| Summary: | gajim new security issue CVE-2015-8688 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, davidwhodgins, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/671445/ | | |
| Whiteboard: | advisory MGA5-64-OK | | |
| Source RPM: | gajim-0.16-0.beta1.4.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2016-01-11 21:19:04 CET
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated gajim package fixes security vulnerability:

Gajim before 0.16.5 doesn't verify the origin of roster pushes thus allowing third parties to modify the roster via a man-in-the-middle attack (CVE-2015-8688).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8688
http://gultsch.de/gajim_roster_push_and_message_interception.html
========================

Updated packages in core/updates_testing:
========================
gajim-0.16.5-1.mga5

from gajim-0.16.5-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Fedora has issued an advisory for this today (January 14):
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175503.html

Dave Hodgins
2016-01-19 22:29:28 CET
CC: (none) => davidwhodgins

Trying M5 x64

I wish I knew something about what Jabber is about...
Installed issued:
gajim-0.16-0.beta1.4.mga5
which pulled in a few Python extras. Found (via https://xmpp.net/directory.php) a sensible looking site
http://jabber.apinc.org/
which helpfully suggested using the Jabber client itself to 'join up' citing serverID im.apinc.org . Which I did, it worked; then tried sending messages to myself which got bounced sort of "unable to find server".

BTAIM I updated to:
gajim-0.16.5-1.mga5
after which it did not start at all. From console:
$ gajim
Gajim needs python-nbxmpp >= 0.5.3 to run. Quiting...

So it looks as if something needs adding to the update.

CC: (none) => lewyssmith

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated gajim package fixes security vulnerability:

Gajim before 0.16.5 doesn't verify the origin of roster pushes thus allowing third parties to modify the roster via a man-in-the-middle attack (CVE-2015-8688).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8688
http://gultsch.de/gajim_roster_push_and_message_interception.html
========================

Updated packages in core/updates_testing:
========================
python-nbxmpp-0.5.3-1.mga5
gajim-0.16.5-1.mga5

from SRPMS:
python-nbxmpp-0.5.3-1.mga5.src.rpm
gajim-0.16.5-1.mga5.src.rpm

Whiteboard: advisory feedback => advisory

Testing M5 x64

Updating also to:
python-nbxmpp-0.5.3-1.mga5
[thanks David] enabled Gajim to work (or not) the same as previously, so I am counting it OK.

FWIW The error I got when trying to send messages to myself was:
"error while sending <title> ( remote-server-not-found )".

Whiteboard: advisory => advisory MGA5-64-OK

Dave Hodgins
2016-02-05 03:49:37 CET
Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0046.html

Status: NEW => RESOLVED
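
The origin check whose absence the advisory above describes (CVE-2015-8688), as an added example that is not Gajim's or python-nbxmpp's code: it follows the rule in RFC 6121 section 2.1.6 that a roster push is applied only when it has no 'from' attribute or its 'from' is the account's own bare JID. The function names, JIDs and sample stanzas are constructed for illustration, and JID comparison is simplified to lowercasing.

```python
# Added example: roster-push origin check per RFC 6121 section 2.1.6.
# All JIDs and stanzas below are constructed sample data.
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"
OWN = "juliet@example.com/balcony"  # constructed account JID
PUSH = ('<iq type="set" id="a1"%s>'
        '<query xmlns="jabber:iq:roster">'
        '<item jid="nurse@example.com" subscription="both"/></query></iq>')


def bare_jid(jid):
    """Strip the resource part: user@host/resource -> user@host (lowercased)."""
    return jid.split("/", 1)[0].lower()


def is_trusted_roster_push(stanza_xml, own_jid):
    """Return True only for a roster push the client may apply.

    RFC 6121 2.1.6: ignore the push unless it has no 'from' attribute
    or its 'from' equals the bare JID of the user's own account.
    """
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return False
    # A roster push is an <iq type="set"> carrying a roster <query/>.
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set":
        return False
    if iq.find("{%s}query" % ROSTER_NS) is None:
        return False
    sender = iq.get("from")
    if sender is None:
        return True  # implicitly from the user's own account on the server
    # Compare the whole value: a JID with a resource is not the bare account JID.
    return sender.lower() == bare_jid(own_jid)


def demo():
    """Classify four constructed pushes that differ only in 'from'."""
    cases = {
        "no from": PUSH % "",
        "own bare JID": PUSH % ' from="juliet@example.com"',
        "other user": PUSH % ' from="other@example.net/x"',
        "own full JID": PUSH % ' from="juliet@example.com/balcony"',
    }
    return {name: is_trusted_roster_push(x, OWN) for name, x in cases.items()}
```

A client that applies the roster change only when this check passes drops pushes whose 'from' names any other entity; a production implementation would compare JIDs with proper string preparation rather than lowercasing.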