Lucene search

Gentoo FoundationGLSA-201401-02

HistoryJan 06, 2014 - 12:00 a.m.

Gajim: Information disclosure

2014-01-0600:00:00

Gentoo Foundation

security.gentoo.org

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

61.4%

JSON

Background

Gajim is a Jabber/XMPP client which uses GTK+.

Description

The _ssl_verify_callback() function in tls_nb.py does not properly validate SSL certificates, causing any certificate to be accepted as valid as long as the root CA is valid.

Impact

A remote attacker might employ a specially crafted certificate to conduct man-in-the-middle attacks on SSL connections and potentially disclose sensitive information.

Workaround

There is no known workaround at this time.

Resolution

All Gajim users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=net-im/gajim-0.15.3-r1"

OSVersionArchitecturePackageVersionFilename
Gentooanyallnet-im/gajim< 0.15.3-r1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	net-im/gajim	< 0.15.3-r1	UNKNOWN

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

61.4%

JSON

Related for GLSA-201401-02