Bug 20962

Summary: gajim new security issue CVE-2016-10376
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Source RPM: gajim-0.16.7-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-05-28 19:31:22 CEST 
A CVE has been assigned for a security issue in gajim:
http://openwall.com/lists/oss-security/2017/05/28/1

Mageia 5 is also affected.
David Walser 2017-05-28 19:31:29 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2017-06-01 23:44:33 CEST 
fixed in cauldron

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 Nicolas Lécureuil 2017-06-01 23:46:41 CEST 
pushed in updates_testing

src.rpm:  gajim-0.16.5-1.1.mga5

Assignee: mageia => qa-bugs

Comment 3 David Walser 2017-06-02 03:09:31 CEST 
Advisory:
========================

Updated gajim packages fix security vulnerabilities:

Gajim unconditionally implements the "XEP-0146: Remote Controlling Clients"
extension, which may be abused by malicious XMPP servers to, or example,
extract plaintext from OTR encrypted sessions (CVE-2016-10376).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10376
http://openwall.com/lists/oss-security/2017/05/28/1
========================

Updated packages in core/updates_testing:
========================
gajim-0.16.5-1.1.mga5

from gajim-0.16.5-1.1.mga5.src.rpm
Comment 4 Herman Viaene 2017-06-03 13:41:58 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues
gajim launches OK from CLI, but then .....
Tried to use its wizard to create a jabber account, but got nowhere. Various listed servers were not reachable, on other I got "not acceptable".
Finaly used google to find out: this got me to jabber.hot.chilli.eu website where I could create an account (using same username and password! as with the wizard).
Then I could get gajim to connect, But it lacks some facility to search for someone to connect with if you don't know the jabbername. So that was the end of testing. Searching for previous updates just shows more problems in the past.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-06-09 21:33:53 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith

Comment 5 Dave Hodgins 2017-06-10 02:56:35 CEST 
x86-64. Created an account at dismail.de. Didn't test any further.

Validating the update.

Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2017-06-10 09:02:01 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0166.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED