Bug 960668 (CVE-2015-8688) - VUL-0: CVE-2015-8688: gajim: Message interception due to unverified origin of roster push
Summary: VUL-0: CVE-2015-8688: gajim: Message interception due to unverified origin of...
Status: RESOLVED FIXED
Alias: CVE-2015-8688
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other openSUSE 42.1
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/160334/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-05 08:46 UTC by Johannes Segitz
Modified: 2016-01-13 17:10 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-01-05 08:46:29 UTC 
rh#1295475

gajim doesn’t verify the origin of roster pushes thus allowing third parties to modify the roster: http://gultsch.de/gajim_roster_push_and_message_interception.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1295475
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8688
Comment 1 Andreas Stieger 2016-01-05 15:26:08 UTC 
openSUSE only: openSUSE:Leap:42.1:Update/gajim
Comment 2 Andreas Stieger 2016-01-05 15:32:58 UTC 
update is running, thanks.
Comment 3 Andreas Stieger 2016-01-13 13:46:01 UTC 
Releasing update.
Comment 4 Swamp Workflow Management 2016-01-13 17:10:58 UTC 
openSUSE-SU-2016:0102-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 960668
CVE References: CVE-2015-8688
Sources used:
openSUSE Leap 42.1 (src):    gajim-0.16.5-4.1