Arch Linux Security Advisory ASA-201601-3 ========================================= Severity: Medium Date : 2016-01-09 CVE-ID : CVE-2015-8688 Package : gajim Type : man-in-the-middle Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package gajim before version 0.16.5-1 is vulnerable to man-in-the-middle. Resolution ========== Upgrade to 0.16.5-1. # pacman -Syu "gajim>=0.16.5-1" The problem has been fixed upstream in version 0.16.5. Workaround ========== None. Description =========== It was found that gajim doesn't verify the origin of roster pushes thus allowing third parties to modify the roster. This vulnerability allows to intercept messages resulting in man-in-the-middle. Impact ====== A remote attacker is able to intercept messages due to unverified origin of roster resulting in man-in-the-middle. References ========== https://access.redhat.com/security/cve/CVE-2015-8688 http://gultsch.de/gajim_roster_push_and_message_interception.html https://bugs.archlinux.org/task/47647