Date: Tue, 13 Dec 2016 06:53:15 +0100
From: Salvatore Bonaccorso <>
Subject: Re: CVE Request: MCabber: remote attackers can modify the roster and
 intercept messages via a crafted roster-push IQ stanza


On Sun, Dec 11, 2016 at 05:29:13PM -0500, wrote:
> > Sam Whited discovered that MCabber versions 1.0.3 and before were
> > vulnerable to an attack identical to Gajim's CVE-2015-8688, which
> > can lead to a malicious actor MITMing a conversation, or adding
> > themselves as an entity on a third party's roster (thereby granting
> > themselves the associated privileges
> >
> Use CVE-2016-9928.


> At present, we do not understand whether the behavior of other
> mentioned products, such as slixmpp and SleekXMPP, should be
> considered a vulnerability. If the situation is essentially "the
> product could be improved to make it less likely for third-party code
> authors to accidentally create an unsafe interaction," then typically
> a CVE ID is not required.
> However, if (for example) there is going to be a DSA for the
> python-sleekxmpp and python3-sleekxmpp packages, then we can assign an
> ID. As far as we can tell, the python3-slixmpp* packages are not
> available in jessie, and poezio is packaged for Fedora but not for any
> Debian distribution.

Just to confirm, we do not plan to issue a DSA for the above.
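The check at the heart of the quoted report, as an added illustration that is not mcabber's, Gajim's or slixmpp's code: RFC 6121 section 2.1.6 says a client must ignore a roster push (an IQ of type "set" carrying a jabber:iq:roster query) unless it has no 'from' attribute or the 'from' value is the user's own bare JID. A client that applies pushes from any sender lets a remote JID add itself to, or delete entries from, the victim's roster. The JIDs, stanza ids and the roster_after_pushes helper below are constructed for the example; JID normalization (case folding, PRECIS) is left out and would be needed before comparing JIDs in real code.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"
# An <iq/> may arrive with or without the jabber:client default namespace.
IQ_TAGS = ("iq", "{jabber:client}iq")


def roster_push_allowed(stanza_xml, own_bare_jid):
    """RFC 6121 section 2.1.6 rule for an incoming roster push.

    Accept only an <iq type='set'> with a jabber:iq:roster <query/> that
    either has no 'from' (implicitly our own account) or whose 'from' is
    our own bare JID. Everything else, including pushes from any other
    JID, is ignored. (Assumes JIDs are already normalized.)
    """
    iq = ET.fromstring(stanza_xml)
    if iq.tag not in IQ_TAGS or iq.get("type") != "set":
        return False
    if iq.find("{%s}query" % ROSTER_NS) is None:
        return False
    sender = iq.get("from")
    if sender is None:
        return True
    return sender == own_bare_jid


def roster_after_pushes(stanzas, own_bare_jid, check_sender=True):
    """Apply a sequence of stanzas to an empty roster and return it.

    check_sender=False reproduces the weak behaviour described in the
    thread (pushes applied regardless of sender); check_sender=True is
    the hardened behaviour. Hypothetical helper written for this example.
    """
    roster = {}
    for stanza_xml in stanzas:
        if check_sender and not roster_push_allowed(stanza_xml, own_bare_jid):
            continue  # hardened client: drop pushes not from our own account
        iq = ET.fromstring(stanza_xml)
        query = iq.find("{%s}query" % ROSTER_NS)
        if iq.get("type") != "set" or query is None:
            continue  # not a roster push at all
        for item in query.findall("{%s}item" % ROSTER_NS):
            jid = item.get("jid")
            if item.get("subscription") == "remove":
                roster.pop(jid, None)
            else:
                roster[jid] = {
                    "name": item.get("name", ""),
                    "subscription": item.get("subscription", "none"),
                }
    return roster


# Constructed sample stanzas for alice@example.org (not captured traffic).
OWN_JID = "alice@example.org"

# Legitimate push from the user's server: no 'from' attribute.
SERVER_PUSH = (
    "<iq xmlns='jabber:client' type='set' id='push1'>"
    "<query xmlns='jabber:iq:roster'>"
    "<item jid='bob@example.org' name='Bob' subscription='both'/>"
    "</query></iq>"
)
# Remote attacker adds itself, with a display name chosen to look like Bob.
ATTACKER_PUSH = (
    "<iq xmlns='jabber:client' type='set' id='push2' from='mallory@evil.example'>"
    "<query xmlns='jabber:iq:roster'>"
    "<item jid='mallory@evil.example' name='Bob' subscription='both'/>"
    "</query></iq>"
)
# Remote attacker removes the real Bob from the victim's roster.
ATTACKER_REMOVE = (
    "<iq xmlns='jabber:client' type='set' id='push3' from='mallory@evil.example'>"
    "<query xmlns='jabber:iq:roster'>"
    "<item jid='bob@example.org' subscription='remove'/>"
    "</query></iq>"
)
# Legitimate push with an explicit 'from' equal to the user's bare JID.
SELF_PUSH = (
    "<iq xmlns='jabber:client' type='set' id='push4' from='alice@example.org'>"
    "<query xmlns='jabber:iq:roster'>"
    "<item jid='carol@example.org' name='Carol' subscription='both'/>"
    "</query></iq>"
)
SAMPLE_STANZAS = [SERVER_PUSH, ATTACKER_PUSH, ATTACKER_REMOVE, SELF_PUSH]

if __name__ == "__main__":
    print("weak client roster:    ", sorted(roster_after_pushes(SAMPLE_STANZAS, OWN_JID, check_sender=False)))
    print("hardened client roster:", sorted(roster_after_pushes(SAMPLE_STANZAS, OWN_JID)))
```

Run as a script, the weak client ends up with mallory@evil.example in the roster and bob@example.org removed, while the hardened client keeps exactly the two entries pushed by the user's own account.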

