Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201601-3 ======================================== Severity: Medium Date : 2016-01-09 CVE-ID : CVE-2015-8688 Package : gajim Type : man-in-the-middle Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package gajim before version 0.16.5-1 is vulnerable to man-in-the-middle. Resolution ========= Upgrade to 0.16.5-1. # pacman -Syu "gajim>=0.16.5-1" The problem has been fixed upstream in version 0.16.5. Workaround ========= None. Description ========== It was found that gajim doesn't verify the origin of roster pushes thus allowing third parties to modify the roster. This vulnerability allows to intercept messages resulting in man-in-the-middle. Impact ===== A remote attacker is able to intercept messages due to unverified origin of roster resulting in man-in-the-middle. References ========= https://access.redhat.com/security/cve/CVE-2015-8688 https://gultsch.de/posts/gajim-roster-push_and-message-interception/ https://bugs.archlinux.org/task/47647