ArchLinux: 201601-3: gajim: man-in-the-middle
Summary
It was found that gajim does not verify the origin of roster pushes, allowing third parties to modify the roster. This vulnerability allows an attacker to intercept messages, resulting in a man-in-the-middle attack.
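The origin check that the fix adds, shown here as an added example rather than gajim's own code: a minimal roster-push handler that applies the RFC 6121 section 2.1.6 rule (ignore a push unless it has no 'from' or its 'from' is the user's own bare JID). The sample stanzas, the alice@example.org account and the helper names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"

# Constructed sample stanzas, not captured traffic. The first two are what a
# well-behaved server sends; the third carries a 'from' of some other entity.
PUSH_NO_FROM = """<iq type="set" id="push1">
  <query xmlns="jabber:iq:roster">
    <item jid="friend@example.org" name="Friend" subscription="both"/>
  </query></iq>"""
PUSH_FROM_OWN_ACCOUNT = """<iq type="set" id="push2" from="alice@example.org">
  <query xmlns="jabber:iq:roster">
    <item jid="friend@example.org" subscription="remove"/>
  </query></iq>"""
PUSH_FROM_THIRD_PARTY = """<iq type="set" id="push3" from="someone@other.example">
  <query xmlns="jabber:iq:roster">
    <item jid="friend@example.org" name="Friend" subscription="both"/>
  </query></iq>"""

def bare_jid(jid):
    """Drop the resource (user@domain/resource -> user@domain); lower-casing
    both parts is a simplification of the RFC 7622 JID comparison rules."""
    return jid.split("/", 1)[0].lower()

def roster_push_is_trusted(iq, own_bare_jid):
    """RFC 6121 section 2.1.6: a client MUST ignore a roster push unless it has
    no 'from' (implicitly from the user's own account) or 'from' is the user's
    own bare JID. The unfixed behaviour amounts to returning True for any sender."""
    if iq.get("type") != "set" or iq.find(f"{{{ROSTER_NS}}}query") is None:
        return False  # not a roster push at all
    sender = iq.get("from")
    return sender is None or bare_jid(sender) == bare_jid(own_bare_jid)

def handle_roster_push(roster, stanza_xml, own_bare_jid):
    """Apply a push to the in-memory roster dict only if its origin is trusted.
    Returns True when applied, False when the push was ignored."""
    iq = ET.fromstring(stanza_xml)
    if not roster_push_is_trusted(iq, own_bare_jid):
        return False
    for item in iq.find(f"{{{ROSTER_NS}}}query").findall(f"{{{ROSTER_NS}}}item"):
        contact = bare_jid(item.get("jid"))
        if item.get("subscription") == "remove":
            roster.pop(contact, None)
        else:
            roster[contact] = {"name": item.get("name", ""),
                               "subscription": item.get("subscription", "none")}
    return True
```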
Resolution
Upgrade to 0.16.5-1.
# pacman -Syu "gajim>=0.16.5-1"
The problem has been fixed upstream in version 0.16.5.
References
https://access.redhat.com/security/cve/CVE-2015-8688
https://gultsch.de/gajim_roster_push_and_message_interception.html
https://bugs.archlinux.org/task/47647
Workaround
None.