[Secure-testing-team] Bug#857546: profanity: Server certificates are not verified
Wolfgang Wiedmeyer
wreg at wiedmeyer.de
Sun Mar 12 12:53:04 UTC 2017
Package: profanity
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
Profanity is not built against libmesode[1]. Libmesode is a fork of
libstrophe that allows validating the certificate chain. Upstream bug
#280 provides more information[2]. Libmesode doesn't seem to be packaged
yet in Debian.
If Profanity does not verify the XMPP server's certificate using
Debian's store of known CA certificates, users' passwords, text messages
and other sensitive information can be intercepted.
Best regards,
Wolfgang
[1] https://github.com/boothj5/libmesode
[2] https://github.com/boothj5/profanity/issues/280
-- System Information:
Debian Release: 8.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-2-grsec-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
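What the verification asked for above looks like in practice, as an added example that is not Profanity's, libstrophe's or libmesode's code: a small probe that opens an XMPP stream, negotiates STARTTLS and then wraps the connection either with a verifying TLS context (chain must lead to a trusted CA, name must match the server) or with the insecure "accept anything" setting that the report describes. Assumptions: Debian's CA bundle lives at `/etc/ssl/certs/ca-certificates.crt` (Python's `create_default_context()` with no `cafile` falls back to the platform default store, which on Debian is the same bundle), the server listens on 5222, and the `<stream:features>` sample is constructed here, not captured from a real server.

```python
"""XMPP STARTTLS probe: verifying context vs. the insecure setting.

Added example, not code from Profanity or libmesode.  The CA bundle path,
host/port and the sample features stanza below are assumptions.
"""
import socket
import ssl
import xml.etree.ElementTree as ET

# Debian's bundle of trusted CA certificates (assumed standard path).
DEBIAN_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

XMPP_STREAMS_NS = "http://etherx.jabber.org/streams"
XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample of what a server sends after the client's stream header:
# the still-open <stream:stream> root followed by its <stream:features> child.
SAMPLE_FEATURES = (
    b"<?xml version='1.0'?>"
    b"<stream:stream xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams' "
    b"from='example.net' id='c0ffee' version='1.0'>"
    b"<stream:features>"
    b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    b"<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    b"<mechanism>PLAIN</mechanism></mechanisms>"
    b"</stream:features>"
)


def insecure_context():
    """The weak setting: any certificate is accepted, so an on-path attacker
    can present their own and read the password and every message."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """The corrected setting: the chain must validate against the CA store
    (cafile, or the platform default store when None) and the certificate
    must be issued for the name we connected to."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the default, stated explicitly
    ctx.check_hostname = True
    return ctx


def is_verifying(ctx):
    """Audit check: does this context actually verify chain and hostname?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def parse_features(stream_bytes):
    """Return (starttls_offered, starttls_required) from a wire buffer that
    holds the unclosed <stream:stream> root plus <stream:features>.  A pull
    parser is used because the stream root is never closed."""
    parser = ET.XMLPullParser(events=("end",))
    parser.feed(stream_bytes)
    for _event, elem in parser.read_events():
        if elem.tag == "{%s}features" % XMPP_STREAMS_NS:
            node = elem.find("{%s}starttls" % XMPP_TLS_NS)
            if node is None:
                return (False, False)
            required = node.find("{%s}required" % XMPP_TLS_NS) is not None
            return (True, required)
    return (False, False)


def probe(host, port=5222, ctx=None, timeout=10):
    """Open the stream, request STARTTLS and wrap the socket with ctx.
    With verifying_context() an untrusted or mis-issued certificate raises
    ssl.SSLCertVerificationError; with insecure_context() it is accepted."""
    ctx = ctx or verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
                  "xmlns='jabber:client' xmlns:stream='%s'>"
                  % (host, XMPP_STREAMS_NS))
        sock.sendall(header.encode())
        buf = b""
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed stream before features")
            buf += chunk
        offered, _required = parse_features(buf)
        if not offered:
            raise RuntimeError("server does not offer STARTTLS")
        sock.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
        reply = sock.recv(4096)
        if b"<proceed" not in reply:
            raise RuntimeError("server refused STARTTLS: %r" % reply)
        # server_hostname is what check_hostname compares the cert against.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running `probe("example.net")` against a server whose chain does not validate against the bundle fails at `wrap_socket`, which is the behaviour the report says Profanity lacks; swapping in `insecure_context()` makes the same connection "succeed" and shows how silently an interception would pass. `is_verifying()` is the one-line check to run on whatever context a client actually builds.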