.12/debian/changelog ejabberd-24.12/debian/changelog
--- ejabberd-24.12/debian/changelog 2025-12-27 22:45:41.000000000 +0000
+++ ejabberd-24.12/debian/changelog 2026-03-15 08:24:05.000000000 +0000
@@ -1,3 +1,10 @@
+ejabberd (24.12-3+deb13u2) trixie; urgency=medium
+
+ [ Holger Weiss ]
+ * Ignore cert purpose for incoming s2s connections
+
+ -- Philipp Huebner Sun, 15 Mar 2026 09:24:05 +0100
+
 ejabberd (24.12-3+deb13u1) trixie; urgency=medium
 
 * Correctly remove no longer shipped conffile (apparmor profile)
diff -Nru ejabberd-24.12/debian/control ejabberd-24.12/debian/control
--- ejabberd-24.12/debian/control 2025-12-27 22:45:41.000000000 +0000
+++ ejabberd-24.12/debian/control 2026-03-15 07:50:20.000000000 +0000
@@ -32,7 +32,7 @@
 erlang-p1-sqlite3 (>= 1.1.15-2~),
 erlang-p1-stringprep (>= 1.0.30-2~),
 erlang-p1-stun (>= 1.2.15),
- erlang-p1-tls (>= 1.1.22),
+ erlang-p1-tls (>= 1.1.22-1+deb13u1),
 erlang-p1-utils (>= 1.0.26),
 erlang-p1-xml (>= 1.1.55),
 erlang-p1-xmpp (>= 1.9.4),
@@ -71,7 +71,7 @@
 erlang-p1-pkix (>= 1.0.10-2~),
 erlang-p1-stringprep (>= 1.0.30-2~),
 erlang-p1-stun (>= 1.2.15),
- erlang-p1-tls (>= 1.1.22),
+ erlang-p1-tls (>= 1.1.22-1+deb13u1),
 erlang-p1-utils (>= 1.0.26),
 erlang-p1-xml (>= 1.1.55),
 erlang-p1-xmpp (>= 1.9.4),
diff -Nru ejabberd-24.12/debian/patches/series ejabberd-24.12/debian/patches/series
--- ejabberd-24.12/debian/patches/series 2025-12-27 22:45:41.000000000 +0000
+++ ejabberd-24.12/debian/patches/series 2026-03-15 07:50:20.000000000 +0000
@@ -8,3 +8,4 @@
 fix-spelling-errors.patch
 remove_an-trap_macro.patch
 133d52d04023d603283a7796c46bc40ffc7cd3c2.patch
+src.ejabberd_s2s_in.patch
diff -Nru ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch
--- ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch 1970-01-01 00:00:00.000000000 +0000
+++ ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch 2026-03-15 07:50:20.000000000 +0000
@@ -0,0 +1,34 @@
+From 8032358dc720c59c799fa2a7e2153e2b3d2ea2a2 Mon Sep 17 00:00:00 2001
+From: Holger Weiss
+Date: Sat, 21 Feb 2026 19:35:23 +0100
+Subject: [PATCH] Ignore cert purpose for incoming s2s connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since web browser certificate authority requirements no longer allow for
+including the client purpose flag, let s2s listeners ignore certificate
+purposes when authenticating incoming connections.
+
+Based on upstream commit 72bc9b6c7f6afce7aa671a47eee343cc25b0abcb by
+Paweł Chmielowski .
+---
+ src/ejabberd_s2s_in.erl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
+index 1af45a16..8a7817cc 100644
+--- a/src/ejabberd_s2s_in.erl
++++ b/src/ejabberd_s2s_in.erl
+@@ -138,7 +138,7 @@ process_closed(#{server := LServer} = State, Reason) ->
+ %%% xmpp_stream_in callbacks
+ %%%===================================================================
+ tls_options(#{tls_options := TLSOpts, lserver := LServer, server_host := ServerHost}) ->
+- ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts).
++ [override_cert_purpose | ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts)].
+
+ tls_required(#{server_host := ServerHost}) ->
+ ejabberd_s2s:tls_required(ServerHost).
+--
+2.39.5
+
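Review bot: The new `tls_options/1` body in the embedded patch prepends `override_cert_purpose` unconditionally and without a comment, so nothing in the code tells a later reader that inbound s2s peers are now accepted regardless of their certificate's purpose flags, or why. I would add a comment above the clause such as `%% Public CAs no longer issue certs with the client purpose flag; skip the purpose check for inbound s2s only.` It is not visible from this hunk which checks remain once the purpose is overridden, so it is worth confirming that chain and domain verification of the peer certificate are unaffected. The option is presumably only recognised by the erlang-p1-tls version that debian/control now requires (>= 1.1.22-1+deb13u1), so the two changes have to ship together.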