From: http://seclists.org/oss-sec/2013/q2/438 And ChangeLog: This release fixes a man-in-the-middle attack. You should upgrade. If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP) server, this version of Gabble will not connect until you make one of these configuration changes: • upgrade the server software to something that supports XMPP 1.0; or • use an encrypted "old SSL" connection, typically on port 5223 (old-ssl); or • turn off "Encryption required (TLS/SSL)" (require-encryption) Fixes: • fd.o #65036 (CVE-2013-1431): update Wocky to respect the tls-required flag on legacy Jabber servers (Simon) • fd.o #63119: improve regression tests' isolation from the session bus (Simon) I have just bumped it and I think we can stabilize that version if needed Reproducible: Always
Works for me. Arches, please stabilize, targets: alpha amd64 ia64 ppc sparc x86. Thanks!
amd64 stable
x86 stable
ppc stable
alpha stable
ia64 stable
sparc stable
GLSA vote: no
CVE-2013-1431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1431): The Wocky module in Telepathy Gabble before 0.16.6 and 0.17.x before 0.17.4, when connecting to a "legacy Jabber server," does not properly enforce the WockyConnector:tls-required flag, which allows remote attackers to bypass TLS verification and perform a man-in-the-middle attacks.
GLSA vote: no. Closing as [noglsa]
