mcabber: CVE-2016-9928: remote attacker can modify the roster and intercept messages via a crafted roster-push IQ stanza

Related Vulnerabilities: CVE-2016-9928, CVE-2015-8688

Debian Bug report logs - #845258


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 21 Nov 2016 20:45:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions mcabber/0.10.1-3, mcabber/0.10.2-1

Fixed in versions mcabber/0.10.1-3+deb7u1, mcabber/0.10.2-1.1, mcabber/1.0.4-1

Done: Franziska Lichtblau <rhalina@old-forest.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Franziska Lichtblau <rhalina@old-forest.org>:
Bug#845258; Package src:mcabber. (Mon, 21 Nov 2016 20:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Franziska Lichtblau <rhalina@old-forest.org>. (Mon, 21 Nov 2016 20:45:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mcabber: remote attacker can modify the roster and intercept messages via a crafted roster-push IQ stanza
Date: Mon, 21 Nov 2016 21:40:46 +0100
Source: mcabber
Version: 0.10.2-1
Severity: important
Tags: security upstream fixed-upstream

Hi

See
https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033

This is identical to CVE-2015-8688 for gajim, but a separate CVE will
be issued. I will update the bug accordingly once issued.

Regards,
Salvatore
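The flaw behind this bug is a roster push accepted from an arbitrary sender. The check that RFC 6121 section 2.1.6 requires (ignore a roster push unless it has no 'from' attribute or its 'from' equals the user's own bare JID) is shown below as an added example in Python; it is not mcabber's code and not the upstream commit linked above. The JIDs, the stanzas and the roster structure are constructed for illustration.

```python
"""Roster-push sender check.

Added example, not code from mcabber or from its upstream fix. RFC 6121,
section 2.1.6: a client MUST ignore a roster push unless the <iq/> has no
'from' attribute or its 'from' equals the user's own bare JID. A client
that applies pushes from any sender lets a remote contact add, rename or
remove roster entries. JIDs and stanzas below are constructed samples.
"""
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"
MY_JID = "alice@example.com/mcabber"  # constructed: the local user's full JID


def bare_jid(jid: str) -> str:
    """Strip the resource: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def _parse_push(stanza_xml: str):
    """Return the <iq/> element if this is a well-formed roster push, else None."""
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return None
    # The stanza may or may not carry the jabber:client default namespace.
    if iq.tag.split("}")[-1] != "iq" or iq.get("type") != "set":
        return None
    if iq.find(f"{{{ROSTER_NS}}}query") is None:
        return None
    return iq


def roster_push_trusted(stanza_xml: str, my_jid: str) -> bool:
    """True only for a push relayed by our own server (no 'from') or sent
    explicitly from our own bare JID; every other sender must be ignored."""
    iq = _parse_push(stanza_xml)
    if iq is None:
        return False
    sender = iq.get("from")
    # Exact match on the bare JID as the RFC states. Full JID canonicalisation
    # (case folding, stringprep) is omitted in this illustration.
    return sender is None or sender == bare_jid(my_jid)


def apply_roster_push(roster: dict, stanza_xml: str, my_jid: str) -> dict:
    """Return an updated copy of the roster; untrusted pushes leave it unchanged."""
    updated = dict(roster)
    if not roster_push_trusted(stanza_xml, my_jid):
        return updated
    query = _parse_push(stanza_xml).find(f"{{{ROSTER_NS}}}query")
    for item in query.findall(f"{{{ROSTER_NS}}}item"):
        jid = item.get("jid")
        if item.get("subscription") == "remove":
            updated.pop(jid, None)
        else:
            updated[jid] = {"name": item.get("name"),
                            "subscription": item.get("subscription", "none")}
    return updated


# Constructed stanzas: one relayed by the user's own server (no 'from'),
# and one sent by an unrelated account that tries to rewrite the roster.
SERVER_PUSH = """<iq type='set' id='push1'>
  <query xmlns='jabber:iq:roster'>
    <item jid='bob@example.com' name='Bob' subscription='both'/>
  </query>
</iq>"""

FOREIGN_PUSH = """<iq type='set' id='push2' from='mallory@example.org'>
  <query xmlns='jabber:iq:roster'>
    <item jid='bob@example.com' subscription='remove'/>
    <item jid='mallory@example.org' name='Bob' subscription='both'/>
  </query>
</iq>"""

if __name__ == "__main__":
    roster = apply_roster_push({}, SERVER_PUSH, MY_JID)
    print("after server push:", roster)
    print("foreign push trusted?", roster_push_trusted(FOREIGN_PUSH, MY_JID))
    print("after foreign push:", apply_roster_push(roster, FOREIGN_PUSH, MY_JID))
```

The second stanza is what a vulnerable client would have applied: the real contact is dropped and an entry with the same display name pointing at a different account is added, which is how roster tampering turns into message interception. The check rejects it before any item is touched; a detection rule on the client or server side can log roster pushes whose 'from' is present and is not the recipient's bare JID.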



Marked as fixed in versions mcabber/0.10.1-3+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Nov 2016 10:18:04 GMT) (full text, mbox, link).


Marked as found in versions mcabber/0.10.1-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Nov 2016 10:18:05 GMT) (full text, mbox, link).


Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 10 Dec 2016 06:24:02 GMT) (full text, mbox, link).


Changed Bug title to 'mcabber: CVE-2016-9928: remote attacker can modify the roster and intercept messages via a crafted roster-push IQ stanza' from 'mcabber: remote attacker can modify the roster and intercept messages via a crafted roster-push IQ stanza'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 12 Dec 2016 05:27:03 GMT) (full text, mbox, link).


Reply sent to Christian Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Thu, 22 Dec 2016 21:15:16 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 22 Dec 2016 21:15:16 GMT) (full text, mbox, link).


Message #18 received at 845258-close@bugs.debian.org (full text, mbox, reply):

From: Christian Hofstaedtler <zeha@debian.org>
To: 845258-close@bugs.debian.org
Subject: Bug#845258: fixed in mcabber 0.10.2-1.1
Date: Thu, 22 Dec 2016 21:11:05 +0000
Source: mcabber
Source-Version: 0.10.2-1.1

We believe that the bug you reported is fixed in the latest version of
mcabber, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 845258@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hofstaedtler <zeha@debian.org> (supplier of updated mcabber package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Dec 2016 20:22:46 +0000
Source: mcabber
Binary: mcabber
Architecture: source
Version: 0.10.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Franziska Lichtblau <rhalina@old-forest.org>
Changed-By: Christian Hofstaedtler <zeha@debian.org>
Description:
 mcabber    - small Jabber (XMPP) console client
Closes: 845258
Changes:
 mcabber (0.10.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply patch to fix CVE-2016-9928. (Closes: #845258)
Checksums-Sha1:
 0d39d7ee4be4e8fd1309efa4517f535bb7bb7694 2011 mcabber_0.10.2-1.1.dsc
 2b0c2ef7ae87fa20c77c7e07ed57cccc5bc80ab6 11548 mcabber_0.10.2-1.1.debian.tar.xz
Checksums-Sha256:
 743fbdc6ad1cf4866a85ade537fec8900f008b1b368256bcc90a363516cd4a04 2011 mcabber_0.10.2-1.1.dsc
 d1eb5ace54586ec2f154c6fcc624ee9b3a5871e8609ae3c5802d52e2f2de4dc4 11548 mcabber_0.10.2-1.1.debian.tar.xz
Files:
 4b7c881e2034e477fe745fb3c1423cd2 2011 net optional mcabber_0.10.2-1.1.dsc
 afd51c6d8d695d44fdebd29504debc05 11548 net optional mcabber_0.10.2-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Franziska Lichtblau <rhalina@old-forest.org>:
You have taken responsibility. (Fri, 23 Dec 2016 21:51:10 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 23 Dec 2016 21:51:10 GMT) (full text, mbox, link).


Message #23 received at 845258-close@bugs.debian.org (full text, mbox, reply):

From: Franziska Lichtblau <rhalina@old-forest.org>
To: 845258-close@bugs.debian.org
Subject: Bug#845258: fixed in mcabber 1.0.4-1
Date: Fri, 23 Dec 2016 21:50:04 +0000
Source: mcabber
Source-Version: 1.0.4-1

We believe that the bug you reported is fixed in the latest version of
mcabber, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 845258@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Franziska Lichtblau <rhalina@old-forest.org> (supplier of updated mcabber package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 20 Dec 2016 13:50:12 +0100
Source: mcabber
Binary: mcabber
Architecture: source amd64
Version: 1.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Franziska Lichtblau <rhalina@old-forest.org>
Changed-By: Franziska Lichtblau <rhalina@old-forest.org>
Description:
 mcabber    - small Jabber (XMPP) console client
Closes: 845258
Changes:
 mcabber (1.0.4-1) unstable; urgency=medium
 .
   * New upstream version which fixes roster push attacks (CVE-2016-9928,
     closes: #845258)
Checksums-Sha1:
 7fcd68875c11ab49b1b3a0a01cc565aec5958e90 1958 mcabber_1.0.4-1.dsc
 bfb2217a722d5893f585699d137884814991d935 605462 mcabber_1.0.4.orig.tar.bz2
 993aa737f0a2a45224a001163777e4fb381a3c14 4728 mcabber_1.0.4-1.debian.tar.xz
 968c052e00e8ecf404a2ce3799c76e6a9a82405c 396398 mcabber-dbgsym_1.0.4-1_amd64.deb
 ea5d00c807defa2a3f359ce195644428f6c85566 6804 mcabber_1.0.4-1_amd64.buildinfo
 e045b75a7c7128a058e48152744b90654851d6a3 267934 mcabber_1.0.4-1_amd64.deb
Checksums-Sha256:
 0c2639b9a7900bdfd1b9e8aefea7333f887b67a6259976bb2d61bf817e7ec219 1958 mcabber_1.0.4-1.dsc
 63b6bc003fcceba4dc4b273ed1c71643c4f8d95e8696543d53f64a7672b1ce0a 605462 mcabber_1.0.4.orig.tar.bz2
 a42c8dafc9a03af2b57e43453167b7b4c61a6147d63f56b32fd814ce332f2af8 4728 mcabber_1.0.4-1.debian.tar.xz
 73c982eb21f2efcd8c25ce5b0c994bf7653c49517b96098c6b3896fdb08b0497 396398 mcabber-dbgsym_1.0.4-1_amd64.deb
 2c2338ab7bcaa782ef8d3f6daffc9a6fd395f54ca268c57de7e99a9778c3482c 6804 mcabber_1.0.4-1_amd64.buildinfo
 2164fc6fd441f3c688e181d4656ce6e89e6bff7f78e99b96dc17f9adfde3f92a 267934 mcabber_1.0.4-1_amd64.deb
Files:
 6c5d53642277a71fb62bae04c3cc9f0e 1958 net optional mcabber_1.0.4-1.dsc
 81ffa7866458b4853f4f155f09f05fb3 605462 net optional mcabber_1.0.4.orig.tar.bz2
 4b301f6ed3034a833231a15932039921 4728 net optional mcabber_1.0.4-1.debian.tar.xz
 b9da98a4a0cb9bb53bdbef078a258221 396398 debug extra mcabber-dbgsym_1.0.4-1_amd64.deb
 b22755739a86cc56b9db83bb6ac4bb9a 6804 net optional mcabber_1.0.4-1_amd64.buildinfo
 2c194cb7a32f823c8e62970966554c76 267934 net optional mcabber_1.0.4-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Jul 2017 07:41:43 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:21:22 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.