This release fixes a man-in-the-middle attack. You should upgrade.
If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP)
server, this version of Gabble will not connect until you make
one of these configuration changes:
• upgrade the server software to something that supports XMPP 1.0; or
• use an encrypted "old SSL" connection, typically on port 5223; or
• turn off "Encryption required (TLS/SSL)" (require-encryption)
• fd.o #65036 (CVE-2013-1431): update Wocky to respect the tls-required
flag on legacy Jabber servers (Simon)
• fd.o #63119: improve regression tests' isolation from the session bus
I have just bumped it and I think we can stabilize that version if needed.
Works for me. Arches, please stabilize, targets: alpha amd64 ia64 ppc sparc x86. Thanks!
GLSA vote: no
The Wocky module in Telepathy Gabble before 0.16.6 and 0.17.x before 0.17.4,
when connecting to a "legacy Jabber server," does not properly enforce the
WockyConnector:tls-required flag, which allows remote attackers to bypass
TLS verification and perform man-in-the-middle attacks.
GLSA vote: no.
Closing as [noglsa]
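
The behaviour described in the release notes and the CVE text above, as a simplified model added here (not Wocky's or Gabble's code): before the fix the legacy Jabber path never consulted the encryption requirement, and after it that path fails closed. The type and function names are hypothetical, and the XMPP 1.0 branch assumes the server offers STARTTLS.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a connector's transport decision; all names are
 * hypothetical and this is not Wocky's code. */
typedef enum { USE_OLD_SSL, USE_STARTTLS, USE_PLAINTEXT, REFUSE } decision;

typedef struct {
    bool tls_required;   /* "Encryption required (TLS/SSL)" */
    bool old_ssl;        /* TLS from the first byte, typically port 5223 */
    bool server_xmpp10;  /* stream header advertised XMPP 1.0 */
} conn_state;

/* Behaviour the advisory describes: the legacy branch never consults
 * tls_required, so a "required" setting still yields plaintext. */
decision decide_before_fix(const conn_state *c)
{
    if (c->old_ssl)
        return USE_OLD_SSL;
    if (c->server_xmpp10)
        return USE_STARTTLS;      /* assumed: server offers STARTTLS */
    return USE_PLAINTEXT;         /* legacy Jabber: flag ignored */
}

/* Fixed behaviour: the legacy branch fails closed when TLS is required. */
decision decide_after_fix(const conn_state *c)
{
    if (c->old_ssl)
        return USE_OLD_SSL;
    if (c->server_xmpp10)
        return USE_STARTTLS;
    return c->tls_required ? REFUSE : USE_PLAINTEXT;
}

int main(void)
{
    static const char *names[] = { "old-ssl", "starttls", "plaintext", "refuse" };
    /* Constructed cases: unchanged setup, then the three listed changes. */
    const conn_state cases[] = {
        { true,  false, false },  /* legacy server, encryption required */
        { true,  false, true  },  /* server upgraded to XMPP 1.0 */
        { true,  true,  false },  /* old SSL connection */
        { false, false, false },  /* require-encryption turned off */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: before=%s after=%s\n", i,
               names[decide_before_fix(&cases[i])],
               names[decide_after_fix(&cases[i])]);
    return 0;
}
```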