Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 471838 (CVE-2013-1431) - <net-voip/telepathy-gabble-0.16.6:TLS bypass via use of legacy Jabber (CVE-2013-1431)
Summary: <net-voip/telepathy-gabble-0.16.6:TLS bypass via use of legacy Jabber (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2013-1431
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-30 19:09 UTC by Pacho Ramos
Modified: 2014-02-11 18:44 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Pacho Ramos gentoo-dev 2013-05-30 19:09:41 UTC
From:
http://seclists.org/oss-sec/2013/q2/438

And ChangeLog:
This release fixes a man-in-the-middle attack. You should upgrade.

If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP)
server, this version of Gabble will not connect until you make
one of these configuration changes:

• upgrade the server software to something that supports XMPP 1.0; or
• use an encrypted "old SSL" connection, typically on port 5223
  (old-ssl); or
• turn off "Encryption required (TLS/SSL)" (require-encryption)

Fixes:

• fd.o #65036 (CVE-2013-1431): update Wocky to respect the tls-required
  flag on legacy Jabber servers (Simon)

• fd.o #63119: improve regression tests' isolation from the session bus
  (Simon)

I have just bumped it and I think we can stabilize that version if needed 

Reproducible: Always
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-02 21:35:32 UTC
Works for me. Arches, please stabilize, targets: alpha amd64 ia64 ppc sparc x86. Thanks!
Comment 2 Agostino Sarubbo gentoo-dev 2013-07-03 10:30:56 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-07-03 10:31:28 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-07-04 13:07:24 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-06 17:04:44 UTC
alpha stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-07 15:15:44 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-07-21 17:55:44 UTC
sparc stable
Comment 8 Sergey Popov gentoo-dev 2013-08-24 08:31:33 UTC
GLSA vote: no
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 22:03:58 UTC
CVE-2013-1431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1431):
  The Wocky module in Telepathy Gabble before 0.16.6 and 0.17.x before 0.17.4,
  when connecting to a "legacy Jabber server," does not properly enforce the
  WockyConnector:tls-required flag, which allows remote attackers to bypass
  TLS verification and perform a man-in-the-middle attacks.
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-02-11 18:44:07 UTC
GLSA vote: no.

Closing as [noglsa]