Bug 10432

Summary: telepathy-gabble new security issue CVE-2013-1431
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/552860/
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3-32-ok mga2-64-ok mga2-32-ok
Source RPM: telepathy-gabble-0.17.3-1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-06-04 20:44:05 CEST 
Debian has issued an advisory on June 3:
http://www.debian.org/security/2013/dsa-2702

This is fixed upstream in 0.17.4 and 0.16.6:
http://lists.freedesktop.org/archives/telepathy/2013-May/006450.html
http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html

Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

I don't know if you'll be able to find any "legacy Jabber" servers to test this against.  They were pretty easy to set up yourself (I used to run one), but we haven't had that software packaged since Mandrake years ago (and probably Mandriva as well).

Advisory:
========================

Updated telepathy-gabble package fixes security vulnerability:

Maksim Otstavnov discovered that the Wocky submodule used by telepathy-gabble
does not respect the tls-required flag on legacy Jabber servers. A network
intermediary could use this vulnerability to bypass TLS verification and
perform a man-in-the-middle attack.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1431
http://www.debian.org/security/2013/dsa-2702
http://lists.freedesktop.org/archives/telepathy/2013-May/006450.html
http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html
========================

Updated packages in core/updates_testing:
========================
telepathy-gabble-0.16.6-1.mga2
telepathy-gabble-0.17.4-1.mga3

from SRPMS:
telepathy-gabble-0.16.6-1.mga2.src.rpm
telepathy-gabble-0.17.4-1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-06-04 20:44:43 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 claire robinson 2013-06-06 15:41:47 CEST 
For testing just connecting to jabber with empathy using gmail credentials 

Testing complete mga3 32 & 64

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok mga3-32-ok

Comment 2 claire robinson 2013-06-06 15:57:27 CEST 
Testing complete mga2 32 & 64

Validating

Advisory & srpms in comment 0

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3-32-ok => MGA2TOO has_procedure mga3-64-ok mga3-32-ok mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

Comment 3 Nicolas Vigier 2013-06-18 17:12:42 CEST 
http://advisories.mageia.org/MGASA-2013-0170.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:06:53 CEST

CC: boklm => (none)