Debian Security Advisory DSA 2702-1 (telepathy-gabble - TLS verification bypass)

Information

Severity

Severity

Medium

Family

Family

Debian Local Security Checks

CVSSv2 Base

CVSSv2 Base

6.8

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Solution Type

Solution Type

Vendor Patch

Created

Created

8 years ago

Modified

Modified

6 months ago

Summary

Maksim Otstavnov discovered that the Wocky submodule used by telepathy-gabble, the Jabber/XMPP connection manager for the Telepathy framework, does not respect the tls-required flag on legacy Jabber servers. A network intermediary could use this vulnerability to bypass TLS verification and perform a man-in-the-middle attack.

Affected Software

Affected Software

telepathy-gabble on Debian Linux

Detection Method

Detection Method

This check tests the installed software version using the apt package manager.

Solution

Solution

For the oldstable distribution (squeeze), this problem has been fixed in version 0.9.15-1+squeeze2. For the stable distribution (wheezy), this problem has been fixed in version 0.16.5-1+deb7u1. For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 0.16.6-1. We recommend that you upgrade your telepathy-gabble packages.

Common Vulnerabilities and Exposures (CVE)

Want the latest vulnerabilities news?

Sign up to stay up to date. It is free and always will be.

Processing. Please wait...

We care about the protection of your data. Read our Privacy Policy.