Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201706-4 ======================================== Severity: High Date : 2017-06-05 CVE-ID : CVE-2016-1037 Package : gajim Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-284 Summary ====== The package gajim before version 0.16.8-1 is vulnerable to information disclosure. Resolution ========= Upgrade to 0.16.8-1. # pacman -Syu "gajim>=0.16.8-1" The problem has been fixed upstream in version 0.16.8. Workaround ========= None. Description ========== Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions. Impact ===== A malicious attacker can extract user session data by leveraging the XEP-0146 (remote controlling clients) feature of the XMPP protocol, which is enabled by default. References ========= https://security.archlinux.org/CVE-2016-1037