From ${URL} :

Gajim unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR-encrypted sessions.

Upstream issue: https://dev.gajim.org/gajim/gajim/issues/8378
Upstream patch: https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
References: https://mail.jabber.org/pipermail/standards/2016-August/031335.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
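The origin check a client would make before honouring an XEP-0146 command, as an added illustration that is not Gajim's code and not the upstream patch linked above. The stanzas are constructed for this example, `remote_control_allowed` and `_rc_iq` are hypothetical helpers, and the `rc#forward` node name is taken from XEP-0146 as assumed here; the point shown is that an ad-hoc command under the `rc#` node space is only acted on when it comes from another resource of the user's own bare JID.

```python
"""Origin check for XEP-0146 (Remote Controlling Clients) ad-hoc command IQs.

Added illustration, not Gajim's code or the upstream patch. The stanzas below
are constructed for this example; `remote_control_allowed` is a hypothetical
helper showing the check a client should make before executing a remote
control command: the requester must be another resource of the user's own
account, not the server and not a different user.
"""
import xml.etree.ElementTree as ET

NS_COMMANDS = "http://jabber.org/protocol/commands"  # XEP-0050 ad-hoc commands
RC_PREFIX = "http://jabber.org/protocol/rc#"          # XEP-0146 command nodes


def bare_jid(jid: str) -> str:
    """'alice@example.org/phone' -> 'alice@example.org'."""
    return jid.split("/", 1)[0]


def remote_control_allowed(iq_xml: str, own_jid: str, enabled: bool = True):
    """Return (allowed, reason_or_command_name) for an incoming <iq type='set'/>.

    Only the feature switch and the sender check are modelled; the command
    payload itself is not executed here.
    """
    if not enabled:
        return False, "remote control is disabled"
    try:
        iq = ET.fromstring(iq_xml)
    except ET.ParseError:
        return False, "malformed stanza"
    # Accept both '<iq>' and '<iq xmlns="jabber:client">' forms of the tag.
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set":
        return False, "not an IQ set"
    cmd = iq.find(f"{{{NS_COMMANDS}}}command")
    if cmd is None:
        return False, "no ad-hoc command payload"
    node = cmd.get("node", "")
    if not node.startswith(RC_PREFIX):
        return False, "not a remote-control node"
    sender = iq.get("from")
    if sender is None or bare_jid(sender) != bare_jid(own_jid):
        # The server itself, or some other account, is asking: refuse.
        return False, f"refusing remote control from {sender!r}"
    return True, node[len(RC_PREFIX):]


def _rc_iq(sender: str, node: str = "forward") -> str:
    """Build a constructed XEP-0146 request stanza sent by `sender`.

    'forward' is assumed here to be the "forward unread messages" command
    node of XEP-0146; the check does not depend on the exact node name.
    """
    return (
        f'<iq type="set" from="{sender}" to="alice@example.org/laptop" id="rc1">'
        f'<command xmlns="{NS_COMMANDS}" node="{RC_PREFIX}{node}" action="execute"/>'
        "</iq>"
    )


# Constructed sample stanzas (not captured traffic).
OWN_RESOURCE = _rc_iq("alice@example.org/phone")    # legitimate: alice's other client
FROM_SERVER = _rc_iq("example.org")                 # the server itself asking
OTHER_USER = _rc_iq("mallory@example.org/desktop")  # a different account asking

if __name__ == "__main__":
    me = "alice@example.org/laptop"
    for label, stanza in [("own resource", OWN_RESOURCE),
                          ("server", FROM_SERVER),
                          ("other user", OTHER_USER)]:
        print(f"{label:12s} -> {remote_control_allowed(stanza, me)}")
```

One caveat a practitioner should keep in mind: the `from` attribute on a delivered stanza is stamped by the user's own server, so this check stops other accounts but cannot by itself defend against the malicious-server case the bug describes. Against that threat the effective remedy is not to honour remote control unless the user has explicitly enabled it, which is what the `enabled` switch stands for here.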
gajim-0.16.6-r1 with the fix is in the tree.
amd64 stable
x86 stable
arm stable
ppc64 stable
ppc stable. Maintainer(s), please clean up. Security, please vote.
Arches, thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Dropped 0.16.6.
This issue was resolved and addressed in GLSA 201707-14 at https://security.gentoo.org/glsa/201707-14 by GLSA coordinator Thomas Deutschmann (whissi).