Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 30 May 2013 15:54:26 +0100
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-1431: telepathy-gabble: TLS bypass via use of legacy Jabber

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Maksim Otstavnov reported a vulnerability in the Wocky submodule used by
telepathy-gabble, an XMPP client implementation for the Telepathy
framework. A network intermediary could use this vulnerability to bypass
TLS verification and perform a man-in-the-middle attack. The Debian
security team has allocated CVE-2013-1431 for this vulnerability.

This vulnerability is fixed in telepathy-gabble 0.16.6 [0]. All
versions since 0.9.x are believed to be vulnerable. The patch
described below is likely to apply to all affected versions without
modification.

If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP)
server, fixed versions of telepathy-gabble will not connect to that
server until you make one of these configuration changes:

• upgrade the server software to something that supports XMPP 1.0; or
• use an encrypted "old SSL" connection, typically on port 5223
  (old-ssl); or
• turn off "Encryption required (TLS/SSL)" (require-encryption).

Since the vulnerable code is in a git submodule, distributors with
tarball-based builds for telepathy-gabble will need to apply a patch
with suitably adjusted paths. A suitable patch[1] is available from
the Telepathy bug report[2]. Distributors who will patch the Wocky
submodule directly can take the patch from the git commit[3].

In the current development branch, versions 0.17.0 to 0.17.3 are
vulnerable; the upcoming 0.17.4 release will fix this vulnerability.

Regards,
    Simon

[0]
http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz

http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz.asc
[1] https://bugs.freedesktop.org/attachment.cgi?id=79894
[2] https://bugs.freedesktop.org/show_bug.cgi?id=65036
[3]
cgit.freedesktop.org/wocky/commit/?id=ff317a2783058e8e90fac21bd8ba18359c5401f9
-----BEGIN PGP SIGNATURE-----

iQIVAwUBUadoIk3o/ypjx8yQAQjp2g//ahF56sVtw5M0z7SVR8HXgXpvgwkoiV9C
9jAdfp12d4fePF0tmUjglnINRCvz1V0qwq40uYTD5i9KDgQ3sRbLJ0ND/AB3kxDn
6/xZnKdRaQrOC9yGoR5ukQcLdsZn92tBBcprLhy6Xb/fOh53ekGNxrlmUACGRR9s
yD4m1/5Yhxr2cCxBppcJAQp9Ml1Zk8+aO7TG7GK1dU58r0kDkOqCBei0mwSRVL0V
cO1sMyofOw+SOouwXne+XHwxY2/T2LaXq9jqm/hCZGMYwYr2Tg/ttysnkeJ40cNS
E2Bx8AUCjwhfNfS2RWZCea2XlyHyzxNMMQV8NsABbvFp4Ab0BVRr7wEazZAJIv88
IGrpzHLndfD/7zxEdDAnurJiHEaypaY6RzFh1vXeb8JMZJfbTlZFYj5GWpQvsX2G
zVdiOOkaC/82PqYO8+c+xPXQKdfsMmyTDq6Wz+QC6gyFmUJu6VR4xMC5WR74DmK3
bCG1VDy44d50/IbFBD8iNWhBfPbjEimuIIzwnwSYD8vUuNbbBvMuQwpCbYd9CduP
lZSnqkG7xG25Pvx0bbzUtFuZvaT+wxYRo2ggG8WiJ9lRs0x4LvhM/y8WMeBFkt/5
sT9RhAmLzEaUyIreOdK2JgzG0p+FtRAxvBsaVwlDTdSpwBZAK7VCgnPOqmaK+zey
eW5Zap6A7wM=
=YXtV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.