[Pkg-telepathy-commits] [SCM] telepathy-gabble packaging branch, debian-squeeze, updated. debian/0.9.15-1+squeeze1-1-g44bda80

Simon McVittie smcv at debian.org
Thu May 30 16:08:48 UTC 2013


The following commit has been merged in the debian-squeeze branch:
commit 44bda807b4f377d362d69be12c2e947319c40594
Author: Simon McVittie <smcv at debian.org>
Date:   Wed May 29 19:42:56 2013 +0100

    Respect the require-encryption flag on legacy Jabber servers
    
    Unlike Debian wheezy, Debian squeeze does not enable this flag by
    default.

diff --git a/debian/changelog b/debian/changelog
index a8042a5..148c1bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+telepathy-gabble (0.9.15-1+squeeze2) squeeze-security; urgency=high
+
+  * CVE-2013-1431: respect the require-encryption flag on legacy Jabber
+    servers
+
+ -- Simon McVittie <smcv at debian.org>  Wed, 29 May 2013 17:48:03 +0100
+
 telepathy-gabble (0.9.15-1+squeeze1) stable-security; urgency=high
 
   * debian/patches/00-jingleinfo.diff: Added to ignore google:jingleinfo
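Review bot: the new 0.9.15-1+squeeze2 changelog entry does not name the patch file it adds, whereas the 0.9.15-1+squeeze1 entry below names debian/patches/00-jingleinfo.diff. Suggest listing debian/patches/0001-security-respect-tls-required-flag-on-legacy-Jabber-.patch in the entry. Since the commit message says squeeze does not enable require-encryption by default, the entry could also say that the fix only changes behaviour for accounts that have set the flag.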
diff --git a/debian/patches/0001-security-respect-tls-required-flag-on-legacy-Jabber-.patch b/debian/patches/0001-security-respect-tls-required-flag-on-legacy-Jabber-.patch
new file mode 100644
index 0000000..89cc326
--- /dev/null
+++ b/debian/patches/0001-security-respect-tls-required-flag-on-legacy-Jabber-.patch
@@ -0,0 +1,31 @@
+From: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Date: Mon, 27 May 2013 13:16:22 +0100
+Subject: CVE-2013-1431: respect tls-required flag on legacy Jabber servers
+
+It's checked elsewhere for XMPP 1.0 servers, which can either
+use "old SSL" or perform STARTTLS. Legacy Jabber can only use
+"old SSL", which is similar to https - connect to a separate port,
+typically 5223, and start speaking SSL - so if the connection was
+ever going to be encrypted, by this point it already would be.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=65036
+Reviewed-by: Sjoerd Simons <sjoerd.simons at collabora.co.uk>
+Origin: upstream, 0.16.6
+---
+ wocky/wocky-connector.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/ext/wocky/wocky/wocky-connector.c b/lib/ext/wocky/wocky/wocky-connector.c
+index 133b9fd..3287285 100644
+--- a/lib/ext/wocky/wocky/wocky-connector.c
++++ b/lib/ext/wocky/wocky/wocky-connector.c
+@@ -1135,6 +1135,9 @@ xmpp_init_recv_cb (GObject *source,
+       if (!priv->legacy_support)
+         abort_connect_code (self, WOCKY_CONNECTOR_ERROR_NON_XMPP_V1_SERVER,
+             "Server not XMPP 1.0 Compliant");
++      else if (priv->tls_required && !priv->encrypted)
++        abort_connect_code (data, WOCKY_CONNECTOR_ERROR_TLS_UNAVAILABLE,
++            "TLS requested but server is not XMPP 1.0 compliant (try using \"old SSL\")");
+       else
+         jabber_request_auth (self);
+     }
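Review bot: the added `else if` branch in xmpp_init_recv_cb passes `data` to abort_connect_code, while the abort_connect_code call directly above it and jabber_request_auth below it both pass `self`. If `data` is the callback's untyped user-data pointer this behaves the same, but it is inconsistent with the neighbouring calls and loses the type check; suggest `abort_connect_code (self, WOCKY_CONNECTOR_ERROR_TLS_UNAVAILABLE, ...)`. The condition also depends on priv->encrypted already being set for an "old SSL" connection by the time this callback runs, which the patch description asserts but the code does not say; a one-line comment above the branch would record that assumption.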

-- 
telepathy-gabble packaging


