Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 547
Alerts This Week
Warning Icon 1 547

Gentoo: GLSA-201707-14 Normal: Gajim Remote Access Risk

gentoo
Calendar Grey July 10, 2017
Dist Gentoo Esm H88
Secure your Gajim installation on Gentoo Linux against information disclosure risks by following these detailed update steps to protect your conversations
A vulnerability in Gajim might allow remote attackers to intercept encrypted communications.

Summary

Gajim unconditionally implements the "XEP-0146: Remote Controlling Clients" extension.

Resolution

All Gajim users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-im/gajim-0.16.6-r1"

References

[ 1 ] CVE-2016-10376 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10376

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201707-14
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: Gajim: Information disclosure
Date: July 10, 2017
Bugs: #620146
ID: 201707-14

Synopsis

A vulnerability in Gajim might allow remote attackers to intercept encrypted communications.

Background

Gajim is a Jabber/XMPP client which uses GTK+.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-im/gajim < 0.16.6-r1 >= 0.16.6-r1

Impact

===== Remote attackers, by enticing a user to connect to a malicious XMPP server, could extract plaintext from Off The Record (OTR) encrypted sessions.

Workaround

There is no known workaround at this time.