Bug 569936 (CVE-2015-8688) - <net-im/gajim-0.16.5: Gajim Roster Push Attack / Message Interception (CVE-2015-8688)
Summary: <net-im/gajim-0.16.5: Gajim Roster Push Attack / Message Interception (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2015-8688
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://gultsch.de/gajim_roster_push_a...
Whiteboard: B3 [noglsa/cve]
Reported: 2015-12-27 20:36 UTC by Hanno Böck
Modified: 2016-12-10 12:18 UTC
Description Hanno Böck gentoo-dev 2015-12-27 20:36:02 UTC
There's a vulnerability in the current version of gajim:
http://gultsch.de/gajim_roster_push_and_message_interception.html

Seems upstream has fixed it in the repo, but no new release yet. Here's the commit:
https://trac.gajim.org/changeset/af78b7c068904d78c5dfb802826aae99f26a8947/
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-12-28 14:50:52 UTC
commit 3d4cc3c71b2e820d2a689311bfa5a11341250033
Author: Justin Lecher <jlec@gentoo.org>
Date:   Mon Dec 28 15:50:14 2015 +0100

    net-im/gajim: Version Bump, fixes CVE-2015-8688

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=569936

    Package-Manager: portage-2.2.26
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d4cc3c71b2e820d2a689311bfa5a11341250033
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-12-28 14:51:24 UTC
@arches, please go ahead.
Comment 3 Agostino Sarubbo gentoo-dev 2015-12-28 16:11:28 UTC
Arches, please test and mark stable:
=net-im/gajim-0.16.5
Target keywords : "amd64 arm ppc ppc64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-28 16:19:37 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-04 06:08:25 UTC
Stable for PPC64.
Comment 6 Markus Meier gentoo-dev 2016-01-07 20:25:15 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-01-17 17:24:41 UTC
ppc stable
Comment 8 Andreas Schürch gentoo-dev 2016-01-18 17:48:20 UTC
x86 done, last arch!
Comment 9 Justin Lecher (RETIRED) gentoo-dev 2016-01-20 15:37:06 UTC
commit d571facf6645dd65748dd1712a4705958a3431ee
Author: Justin Lecher <jlec@gentoo.org>
Date:   Wed Jan 20 16:35:05 2016 +0100

    net-im/gajim: Drop version vulnerable to CVE-2015-8688

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=569936

    Package-Manager: portage-2.2.27
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d571facf6645dd65748dd1712a4705958a3431ee
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 07:44:37 UTC
Thank you all for your work.
Closing as [noglsa].