gajim: CVE-2015-8688: Message interception due to unverified origin of roster push


Debian Bug report logs - #809900

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 4 Jan 2016 19:49:08 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version gajim/0.16-1

Fixed in version gajim/0.16.5-0.1

Done: Norbert Tretkowski <norbert@tretkowski.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#809900; Package src:gajim. (Mon, 04 Jan 2016 19:49:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 04 Jan 2016 19:49:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gajim: CVE-2015-8688: Message interception due to unverified origin of roster push
Date: Mon, 04 Jan 2016 20:48:00 +0100
Source: gajim
Version: 0.16-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for gajim.

CVE-2015-8688[0]:
Message interception due to unverified origin of roster push

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8688
[1] http://gultsch.de/gajim_roster_push_and_message_interception.html
[2] https://trac.gajim.org/changeset/af78b7c068904d78c5dfb802826aae99f26a8947/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
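The origin check the report title refers to, as an added example (not code from gajim, python-nbxmpp, or the Debian package). RFC 6121 section 2.1.6 requires a client to ignore a roster push unless the iq stanza has no 'from' attribute or its 'from' is the user's own bare JID; a client that skips that check lets any third party add or rename entries in the victim's roster, which is the route to message interception the title names. The account JID, the four stanzas and the function names below are constructed for this example, and JID comparison is simplified to lowercasing where a real client must apply full stringprep/PRECIS normalisation.

```python
import xml.etree.ElementTree as ET

NS_ROSTER = "jabber:iq:roster"
QUERY_TAG = "{%s}query" % NS_ROSTER
ITEM_TAG = "{%s}item" % NS_ROSTER


def bare_jid(jid):
    """'alice@example.org/laptop' -> 'alice@example.org'."""
    return jid.split("/", 1)[0]


def same_jid(a, b):
    """Compare two bare JIDs.  Lowercasing stands in for the stringprep/PRECIS
    normalisation a real client must apply (simplification of this example)."""
    return a.strip().lower() == b.strip().lower()


def roster_push_is_trusted(iq, own_jid):
    """RFC 6121 section 2.1.6: ignore a roster push unless the <iq/> has no
    'from' attribute or 'from' equals the user's own bare JID.  Anything
    else (another user, a server we did not log in to) must be ignored."""
    if iq.tag.split("}")[-1] != "iq" or iq.get("type") != "set":
        return False
    if iq.find(QUERY_TAG) is None:
        return False
    sender = iq.get("from")
    if sender is None:
        return True                      # implicit: from our own account
    return same_jid(sender, bare_jid(own_jid))


def push_accepted(stanza, own_jid):
    """Parse a stanza string and run the origin check on it."""
    return roster_push_is_trusted(ET.fromstring(stanza), own_jid)


def apply_roster_push(roster, stanza, own_jid):
    """Return a copy of `roster` with the push applied; an untrusted push leaves
    the roster untouched.  roster: {jid: {"name": ..., "subscription": ...}}."""
    updated = dict(roster)
    iq = ET.fromstring(stanza)
    if not roster_push_is_trusted(iq, own_jid):
        return updated
    for item in iq.find(QUERY_TAG).findall(ITEM_TAG):
        jid = item.get("jid")
        if item.get("subscription") == "remove":
            updated.pop(jid, None)
        else:
            updated[jid] = {"name": item.get("name", ""),
                            "subscription": item.get("subscription", "none")}
    return updated


# --- constructed sample stanzas (not captured traffic) ---------------------
OWN_JID = "alice@example.org/laptop"

# Normal push from our server: no 'from', so it is implicitly our own account.
LEGIT_PUSH = """<iq type='set' id='push1'>
  <query xmlns='jabber:iq:roster'>
    <item jid='bob@example.org' name='Bob' subscription='both'/>
  </query>
</iq>"""

# Also legitimate: 'from' is our own bare JID.
LEGIT_PUSH_FROM = """<iq type='set' id='push2' from='alice@example.org' to='alice@example.org/laptop'>
  <query xmlns='jabber:iq:roster'>
    <item jid='carol@example.org' name='Carol' subscription='to'/>
  </query>
</iq>"""

# A third party labels its own JID with a trusted contact's name.  A client
# that applied this would display "Bob" for an attacker-controlled address,
# and messages the user sends to that entry would reach the attacker.
FORGED_PUSH = """<iq type='set' id='push3' from='mallory@evil.example' to='alice@example.org/laptop'>
  <query xmlns='jabber:iq:roster'>
    <item jid='bob.example.org@evil.example' name='Bob' subscription='both'/>
  </query>
</iq>"""

# Legitimate removal push (no 'from').
REMOVE_PUSH = """<iq type='set' id='push4'>
  <query xmlns='jabber:iq:roster'>
    <item jid='bob@example.org' subscription='remove'/>
  </query>
</iq>"""


if __name__ == "__main__":
    roster = {}
    for label, stanza in [("legit", LEGIT_PUSH), ("legit-from", LEGIT_PUSH_FROM),
                          ("forged", FORGED_PUSH), ("remove", REMOVE_PUSH)]:
        roster = apply_roster_push(roster, stanza, OWN_JID)
        print("%-10s accepted=%-5s roster=%s"
              % (label, push_accepted(stanza, OWN_JID), sorted(roster)))
```

The check is deliberately strict: a 'from' carrying our own full JID, or a look-alike such as alice@example.org.evil.example, is rejected just like a stranger's, and a roster fetch result (type='result') is not treated as a push at all.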



Added indication that bug 809900 blocks 650601. Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Mon, 04 Jan 2016 23:09:34 GMT)


Removed indication that bug 809900 blocks 650601. Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Mon, 04 Jan 2016 23:33:19 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#809900; Package src:gajim. (Tue, 26 Jan 2016 14:51:03 GMT)


Acknowledgement sent to Norbert Tretkowski <norbert@tretkowski.de>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Tue, 26 Jan 2016 14:51:03 GMT)


Message #14 received at 809900@bugs.debian.org:

From: Norbert Tretkowski <norbert@tretkowski.de>
To: 809900@bugs.debian.org, control@bugs.debian.org
Subject: gajim: diff for NMU version 0.16.5-0.1
Date: Tue, 26 Jan 2016 15:41:37 +0100
control: tags 809900 + patch
control: tags 809900 + pending

Dear maintainer,

as promised, I've prepared an NMU for gajim (versioned as 0.16.5-0.1) to
fix a security issue and uploaded it to DELAYED/7.

Please feel free to tell me if I should delay it longer.


Regards,
Norbert
[gajim-0.16.5-0.1-nmu.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Added tag(s) pending. Request was from Norbert Tretkowski <norbert@tretkowski.de> to 809900-submit@bugs.debian.org. (Tue, 26 Jan 2016 14:51:04 GMT)


Reply sent to Norbert Tretkowski <norbert@tretkowski.de>:
You have taken responsibility. (Mon, 01 Feb 2016 21:42:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 01 Feb 2016 21:42:11 GMT)


Message #21 received at 809900-close@bugs.debian.org:

From: Norbert Tretkowski <norbert@tretkowski.de>
To: 809900-close@bugs.debian.org
Subject: Bug#809900: fixed in gajim 0.16.5-0.1
Date: Mon, 01 Feb 2016 21:38:39 +0000
Source: gajim
Source-Version: 0.16.5-0.1

We believe that the bug you reported is fixed in the latest version of
gajim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 809900@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <norbert@tretkowski.de> (supplier of updated gajim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 26 Jan 2016 15:19:54 +0100
Source: gajim
Binary: gajim
Architecture: source all
Version: 0.16.5-0.1
Distribution: unstable
Urgency: medium
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: Norbert Tretkowski <norbert@tretkowski.de>
Description:
 gajim      - GTK+-based Jabber client
Closes: 785521 809900
Changes:
 gajim (0.16.5-0.1) unstable; urgency=medium
 .
   * New upstream release. (closes: #785521)
   * SECURITY UPDATE: Update to 0.16.5 to fix security issue:
     - CVE-2015-8688: Message interception due to unverified origin of roster push
     - https://gultsch.de/gajim_roster_push_and_message_interception.html
     (closes: #809900)
   * debian/patches/fix-manpages.patch: remove deprecated patch, which has been
     applied upstream.
   * debian/control: require python-nbxmpp (>= 0.5.3)
Checksums-Sha1:
 81961c14e3edd167789d6112ef28987382061da6 1878 gajim_0.16.5-0.1.dsc
 c51b476cc92dbb10a8439aaf99e99d2b110dde3e 6154103 gajim_0.16.5.orig.tar.gz
 a9a51ca2fb4b265e93b02751e682342194c4bd22 7844 gajim_0.16.5-0.1.debian.tar.xz
 41c94932c653834807c9c3bd126b83c985a89a77 3052084 gajim_0.16.5-0.1_all.deb
Checksums-Sha256:
 88bc97094e57318a19c326b5a022e9e8b01842116cd59bc28c5d4e93b7385295 1878 gajim_0.16.5-0.1.dsc
 93bd8f8e04e3ebfbfcbd16e7bb34326fafbc0d9ff62e9719677aff44f608756c 6154103 gajim_0.16.5.orig.tar.gz
 2ac74b7e6824689c15cb763fe91351891539ae0b7509000efccfb7df17922d17 7844 gajim_0.16.5-0.1.debian.tar.xz
 bbfb497f2be147e461fe0745dc9113cd020699bb698f16e654faf12a621a8ac5 3052084 gajim_0.16.5-0.1_all.deb
Files:
 86661ec3baf4168580793407a36b7a88 1878 net optional gajim_0.16.5-0.1.dsc
 7667b9ae63e9a713b165085fd61fd0d1 6154103 net optional gajim_0.16.5.orig.tar.gz
 5bf12b5e2d4ebb73133f37b411cacc4e 7844 net optional gajim_0.16.5-0.1.debian.tar.xz
 4595b24c14014548bcc5c2e0160959fa 3052084 net optional gajim_0.16.5-0.1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Mar 2016 07:25:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:14:56 2019; Machine Name: buxtehude
