Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 30 May 2013 15:54:26 +0100
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-1431: telepathy-gabble: TLS bypass via use of legacy Jabber

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Maksim Otstavnov reported a vulnerability in the Wocky submodule used by
telepathy-gabble, an XMPP client implementation for the Telepathy
framework. A network intermediary could use this vulnerability to bypass
TLS verification and perform a man-in-the-middle attack. The Debian
security team has allocated CVE-2013-1431 for this vulnerability.

This vulnerability is fixed in telepathy-gabble 0.16.6 [0]. All
versions since 0.9.x are believed to be vulnerable. The patch
described below is likely to apply to all affected versions without
modification.

If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP)
server, fixed versions of telepathy-gabble will not connect to that
server until you make one of these configuration changes:

• upgrade the server software to something that supports XMPP 1.0; or
• use an encrypted "old SSL" connection, typically on port 5223
  (old-ssl); or
• turn off "Encryption required (TLS/SSL)" (require-encryption).

Since the vulnerable code is in a git submodule, distributors with
tarball-based builds for telepathy-gabble will need to apply a patch
with suitably adjusted paths. A suitable patch[1] is available from
the Telepathy bug report[2]. Distributors who will patch the Wocky
submodule directly can take the patch from the git commit[3].

In the current development branch, versions 0.17.0 to 0.17.3 are
vulnerable; the upcoming 0.17.4 release will fix this vulnerability.

Regards,
    Simon

[0]
http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz

http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz.asc
[1] https://bugs.freedesktop.org/attachment.cgi?id=79894
[2] https://bugs.freedesktop.org/show_bug.cgi?id=65036
[3]
cgit.freedesktop.org/wocky/commit/?id=ff317a2783058e8e90fac21bd8ba18359c5401f9
-----BEGIN PGP SIGNATURE-----

iQIVAwUBUadoIk3o/ypjx8yQAQjp2g//ahF56sVtw5M0z7SVR8HXgXpvgwkoiV9C
9jAdfp12d4fePF0tmUjglnINRCvz1V0qwq40uYTD5i9KDgQ3sRbLJ0ND/AB3kxDn
6/xZnKdRaQrOC9yGoR5ukQcLdsZn92tBBcprLhy6Xb/fOh53ekGNxrlmUACGRR9s
yD4m1/5Yhxr2cCxBppcJAQp9Ml1Zk8+aO7TG7GK1dU58r0kDkOqCBei0mwSRVL0V
cO1sMyofOw+SOouwXne+XHwxY2/T2LaXq9jqm/hCZGMYwYr2Tg/ttysnkeJ40cNS
E2Bx8AUCjwhfNfS2RWZCea2XlyHyzxNMMQV8NsABbvFp4Ab0BVRr7wEazZAJIv88
IGrpzHLndfD/7zxEdDAnurJiHEaypaY6RzFh1vXeb8JMZJfbTlZFYj5GWpQvsX2G
zVdiOOkaC/82PqYO8+c+xPXQKdfsMmyTDq6Wz+QC6gyFmUJu6VR4xMC5WR74DmK3
bCG1VDy44d50/IbFBD8iNWhBfPbjEimuIIzwnwSYD8vUuNbbBvMuQwpCbYd9CduP
lZSnqkG7xG25Pvx0bbzUtFuZvaT+wxYRo2ggG8WiJ9lRs0x4LvhM/y8WMeBFkt/5
sT9RhAmLzEaUyIreOdK2JgzG0p+FtRAxvBsaVwlDTdSpwBZAK7VCgnPOqmaK+zey
eW5Zap6A7wM=
=YXtV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.