| Summary: | mcabber new roster push attack security issue (similar to CVE-2015-8688 in gajim) (CVE-2016-9928) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, marja11, mhrambo3501, pterjan, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/707493/ | ||
| Whiteboard: | MGA5-32-OK advisory MGA5-64-OK | ||
| Source RPM: | mcabber-0.10.1-9.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2016-11-28 20:48:34 CET

David Walser
2016-11-28 20:48:41 CET

Whiteboard: (none) => MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11, pterjan

An update to version 1.0.4 for cauldron has been pushed. A fix for MGA5 is in the works.

CC: (none) => mrambo

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated mcabber package fixes security vulnerability:

It was discovered that there was a "roster push attack" vulnerability in mcabber, a console-based Jabber (XMPP) client. A remote attacker can modify the roster and intercept messages via a crafted roster-push IQ stanza.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845258
========================

Updated packages in core/updates_testing:
========================
mcabber-0.10.1-9.1.mga5
mcabber-debuginfo-0.10.1-9.1.mga5

from mcabber-0.10.1-9.1.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

CVE request: http://openwall.com/lists/oss-security/2016/12/09/5

(In reply to David Walser from comment #4)
> CVE request:
> http://openwall.com/lists/oss-security/2016/12/09/5

CVE-2016-9928:
http://openwall.com/lists/oss-security/2016/12/11/2

Advisory:
========================

Updated mcabber package fixes security vulnerability:

It was discovered that there was a "roster push attack" vulnerability in mcabber, a console-based Jabber (XMPP) client. A remote attacker can modify the roster and intercept messages via a crafted roster-push IQ stanza (CVE-2016-9928).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9928
https://lwn.net/Alerts/707472/
http://openwall.com/lists/oss-security/2016/12/11/2
========================

Summary: mcabber new roster push attack security issue (similar to CVE-2015-8688 in gajim) => mcabber new roster push attack security issue (similar to CVE-2015-8688 in gajim) (CVE-2016-9928)

MGA5-32 on Acer D620
No installation issues.
This is a PITA. I have a jabber account, never used it, and password???? Service for lost password consists of me providing info I do not know anymore, and then blocking the account for one week before a password is returned. Firefox shows a warning that the site jabber.org is not safe.
Anyway, launching mcabber works (provided you create the .mcabber folder manually and get a sample config file from the internet). Then it has issues with SSL/TLS etc.....
So it launches OK, but I never want to see it again.

CC: (none) => herman.viaene

Lewis Smith
2016-12-28 11:05:12 CET

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

@Herman re Comment 6: Thanks for a good laugh!

Trying M5 x64 BEFORE the update, installed:
mcabber-0.10.1-9.mga5.x86_64.rpm
and tried it ($ mcabber ; /quit to quit it):

```
12-30 20:34:10 No configuration file has been found.
```

From its man page:

```
mcabber(1) is a small Jabber (XMPP) console client. For now it needs a
configuration file to start, so please copy the sample mcabberrc file and
adapt your connection settings. You also need to have an existing Jabber
account to use this software, as it cannot (un)register accounts yet.
...
FILES
  The following files can be used by mcabber(1):
    $HOME/.mcabber/mcabberrc   Default configuration file
    $HOME/.mcabberrc           Configuration file used if no other has been found
    $HOME/.mcabber/histo/      Default directory for storing chat history files
```

So, from its site https://mcabber.com/ downloaded the sample config file:
https://mcabber.com/files/mcabberrc.example

```
$ mkdir ~/.mcabber
$ mv mcabberrc.example ~/.mcabber/mcabberrc
```

The config file, and the man page, are well documented.

```
$ mcabber
[20:56:27] Bad permissions [/home/lewis/.mcabber/mcabberrc]
[20:56:27] Permissions have been corrected
[20:56:27] Reading /home/lewis/.mcabber/mcabberrc
[20:56:27] WARNING: Bad permissions [/home/lewis/.mcabber/]
[20:56:27] User JID: yourusername@domain
Please enter your Jabber password:
```

Rubbish password, connection failure - of course. It left permissions:

```
drwxr-xr-x 2 lewis lewis  4096 Rha 30 20:42 .mcabber/
-rw------- 1 lewis lewis 24307 Rha 30 20:39 mcabberrc
```

Manually changing ~/.mcabber/ to:

```
drwx------ 2 lewis lewis  4096 Rha 30 20:42 .mcabber/
```

got rid of that permissions complaint.

AFTER update to: mcabber-0.10.1-9.1.mga5

```
$ mcabber
[21:13:08] Reading /home/lewis/.mcabber/mcabberrc
[21:04:44] User JID: yourusername@domain
Please enter your Jabber password:
```

It looks sensible, and responds to anodyne /commands. I suspect that anyone conversant with jabber would find this console client rather nice (despite earlier doubts).

Am OKing, validating this update.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0433.html

Status: NEW => RESOLVED
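The bug class the advisory describes, a roster push honoured regardless of who sent it, is exactly what RFC 6121 section 2.1.6 forbids: a client must ignore a roster push unless it has no 'from' attribute or 'from' is the user's own bare JID. The following is an added example of that check in Python, not mcabber's code or the patch shipped in this update; the JIDs and stanzas are constructed placeholders.

```python
"""Roster-push validation as required by RFC 6121 section 2.1.6 (added example)."""
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"


def bare_jid(jid):
    """Strip the resource: user@domain/resource -> user@domain (case-folded)."""
    return jid.split("/", 1)[0].lower()


def roster_push_is_trusted(iq, own_jid):
    """RFC 6121 section 2.1.6: a client must ignore a roster push unless it has
    no 'from' (implicitly the user's own server) or 'from' is the user's own
    bare JID. A push 'from' anyone else is the roster push attack: drop it."""
    sender = iq.get("from")
    return sender is None or bare_jid(sender) == bare_jid(own_jid)


def apply_roster_push(roster, stanza_xml, own_jid):
    """Apply one incoming IQ to a roster dict {bare_jid: subscription}.
    Returns (accepted, new_roster); the input roster is never mutated."""
    roster = dict(roster)
    iq = ET.fromstring(stanza_xml)
    query = iq.find("{%s}query" % ROSTER_NS)
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set" or query is None:
        return False, roster  # not a roster push at all
    if not roster_push_is_trusted(iq, own_jid):
        return False, roster  # spoofed push: roster left untouched
    for item in query.findall("{%s}item" % ROSTER_NS):
        jid = bare_jid(item.get("jid"))
        if item.get("subscription") == "remove":
            roster.pop(jid, None)
        else:
            roster[jid] = item.get("subscription", "none")
    return True, roster


# Constructed sample stanzas; the JIDs are placeholders, not real accounts.
OWN_JID = "alice@example.org/mcabber"
LEGIT_PUSH = ("<iq xmlns='jabber:client' type='set' id='p1'>"
              "<query xmlns='jabber:iq:roster'><item jid='bob@example.org' subscription='both'/></query></iq>")
SPOOFED_PUSH = ("<iq xmlns='jabber:client' type='set' id='p2' from='mallory@attacker.example'>"
                "<query xmlns='jabber:iq:roster'><item jid='mallory@attacker.example' subscription='both'/></query></iq>")

if __name__ == "__main__":
    accepted, roster = apply_roster_push({}, LEGIT_PUSH, OWN_JID)
    accepted, roster = apply_roster_push(roster, SPOOFED_PUSH, OWN_JID)
    print(accepted, roster)  # False {'bob@example.org': 'both'}
```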