[arch-security] [ASA-201601-3] gajim: man-in-the-middle
anthraxx at archlinux.org
Sat Jan 9 15:50:08 UTC 2016
Arch Linux Security Advisory ASA-201601-3
Date : 2016-01-09
CVE-ID : CVE-2015-8688
Package : gajim
Type : man-in-the-middle
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package gajim before version 0.16.5-1 is vulnerable to
Upgrade to 0.16.5-1.
# pacman -Syu "gajim>=0.16.5-1"
The problem has been fixed upstream in version 0.16.5.
It was found that gajim doesn't verify the origin of roster pushes, thus
allowing third parties to modify the roster. This vulnerability allows an
attacker to intercept messages, resulting in a man-in-the-middle position.
A remote attacker is able to intercept messages due to the unverified origin
of roster pushes, resulting in a man-in-the-middle attack.
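The origin check this class of bug calls for, as an added example (not Gajim's own code): it applies the rule from RFC 6121 section 2.1.6 that a client must ignore a roster push unless the stanza has no 'from' attribute or its 'from' matches the user's own bare JID. The stanzas and the account JID are constructed samples.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_ROSTER = "jabber:iq:roster"

# Constructed sample stanzas (not taken from the advisory).
LEGIT_PUSH = ('<iq xmlns="jabber:client" type="set" id="p1">'
              '<query xmlns="jabber:iq:roster">'
              '<item jid="friend@example.org" name="Friend" subscription="both"/>'
              '</query></iq>')
FORGED_PUSH = ('<iq xmlns="jabber:client" type="set" id="p2" from="mallory@evil.example">'
               '<query xmlns="jabber:iq:roster">'
               '<item jid="mallory@evil.example" name="Friend" subscription="both"/>'
               '</query></iq>')


def bare_jid(jid):
    """Strip the resource part: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def is_roster_push(iq):
    """A roster push is an <iq type='set'> carrying a jabber:iq:roster <query>."""
    return (iq.tag == f"{{{NS_CLIENT}}}iq"
            and iq.get("type") == "set"
            and iq.find(f"{{{NS_ROSTER}}}query") is not None)


def roster_push_allowed(stanza_xml, account_jid):
    """True only if the push comes from the user's own account: no 'from'
    attribute, or a 'from' whose bare JID equals the account's bare JID.
    Exact string comparison is used here; a full client would normalize JIDs."""
    iq = ET.fromstring(stanza_xml)
    if not is_roster_push(iq):
        return False
    sender = iq.get("from")
    if sender is None:
        return True
    return bare_jid(sender) == bare_jid(account_jid)


def apply_roster_push(roster, stanza_xml, account_jid):
    """Apply a push to an in-memory roster dict only after the origin check.
    Returns True if applied, False if the stanza was ignored."""
    if not roster_push_allowed(stanza_xml, account_jid):
        return False
    query = ET.fromstring(stanza_xml).find(f"{{{NS_ROSTER}}}query")
    for item in query:
        jid = item.get("jid")
        if item.get("subscription") == "remove":
            roster.pop(jid, None)
        else:
            roster[jid] = {"name": item.get("name"),
                           "subscription": item.get("subscription")}
    return True
```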