r36410 - in /desktop/experimental/ekiga/debian: README.security changelog

dedu-guest at users.alioth.debian.org
Thu Nov 29 08:25:45 UTC 2012


Author: dedu-guest
Date: Thu Nov 29 08:25:45 2012
New Revision: 36410

URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=36410
Log:
Add README.security containing a warning about stun service

Added:
    desktop/experimental/ekiga/debian/README.security
Modified:
    desktop/experimental/ekiga/debian/changelog

Added: desktop/experimental/ekiga/debian/README.security
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/experimental/ekiga/debian/README.security?rev=36410&op=file
==============================================================================
--- desktop/experimental/ekiga/debian/README.security (added)
+++ desktop/experimental/ekiga/debian/README.security [utf-8] Thu Nov 29 08:25:45 2012
@@ -1,0 +1,20 @@
+I've noticed that ekiga/3.2.7-5+b1 and ekiga/3.9.90, from its first run,
+with default configuration, uses a public STUN service at stun.ekiga.net.
+
+The purpose of that service is to inform the client of its public IP
+address in case it is behind NAT.  That address is given out by the
+client when establishing outgoing SIP calls.
+
+It occurred to me that if the stun.ekiga.net service, or its DNS
+servers, were compromised (or operators untrustworthy), it could instead
+return to a particular client the IP address of a host controlled by the
+attacker.  That host could proxy SIP connections back to the legitimate
+address of the client, and thus be in a position to intercept calls.
+
+This is even documented in RFC 3489 section 12, "Security
+Considerations" as "Attack IV: Eavesdropping".
+
+The use of this particular STUN service is configurable through
+gconf-editor, however it isn't even indicated to the user within ekiga.
+
+Moritz Mühlenhoff <jmm at inutil.org>, nov. 2012
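Review bot: the README tells the user the STUN server "is configurable through gconf-editor" but not which key to change or what to set it to, so a reader who wants to act on the warning still has to go hunting; name the gconf key and state the mitigation plainly (point it at a STUN server the user trusts, or disable STUN entirely when the client is not behind NAT). Two smaller points: "RFC 3489 section 12" is still a correct citation but RFC 3489 has been obsoleted by RFC 5389, whose security considerations cover the same eavesdropping attack, so cite both or the newer one; and pinning the text to "ekiga/3.2.7-5+b1 and ekiga/3.9.90" will go stale in an experimental package whose version changes with every upload, so "all versions with the default configuration" would age better.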

Modified: desktop/experimental/ekiga/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/experimental/ekiga/debian/changelog?rev=36410&op=diff
==============================================================================
--- desktop/experimental/ekiga/debian/changelog [utf-8] (original)
+++ desktop/experimental/ekiga/debian/changelog [utf-8] Thu Nov 29 08:25:45 2012
@@ -2,6 +2,7 @@
 
   [ Eugen Dedu ]
   * New upstream stable release
+  * Add README.security containing a warning about stun service
 
  -- Eugen Dedu <Eugen.Dedu at pu-pm.univ-fcomte.fr>  Mon, 26 Nov 2012 22:43:35 +0100
 
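Review bot: nothing in this commit arranges for the new file to be installed, so unless README.security is already listed in debian/docs (or picked up by dh_installdocs some other way) the warning will not reach the binary package; please confirm the file actually ships. Also, the entry is appended to a changelog block whose trailer still reads "Mon, 26 Nov 2012 22:43:35 +0100" while the commit is dated Nov 29; if that block has not been uploaded yet, refresh the trailer date (dch -r) so the changelog timestamp matches the last change.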