A security issue in gajim was announced on December 27:
http://gultsch.de/gajim_roster_push_and_message_interception.html

It was fixed upstream in gajim 0.16.5 on December 28.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated gajim package fixes security vulnerability:

Gajim before 0.16.5 doesn't verify the origin of roster pushes thus allowing third parties to modify the roster via a man-in-the-middle attack (CVE-2015-8688).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8688
http://gultsch.de/gajim_roster_push_and_message_interception.html
========================

Updated packages in core/updates_testing:
========================
gajim-0.16.5-1.mga5

from gajim-0.16.5-1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Fedora has issued an advisory for this today (January 14): https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175503.html
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Trying M5 x64

I wish I knew something about what Jabber is about...

Installed issued: gajim-0.16-0.beta1.4.mga5 which pulled in a few Python extras. Found (via https://xmpp.net/directory.php) a sensible looking site http://jabber.apinc.org/ which helpfully suggested using the Jabber client itself to 'join up' citing serverID im.apinc.org . Which I did, it worked; then tried sending messages to myself which got bounced sort of "unable to find server". BTAIM

I updated to: gajim-0.16.5-1.mga5 after which it did not start at all. From console:

$ gajim
Gajim needs python-nbxmpp >= 0.5.3 to run. Quiting...

So it looks as if something needs adding to the update.

CC: (none) => lewyssmith
Whiteboard: advisory => advisory feedback
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated gajim package fixes security vulnerability:

Gajim before 0.16.5 doesn't verify the origin of roster pushes thus allowing third parties to modify the roster via a man-in-the-middle attack (CVE-2015-8688).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8688
http://gultsch.de/gajim_roster_push_and_message_interception.html
========================

Updated packages in core/updates_testing:
========================
python-nbxmpp-0.5.3-1.mga5
gajim-0.16.5-1.mga5

from SRPMS:
python-nbxmpp-0.5.3-1.mga5.src.rpm
gajim-0.16.5-1.mga5.src.rpm
Whiteboard: advisory feedback => advisory
Testing M5 x64

Updating also to: python-nbxmpp-0.5.3-1.mga5 [thanks David] enabled Gajim to work (or not) the same as previously, so I am counting it OK.

FWIW The error I got when trying to send messages to myself was: "error while sending <title> ( remote-server-not-found )".
Whiteboard: advisory => advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0046.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
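
Added example, not Gajim's code and not part of the bug thread: the origin check whose absence the advisory describes, following RFC 6121 section 2.1.6 (a client ignores a roster push unless `from` is absent or equals its own bare JID). The function names, the JIDs and the sample stanzas are constructed for illustration, and JID comparison is simplified to lowercasing.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"


def bare_jid(jid):
    """Drop the resource part; lowercase as a simplified stand-in for stringprep."""
    return jid.split("/", 1)[0].lower()


def accept_roster_push(stanza_xml, own_jid):
    """Return True only for a roster push that originates from our own account.

    RFC 6121 section 2.1.6: ignore the push unless 'from' is absent or
    matches the user's bare JID.
    """
    iq = ET.fromstring(stanza_xml)  # constructed input; a client uses its stream parser
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set":
        return False  # not an IQ-set, so not a roster push at all
    if iq.find("{%s}query" % ROSTER_NS) is None:
        return False  # IQ-set for some other namespace
    sender = iq.get("from")
    if sender is None:
        return True  # implicitly from the account's own server session
    return sender.lower() == bare_jid(own_jid)


# Constructed sample stanzas (hypothetical JIDs).
OWN = "juliet@example.com/balcony"
ITEM = '<query xmlns="jabber:iq:roster"><item jid="%s" subscription="both"/></query>'
SAMPLES = {
    "no_from": '<iq type="set" id="a1">' + ITEM % "nurse@example.com" + "</iq>",
    "own_bare": '<iq type="set" id="a2" from="juliet@example.com">'
                + ITEM % "nurse@example.com" + "</iq>",
    "third_party": '<iq type="set" id="a3" from="mallory@example.net/x">'
                   + ITEM % "mallory@example.net" + "</iq>",
    "not_a_push": '<iq type="result" id="a4" from="mallory@example.net/x">'
                  + ITEM % "mallory@example.net" + "</iq>",
}


def classify(samples=SAMPLES, own_jid=OWN):
    """Map each sample name to whether its roster change may be applied."""
    return {name: accept_roster_push(xml, own_jid) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, ok in classify().items():
        print("%-12s %s" % (name, "apply" if ok else "ignore"))
```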