Date: Tue, 13 Dec 2016 06:53:15 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Hi, On Sun, Dec 11, 2016 at 05:29:13PM -0500, cve-assign@...re.org wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > Sam Whited discovered that MCabber versions 1.0.3 and before, was > > vulnerable to an attack identical to Gajim's CVE-2015-8688 which > > can lead to a malicious actor MITMing a conversation, or adding > > themselves as an entity on a third parties roster (thereby granting > > themselves the associated privileges > > > > https://gultsch.de/gajim_roster_push_and_message_interception.html > > https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw > > https://bugs.debian.org/845258 > > Use CVE-2016-9928. Thanks. > At present, we do not understand whether the behavior of other > mentioned products, such as slixmpp and SleekXMPP, should be > considered a vulnerability. If the situation is essentially "the > product could be improved to make it less likely for third-party code > authors to accidentally create an unsafe interaction," then typically > a CVE ID is not required. > > However, if (for example) there is going to be a DSA for the > python-sleekxmpp and python3-sleekxmpp packages, then we can assign an > ID. As far as we can tell, the python3-slixmpp* packages are not > available in jessie, and poezio is packaged for Fedora but not for any > Debian distribution. Just to confirm, we do not plan to issue a DSA for the above. Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ