Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 602238

Summary: <net-im/mcabber-1.0.4: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: wschlich
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=569936
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2016-12-10 10:40:07 UTC 
See:
http://seclists.org/oss-sec/2016/q4/650

This is fixed in 1.0.4, which is already in the tree, but not stable yet.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-10 12:18:37 UTC 
This is the same vulnerability seen in Gajim first, see bug 569936 for details.


@ Arches,

please test and mark stable: =net-im/mcabber-1.0.4
Comment 2 Agostino Sarubbo gentoo-dev 2016-12-13 11:07:31 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-12-13 11:32:43 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 11:53:25 UTC 
GLSA Vote: No
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-12-14 10:27:26 UTC 
@maintainer, please inform security once the package is cleaned so we can close.  Thanks!
Comment 6 Wolfram Schlich (RETIRED) gentoo-dev 2016-12-15 09:35:44 UTC 
@security: the vulnerable version has been removed.