|
Message-ID: <51A76822.3080903@collabora.co.uk> Date: Thu, 30 May 2013 15:54:26 +0100 From: Simon McVittie <simon.mcvittie@...labora.co.uk> To: oss-security@...ts.openwall.com Subject: CVE-2013-1431: telepathy-gabble: TLS bypass via use of legacy Jabber -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Maksim Otstavnov reported a vulnerability in the Wocky submodule used by telepathy-gabble, an XMPP client implementation for the Telepathy framework. A network intermediary could use this vulnerability to bypass TLS verification and perform a man-in-the-middle attack. The Debian security team has allocated CVE-2013-1431 for this vulnerability. This vulnerability is fixed in telepathy-gabble 0.16.6 [0]. All versions since 0.9.x are believed to be vulnerable. The patch described below is likely to apply to all affected versions without modification. If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP) server, fixed versions of telepathy-gabble will not connect to that server until you make one of these configuration changes: • upgrade the server software to something that supports XMPP 1.0; or • use an encrypted "old SSL" connection, typically on port 5223 (old-ssl); or • turn off "Encryption required (TLS/SSL)" (require-encryption). Since the vulnerable code is in a git submodule, distributors with tarball-based builds for telepathy-gabble will need to apply a patch with suitably adjusted paths. A suitable patch[1] is available from the Telepathy bug report[2]. Distributors who will patch the Wocky submodule directly can take the patch from the git commit[3]. In the current development branch, versions 0.17.0 to 0.17.3 are vulnerable; the upcoming 0.17.4 release will fix this vulnerability. Regards, Simon [0] http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz.asc [1] https://bugs.freedesktop.org/attachment.cgi?id=79894 [2] https://bugs.freedesktop.org/show_bug.cgi?id=65036 [3] cgit.freedesktop.org/wocky/commit/?id=ff317a2783058e8e90fac21bd8ba18359c5401f9 -----BEGIN PGP SIGNATURE----- iQIVAwUBUadoIk3o/ypjx8yQAQjp2g//ahF56sVtw5M0z7SVR8HXgXpvgwkoiV9C 9jAdfp12d4fePF0tmUjglnINRCvz1V0qwq40uYTD5i9KDgQ3sRbLJ0ND/AB3kxDn 6/xZnKdRaQrOC9yGoR5ukQcLdsZn92tBBcprLhy6Xb/fOh53ekGNxrlmUACGRR9s yD4m1/5Yhxr2cCxBppcJAQp9Ml1Zk8+aO7TG7GK1dU58r0kDkOqCBei0mwSRVL0V cO1sMyofOw+SOouwXne+XHwxY2/T2LaXq9jqm/hCZGMYwYr2Tg/ttysnkeJ40cNS E2Bx8AUCjwhfNfS2RWZCea2XlyHyzxNMMQV8NsABbvFp4Ab0BVRr7wEazZAJIv88 IGrpzHLndfD/7zxEdDAnurJiHEaypaY6RzFh1vXeb8JMZJfbTlZFYj5GWpQvsX2G zVdiOOkaC/82PqYO8+c+xPXQKdfsMmyTDq6Wz+QC6gyFmUJu6VR4xMC5WR74DmK3 bCG1VDy44d50/IbFBD8iNWhBfPbjEimuIIzwnwSYD8vUuNbbBvMuQwpCbYd9CduP lZSnqkG7xG25Pvx0bbzUtFuZvaT+wxYRo2ggG8WiJ9lRs0x4LvhM/y8WMeBFkt/5 sT9RhAmLzEaUyIreOdK2JgzG0p+FtRAxvBsaVwlDTdSpwBZAK7VCgnPOqmaK+zey eW5Zap6A7wM= =YXtV -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.