RE: [SECURITY] [DSA 2702-1] telepathy-gabble security update
Not installed
-----Original Message-----
From: Salvatore Bonaccorso [mailto:carnil@master.debian.org] On Behalf Of Salvatore Bonaccorso
Sent: Monday, June 03, 2013 2:41 PM
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 2702-1] telepathy-gabble security update
Importance: High
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2702-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
June 03, 2013 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : telepathy-gabble
Vulnerability : TLS verification bypass
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-1431
Maksim Otstavnov discovered that the Wocky submodule used by
telepathy-gabble, the Jabber/XMPP connection manager for the Telepathy
framework, does not respect the tls-required flag on legacy Jabber
servers. A network intermediary could use this vulnerability to bypass
TLS verification and perform a man-in-the-middle attack.
For the oldstable distribution (squeeze), this problem has been fixed in
version 0.9.15-1+squeeze2.
For the stable distribution (wheezy), this problem has been fixed in
version 0.16.5-1+deb7u1.
For the testing distribution (jessie) and the unstable distribution
(sid), this problem has been fixed in version 0.16.6-1.
We recommend that you upgrade your telepathy-gabble packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCgAGBQJRrN7oAAoJEHidbwV/2GP+w7UQAPdyY+3efgaylM7RFwzpI46R
zoGZBdjOBNwjKMIKRC2T77R8UOk5IAHCxTTW0SPI4gfbAktIP+w9TTMd5KnpIyH3
7ATwATgEVbtaNdLLLlGd5mBy3GbJ/FbshJcpk8K5vKMGMgQDrzLO87N+zW4XwTda
JuaRl0s9n7enFADtDNZggYX/2KFNft2t4FVHJFjN3kX64oeTJ+E77oeD2J+pt5+T
Dv+MlL2+cmE0jNzKIEvRQ8fudNCeHlfkfAT24vxlHUnj/JXxl9jxtGFiFDurvc7j
5d18QvvJAL2MtcTxMqbdeiYW3Xf2aVKg/E+a9DfEqM6DHEKwNy8+rezvAuB4Evlv
6PTA5y8+L0ML2jgYGdyVYT9QKcLmbrXRJEB12x7qF/nDEi2Hem+I5lhwe9pxGAZV
TVO99XWUZ4ynS8NSMCnGOlwBy7hQlTP/DHlAlSRv9M+rcjyAPNXZXXKQXsA1e8f6
K7xYlhzde1mjBjWL+qaaNyaBYpNsczjFwHs3BZVeWHzXtIp8UkRs8/Q1GUbE9q80
OyFgFMIViY4Th1Gasvf6Whnkf0oysm1DdIyor1lvDphnTRYFl+KVumaTYyTtyq19
reOK8uK4+R+809xa7uX3a0bZbTbPD3IAKfyf1ohUnUW+RgAKelMgCw1E2msfa/XT
uUo0CA7JK1ajStmkolxg
=nfk7
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/E1UjZgV-000672-0m@master.debian.org
This e-mail and any files transmitted with it are the property of Arthrex, Inc. and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender at 239-643-5553 and delete this message immediately from your computer. Any other use, retention, dissemination forwarding, printing or copying of this e-mail is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, while Arthrex uses virus protection, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
Reply to: