[Secure-testing-team] Bug#863445: possible to remote extract plain-text from encrypted sessions

W. Martin Borgert debacle at debian.org
Fri May 26 22:29:34 UTC 2017


Package: gajim
Version: 0.16.6-1
Severity: grave
Tags: patch security upstream

grave, because it introduces a security hole allowing unencrypted
access to supposedly encrypted messages

Gajim unconditionally implements XEP-0146, which allows other
clients to access certain user data. This can be abused by
malicious XMPP servers:
https://dev.gajim.org/gajim/gajim/issues/8378

It seems that XMPP experts already plan to deprecate the
feature:
https://mail.jabber.org/pipermail/standards/2016-August/031335.html

Gajim upstream made the feature an opt-in, which is IMHO good
enough for now:
https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc

We just need to apply the change to the Debian package.