| Summary: |
<net-im/gajim-0.16.6-r1: XEP-0146 makes it possible to extract plain-text from OTR sessions (CVE-2016-10376) |
| Product: |
Gentoo Security
|
Reporter: |
Agostino Sarubbo <ago> |
| Component: |
Vulnerabilities | Assignee: |
Gentoo Security <security> |
| Status: |
RESOLVED
FIXED
|
|
|
| Severity: |
minor
|
CC: |
aidecoe
|
| Priority: |
Normal
|
Flags: |
stable-bot:
sanity-check+
|
| Version: |
unspecified | |
|
| Hardware: |
All | |
|
| OS: |
Linux | |
|
| URL: |
https://bugzilla.redhat.com/show_bug.cgi?id=1456363
|
| Whiteboard: |
B3 [glsa cve] |
|
Package list:
|
=net-im/gajim-0.16.6-r1
|
Runtime testing required:
|
Yes
|
|---|
From ${URL} : Gajim unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions. Upstream issue: https://dev.gajim.org/gajim/gajim/issues/8378 Upstream patch: https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc References: https://mail.jabber.org/pipermail/standards/2016-August/031335.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.