Mageia Bugzilla – Bug 10432
telepathy-gabble new security issue CVE-2013-1431
Last modified: 2014-05-08 18:06:53 CEST
Debian has issued an advisory on June 3:
This is fixed upstream in 0.17.4 and 0.16.6:
Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.
I don't know if you'll be able to find any "legacy Jabber" servers to test this against. They were pretty easy to set up yourself (I used to run one), but we haven't had that software packaged since Mandrake years ago (and probably Mandriva as well).
Updated telepathy-gabble package fixes security vulnerability:
Maksim Otstavnov discovered that the Wocky submodule used by telepathy-gabble
does not respect the tls-required flag on legacy Jabber servers. A network
intermediary could use this vulnerability to bypass TLS verification and
perform a man-in-the-middle attack.
Updated packages in core/updates_testing:
Steps to Reproduce:
For testing, just connecting to Jabber with Empathy using Gmail credentials.
Testing complete mga3 32 & 64
Testing complete mga2 32 & 64
Advisory & srpms in comment 0
Could sysadmin please push from 2 & 3 core/updates_testing to core/updates?