~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2013-05-30
Candidate: CVE-2013-1431
PublicDate: 2013-09-23
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1431
 http://www.openwall.com/lists/oss-security/2013/05/30
 http://www.debian.org/security/2013/dsa-2702
 http://www.ubuntu.com/usn/usn-1873-1
Description:
 The Wocky module in Telepathy Gabble before 0.16.6 and 0.17.x before
 0.17.4, when connecting to a "legacy Jabber server," does not properly
 enforce the WockyConnector:tls-required flag, which allows remote attackers
 to bypass TLS verification and perform man-in-the-middle attacks.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.freedesktop.org/show_bug.cgi?id=65036
Priority: medium
Discovered-by: Maksim Otstavnov
Assigned-to: mdeslaur

Patches_telepathy-gabble:
 upstream: http://cgit.freedesktop.org/wocky/commit/?id=ff317a2783058e8e90fac21bd8ba18359c5401f9
 upstream: http://cgit.freedesktop.org/telepathy/telepathy-gabble/commit/?id=c1d101558de76e3ebacd05fb032764a126d28468 (related?)
 upstream: http://cgit.freedesktop.org/telepathy/telepathy-gabble/commit/?id=1e99c77f8d8a686c4c1714a959c062bda6dc0c44 (test)
upstream_telepathy-gabble: released (0.16.6-1)
lucid_telepathy-gabble: ignored (reached end-of-life)
precise_telepathy-gabble: released (0.16.0-0ubuntu3.1)
quantal_telepathy-gabble: released (0.16.1-2ubuntu0.1)
raring_telepathy-gabble: released (0.16.5-0ubuntu1.1)
devel_telepathy-gabble: not-affected (0.16.6-1ubuntu1)