2) The application connects to Jabberd servers that are not fully compliant with the XMPP specifications without encryption, even if the "Require SSL/TLS" setting is configured. This can be exploited to potentially disclose sensitive information transmitted during an XMPP session.
The security issue is reported in versions prior to 2.6.0.
More information at http://developer.pidgin.im/ticket/8131
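To make the failure mode concrete, here is an added example (not Pidgin/libpurple code) that models the decision an XMPP client makes after reading the server's `<stream:features>`: the flawed logic silently falls back to plaintext when an old Jabberd server advertises no `<starttls/>`, while the hardened logic fails closed when "Require SSL/TLS" is set. The feature stanzas and function names are constructed for this illustration.

```python
# Added example, not libpurple's auth.c: models stream-feature negotiation
# and the "require TLS" decision. Server responses below are constructed.
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_STREAM = "http://etherx.jabber.org/streams"

# Constructed sample: an XMPP-compliant server advertising STARTTLS.
MODERN_FEATURES = (
    f'<stream:features xmlns:stream="{NS_STREAM}">'
    f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    '</stream:features>'
)
# Constructed sample: an older Jabberd offering only legacy iq-auth, no TLS.
LEGACY_FEATURES = (
    f'<stream:features xmlns:stream="{NS_STREAM}">'
    '<auth xmlns="http://jabber.org/features/iq-auth"/>'
    '</stream:features>'
)

def server_offers_starttls(features_xml):
    """True only if the server advertised <starttls/> in the TLS namespace.
    None models a pre-XMPP server that sends no stream features at all."""
    if not features_xml:
        return False
    root = ET.fromstring(features_xml)
    return root.find(f"{{{NS_TLS}}}starttls") is not None

def next_step_vulnerable(require_tls, features_xml):
    """Flawed logic: the preference is never consulted on the fallback path,
    so a legacy server gets a plaintext session even with require_tls set."""
    if server_offers_starttls(features_xml):
        return "starttls"
    return "plaintext"

def next_step_hardened(require_tls, features_xml):
    """Fail closed: with require_tls, a server that cannot do STARTTLS is an
    error, never a downgrade to an unencrypted stream."""
    if server_offers_starttls(features_xml):
        return "starttls"
    if require_tls:
        return "abort"
    return "plaintext"
```

The "abort" outcome is the behaviour the "Require SSL/TLS" setting is supposed to guarantee; a client that returns "plaintext" there leaks credentials and messages to anyone on the path.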
net-im, can we stabilize 2.6.1 or do you want to backport the patch to 2.5.9?
Just for the record: =2.6.0 is affected by another vulnerability listed at $URL.
I think we should wait for 2.6.1; it adds new deps that are not keyworded on all architectures yet, and has lots of new features, especially video calling.
So I added net-im/pidgin-2.5.9-r1 with the backported fix.
Thanks for the fast response.
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly
other versions, does not follow the "require TLS/SSL" preference when
connecting to older Jabber servers that do not follow the XMPP
specification, which causes libpurple to connect to the server
without the expected encryption and allows remote attackers to sniff
Stable for HPPA.
That was the last arch so this bug is ready to be fixed by security team.
Btw, STABLEREQ isn't in KEYWORDS so this bug wasn't in my list.
Let me know if it's not mandatory for security bugs so I can update my bug list.
Ready to vote, I vote NO.
Thanks for pointing out the missing STABLEREQ, the Gentoo Linux Vulnerability Treatment Policy (http://www.gentoo.org/security/en/vulnerability-policy.xml) says:
"once an ebuild is committed, evaluate what keywords are needed for the fix ebuild and get arch-specific teams to test and mark the ebuild stable on their architectures (arch-teams should be cc'd on the bug, as well as releng during release preparation) and set status whiteboard to stable"
It's not mentioned, but I think it is desirable to add it. Maybe the GLVTP should be updated?
(In reply to comment #12)
> Ready to vote, I vote NO.
No further votes necessary, the issue is already drafted. Needless to say, I vote YES.
> Thanks for pointing out the missing STABLEREQ, the Gentoo Linux Vulnerability
> Treatment Policy (http://www.gentoo.org/security/en/vulnerability-policy.xml)
> says: [...]
> It's not mentioned, but I think it is desirable to add it. Maybe the GLVTP
> should be updated?
I just put this in the coordinator guide as I think it rather belongs there.
GLSA 200910-02, thanks everyone.