Date: Fri, 9 Dec 2016 21:19:06 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Hi Sam Whited discovered that MCabber versions 1.0.3 and before, was vulnerable to an attack identical to Gajim's CVE-2015-8688  which can lead to a malicious actor MITMing a conversation, or adding themselves as an entity on a third parties roster (thereby granting themselves the associated priviledges such as observing when the user is online). The issue was fixed in the 1.0.4 release, with patch found at . Can a CVE be assigned for this issue? Regards, Salvatore  https://gultsch.de/gajim_roster_push_and_message_interception.html  https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw  https://bugs.debian.org/845258
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.