602238 – <net-im/mcabber-1.0.4: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza

Bug 602238 - <net-im/mcabber-1.0.4: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza

Summary: <net-im/mcabber-1.0.4: remote attackers can modify the roster and intercept ...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2016-12-10 10:40:07 UTC

See:
http://seclists.org/oss-sec/2016/q4/650

This is fixed in 1.0.4, which is already in the tree, but not stable yet.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2016-12-10 12:18:37 UTC

This is the same vulnerability seen in Gajim first, see bug 569936 for details.


@ Arches,

please test and mark stable: =net-im/mcabber-1.0.4

Comment 2 Agostino Sarubbo gentoo-dev

2016-12-13 11:07:31 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2016-12-13 11:32:43 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2016-12-13 11:53:25 UTC

GLSA Vote: No

Comment 5 Aaron Bauman (RETIRED) gentoo-dev

2016-12-14 10:27:26 UTC

@maintainer, please inform security once the package is cleaned so we can close.  Thanks!

Comment 6 Wolfram Schlich (RETIRED) gentoo-dev

2016-12-15 09:35:44 UTC

@security: the vulnerable version has been removed.