Bug 10432 - telepathy-gabble new security issue CVE-2013-1431
: telepathy-gabble new security issue CVE-2013-1431
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/552860/
: MGA2TOO has_procedure mga3-64-ok mga3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-06-04 20:44 CEST by David Walser
Modified: 2014-05-08 18:06 CEST (History)
1 user (show)

See Also:
Source RPM: telepathy-gabble-0.17.3-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-06-04 20:44:05 CEST
Debian has issued an advisory on June 3:
http://www.debian.org/security/2013/dsa-2702

This is fixed upstream in 0.17.4 and 0.16.6:
http://lists.freedesktop.org/archives/telepathy/2013-May/006450.html
http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html

Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

I don't know if you'll be able to find any "legacy Jabber" servers to test this against.  They were pretty easy to set up yourself (I used to run one), but we haven't had that software packaged since Mandrake years ago (and probably Mandriva as well).

Advisory:
========================

Updated telepathy-gabble package fixes security vulnerability:

Maksim Otstavnov discovered that the Wocky submodule used by telepathy-gabble
does not respect the tls-required flag on legacy Jabber servers. A network
intermediary could use this vulnerability to bypass TLS verification and
perform a man-in-the-middle attack.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1431
http://www.debian.org/security/2013/dsa-2702
http://lists.freedesktop.org/archives/telepathy/2013-May/006450.html
http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html
========================

Updated packages in core/updates_testing:
========================
telepathy-gabble-0.16.6-1.mga2
telepathy-gabble-0.17.4-1.mga3

from SRPMS:
telepathy-gabble-0.16.6-1.mga2.src.rpm
telepathy-gabble-0.17.4-1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-06-06 15:41:47 CEST
For testing just connecting to jabber with empathy using gmail credentials 

Testing complete mga3 32 & 64
Comment 2 claire robinson 2013-06-06 15:57:27 CEST
Testing complete mga2 32 & 64

Validating

Advisory & srpms in comment 0

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!
Comment 3 Nicolas Vigier 2013-06-18 17:12:42 CEST
http://advisories.mageia.org/MGASA-2013-0170.html

Note You need to log in before you can comment on or make changes to this bug.