Bug 10432 - telepathy-gabble new security issue CVE-2013-1431
Summary: telepathy-gabble new security issue CVE-2013-1431
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/552860/
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-06-04 20:44 CEST by David Walser
Modified: 2014-05-08 18:06 CEST (History)

See Also:
Source RPM: telepathy-gabble-0.17.3-1.mga3.src.rpm
CVE:
Status comment:


Description David Walser 2013-06-04 20:44:05 CEST
Debian has issued an advisory on June 3:
http://www.debian.org/security/2013/dsa-2702

This is fixed upstream in 0.17.4 and 0.16.6:
http://lists.freedesktop.org/archives/telepathy/2013-May/006450.html
http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html

Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

I don't know if you'll be able to find any "legacy Jabber" servers to test this against. They were pretty easy to set up yourself (I used to run one), but we haven't had that software packaged since Mandrake years ago (and probably Mandriva as well).

Advisory:
========================

Updated telepathy-gabble package fixes security vulnerability:

Maksim Otstavnov discovered that the Wocky submodule used by telepathy-gabble
does not respect the tls-required flag on legacy Jabber servers. A network
intermediary could use this vulnerability to bypass TLS verification and
perform a man-in-the-middle attack.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1431
http://www.debian.org/security/2013/dsa-2702
http://lists.freedesktop.org/archives/telepathy/2013-May/006450.html
http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html
========================

Updated packages in core/updates_testing:
========================
telepathy-gabble-0.16.6-1.mga2
telepathy-gabble-0.17.4-1.mga3

from SRPMS:
telepathy-gabble-0.16.6-1.mga2.src.rpm
telepathy-gabble-0.17.4-1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-06-04 20:44:43 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 claire robinson 2013-06-06 15:41:47 CEST
For testing, just connecting to jabber with empathy using gmail credentials.

Testing complete mga3 32 & 64

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok mga3-32-ok

Comment 2 claire robinson 2013-06-06 15:57:27 CEST
Testing complete mga2 32 & 64

Validating

Advisory & srpms in comment 0

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3-32-ok => MGA2TOO has_procedure mga3-64-ok mga3-32-ok mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

Comment 3 Nicolas Vigier 2013-06-18 17:12:42 CEST
http://advisories.mageia.org/MGASA-2013-0170.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:06:53 CEST

CC: boklm => (none)

