Debian-LTS has issued an advisory on November 27: https://lwn.net/Alerts/707472/ The Debian bug has a link to the upstream commit to fix the issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845258 Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11, pterjan
Assignee: bugsquad => pkg-bugs
An update to version 1.0.4 for cauldron has been pushed. A fix for MGA5 is in the works.
CC: (none) => mrambo
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated mcabber package fixes security vulnerability:

It was discovered that there was a "roster push attack" vulnerability in mcabber, a console-based Jabber (XMPP) client. A remote attacker can modify the roster and intercept messages via a crafted roster-push IQ stanza.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845258
========================

Updated packages in core/updates_testing:
========================
mcabber-0.10.1-9.1.mga5
mcabber-debuginfo-0.10.1-9.1.mga5

from mcabber-0.10.1-9.1.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
CVE request: http://openwall.com/lists/oss-security/2016/12/09/5
(In reply to David Walser from comment #4)
> CVE request:
> http://openwall.com/lists/oss-security/2016/12/09/5

CVE-2016-9928:
http://openwall.com/lists/oss-security/2016/12/11/2

Advisory:
========================

Updated mcabber package fixes security vulnerability:

It was discovered that there was a "roster push attack" vulnerability in mcabber, a console-based Jabber (XMPP) client. A remote attacker can modify the roster and intercept messages via a crafted roster-push IQ stanza (CVE-2016-9928).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9928
https://lwn.net/Alerts/707472/
http://openwall.com/lists/oss-security/2016/12/11/2
Summary: mcabber new roster push attack security issue (similar to CVE-2015-8688 in gajim) => mcabber new roster push attack security issue (similar to CVE-2015-8688 in gajim) (CVE-2016-9928)
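The check that closes a roster push attack, as an added example that is not mcabber's code and not the upstream fix linked from the Debian bug: RFC 6121 section 2.1.6 requires a client to apply a roster push only when the IQ stanza carries no 'from' attribute (implicitly the user's own server) or its 'from' is the user's own bare JID; a push from anyone else must be ignored. A client that skips this check lets any remote JID rewrite the roster, for instance by adding its own JID under a contact's display name so that messages meant for that contact reach the attacker. The stanzas, the account alice@example.com and the attacker JID are constructed for this example, and lower-casing the whole JID stands in for the per-part stringprep normalisation a real client performs (an assumption of the example).

```python
"""Roster push sender validation per RFC 6121 section 2.1.6.

Added example; not mcabber's code. All stanzas are constructed.
"""
import xml.etree.ElementTree as ET

NS_ROSTER = "jabber:iq:roster"


def local_name(tag):
    """Return an element tag without its '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]


def bare_jid(jid):
    """user@domain/resource -> user@domain.

    Lower-casing the whole JID approximates the RFC 6122 stringprep
    profiles applied to each part (assumption for this example).
    """
    return jid.split("/", 1)[0].lower()


def roster_push_items(stanza_xml, own_jid):
    """Decide whether a received IQ stanza is a roster push we may apply.

    Returns (accepted, reason, items); items is a list of
    (jid, name, subscription) tuples, empty unless accepted.
    """
    root = ET.fromstring(stanza_xml)
    if local_name(root.tag) != "iq" or root.get("type") != "set":
        return False, "not an IQ set", []
    query = root.find("{%s}query" % NS_ROSTER)
    if query is None:
        return False, "not a roster push", []
    sender = root.get("from")
    # RFC 6121 2.1.6: no 'from' means the user's own account/server;
    # any other sender must match the user's bare JID or be ignored.
    if sender is not None and bare_jid(sender) != bare_jid(own_jid):
        return False, "roster push from %s ignored" % sender, []
    items = [(item.get("jid"), item.get("name"), item.get("subscription"))
             for item in query if local_name(item.tag) == "item"]
    return True, "accepted", items


# Constructed sample data (assumed account and sender JIDs).
OWN_JID = "alice@example.com/mcabber"

LEGIT_PUSH = """<iq type='set' id='p1'>
  <query xmlns='jabber:iq:roster'>
    <item jid='bob@example.com' name='Bob' subscription='both'/>
  </query>
</iq>"""

LEGIT_PUSH_WITH_FROM = """<iq type='set' id='p2' from='alice@example.com'>
  <query xmlns='jabber:iq:roster'>
    <item jid='carol@example.com' name='Carol' subscription='both'/>
  </query>
</iq>"""

# Crafted push from an unrelated JID: it adds the attacker's own JID under
# Bob's display name, which is what an unchecked client would apply.
CRAFTED_PUSH = """<iq type='set' id='p3' from='mallory@attacker.example'>
  <query xmlns='jabber:iq:roster'>
    <item jid='mallory@attacker.example' name='Bob' subscription='both'/>
  </query>
</iq>"""

NOT_A_PUSH = """<iq type='result' id='p4' from='alice@example.com'>
  <query xmlns='jabber:iq:roster'/>
</iq>"""


if __name__ == "__main__":
    for label, stanza in (("legit", LEGIT_PUSH),
                          ("legit+from", LEGIT_PUSH_WITH_FROM),
                          ("crafted", CRAFTED_PUSH),
                          ("result", NOT_A_PUSH)):
        accepted, reason, items = roster_push_items(stanza, OWN_JID)
        print("%-11s accepted=%-5s %s %s" % (label, accepted, reason, items))
```

The comparison is on bare JIDs, so the user's own full JID can be passed in as configured; an attacker cannot reach that branch because the server stamps the real sender into 'from' for stanzas originating from other accounts.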
MGA5-32 on Acer D620
No installation issues
This is a PITA. I have a jabber account, never used it, and password???? Service for lost password consists of me providing info I do not know anymore, and then blocking the account for one week before a password is returned. Firefox shows a warning that the site jabber.org is not safe.
Anyway, launching mcabber works (provided you create the .mcabber folder manually, and get a sample config file from the internet). Then it has issues with SSL/TLS etc.....
So it launches OK, but I never want to see it again.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Advisory uploaded, mostly from Comment 5, + details from Comment 3.
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
@Herman re Comment 6: Thanks for a good laugh!

Trying M5 x64 BEFORE the update, installed:
mcabber-0.10.1-9.mga5.x86_64.rpm
and tried it ($ mcabber ; /quit to quit it):
12-30 20:34:10 No configuration file has been found.

From its man page:
  mcabber(1) is a small Jabber (XMPP) console client. For now it needs a configuration file to start, so please copy the sample mcabberrc file and adapt your connection settings. You also need to have an existing Jabber account to use this software, as it cannot (un)register accounts yet.
  ...
  FILES
  The following files can be used by mcabber(1):
  $HOME/.mcabber/mcabberrc   Default configuration file
  $HOME/.mcabberrc           Configuration file used if no other has been found
  $HOME/.mcabber/histo/      Default directory for storing chat history files

So, from its site https://mcabber.com/ downloaded the sample config file:
https://mcabber.com/files/mcabberrc.example
$ mkdir ~/.mcabber
$ mv mcabberrc.example ~/.mcabber/mcabberrc
The config file, and the man page, are well documented.

$ mcabber
[20:56:27] Bad permissions [/home/lewis/.mcabber/mcabberrc]
[20:56:27] Permissions have been corrected
[20:56:27] Reading /home/lewis/.mcabber/mcabberrc
[20:56:27] WARNING: Bad permissions [/home/lewis/.mcabber/]
[20:56:27] User JID: yourusername@domain
Please enter your Jabber password:
Rubbish password, connection failure - of course.

It left permissions:
drwxr-xr-x 2 lewis lewis  4096 Rha 30 20:42 .mcabber/
-rw------- 1 lewis lewis 24307 Rha 30 20:39 mcabberrc
Manually changing ~/.mcabber/ to:
drwx------ 2 lewis lewis  4096 Rha 30 20:42 .mcabber/
got rid of that permissions complaint.

AFTER update to:
mcabber-0.10.1-9.1.mga5
$ mcabber
[21:13:08] Reading /home/lewis/.mcabber/mcabberrc
[21:04:44] User JID: yourusername@domain
Please enter your Jabber password:

It looks sensible, and responds to anodyne /commands. I suspect that anyone conversant with jabber would find this console client rather nice (despite earlier doubts).
Am OKing, validating this update.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0433.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED