Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package sleekxmpp Two bug fixes from upstream 1.3.2 have been taken to patch 1.3.1 against bugs #854739 (CVE-2017-5591, grave) and #851900 (Fails to connect to servers that only support TLS 1.1 or TLS 1.2, important).
diff -Nru sleekxmpp-1.3.1/debian/changelog sleekxmpp-1.3.1/debian/changelog
--- sleekxmpp-1.3.1/debian/changelog 2016-12-25 22:28:41.000000000 +0100
+++ sleekxmpp-1.3.1/debian/changelog 2017-04-03 02:04:06.000000000 +0200
@@ -1,3 +1,16 @@
+sleekxmpp (1.3.1-6) unstable; urgency=medium + + * Fix CVE-2017-5591: + An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows + a remote attacker to impersonate any user, including contacts, in the + vulnerable application's display. This allows for various kinds of social + engineering attacks. (Closes: #854739) + * Use ssl.get_protocol_name() to find out which TLS version is + in use (allows the latest TLS versions to be used as well as any future + versions). (Closes: #851900) + + -- W. Martin Borgert <deba...@debian.org> Mon, 03 Apr 2017 00:04:06 +0000 + sleekxmpp (1.3.1-5) unstable; urgency=medium + * use debhelper 9 compat
diff -Nru sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch
--- sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch 1970-01-01 01:00:00.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch 2017-04-03 02:04:06.000000000 +0200 
@@ -0,0 +1,24 @@
+Description: Use ssl.get_protocol_name() to find out which TLS version is
+ in use (allows the latest TLS versions to be used as well as any future
+ versions).
+Author: Chris Snijder <ch...@greenhost.nl>
+Origin: upstream, https://github.com/fritzy/SleekXMPP/commit/6ebcf6b60d879e31e41bac58ba7db6ea760579b9
+Bug-Debian: https://bugs.debian.org/851900
+Last-Update: 2017-04-02
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sleekxmpp/xmlstream/xmlstream.py
++++ b/sleekxmpp/xmlstream/xmlstream.py
+@@ -839,8 +839,10 @@ def start_tls(self):
+ to be restarted.
+ """
+ log.info("Negotiating TLS")
+- ssl_versions = {3: 'TLS 1.0', 1: 'SSL 3', 2: 'SSL 2/3'}
+- log.info("Using SSL version: %s", ssl_versions[self.ssl_version])
++ log.info(
++ "Using SSL version: %s",
++ ssl.get_protocol_name(self.ssl_version).replace('PROTOCOL_', '', 1)
++ )
+ if self.ca_certs is None:
+ cert_policy = ssl.CERT_NONE
+ else:
diff -Nru sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch
--- sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch 1970-01-01 01:00:00.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch 2017-04-03 02:04:06.000000000 +0200 
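Review bot: `ssl.get_protocol_name()` on the new log line is not part of the documented `ssl` API (it is a module-level helper inside CPython's ssl.py), so on an interpreter that does not ship it the log call would raise `AttributeError` and abort `start_tls` for the same symptom #851900 reported; a defensive form is `getattr(ssl, 'get_protocol_name', str)(self.ssl_version)` in front of the `.replace(...)`. In CPython the helper returns `'<unknown>'` for a code it does not know rather than raising, so the `KeyError` the removed dict produced for TLS 1.1/1.2 constants is gone, which is the actual fix; the change affects only the log text, not which protocol is negotiated. Separately, the context lines show `cert_policy = ssl.CERT_NONE` whenever `self.ca_certs is None`, i.e. the handshake proceeds without certificate verification unless a CA bundle was configured; that predates this patch and is out of scope for the unblock, but deserves a follow-up bug. `start_tls` begins and ends outside the inner hunk.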
@@ -0,0 +1,29 @@
+Description: fix for CVE-2017-5591
+ An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows a
+ remote attacker to impersonate any user, including contacts, in the vulnerable
+ application's display. This allows for various kinds of social engineering
+ attacks.
+Author: mathieui <git...@mathieui.net>
+Origin: other, https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb471
+Bug: https://github.com/fritzy/SleekXMPP/issues/442
+Bug-Debian: https://bugs.debian.org/854739
+Last-Update: 2017-03-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sleekxmpp/plugins/xep_0280/carbons.py
++++ b/sleekxmpp/plugins/xep_0280/carbons.py
+@@ -61,10 +61,12 @@
+ self.xmpp.plugin['xep_0030'].add_feature('urn:xmpp:carbons:2')
+
+ def _handle_carbon_received(self, msg):
+- self.xmpp.event('carbon_received', msg)
++ if msg['from'].bare == self.xmpp.boundjid.bare:
++ self.xmpp.event('carbon_received', msg)
+
+ def _handle_carbon_sent(self, msg):
+- self.xmpp.event('carbon_sent', msg)
++ if msg['from'].bare == self.xmpp.boundjid.bare:
++ self.xmpp.event('carbon_sent', msg)
+
+ def enable(self, ifrom=None, block=True, timeout=None, callback=None):
+ iq = self.xmpp.Iq()
diff -Nru sleekxmpp-1.3.1/debian/patches/series sleekxmpp-1.3.1/debian/patches/series
--- sleekxmpp-1.3.1/debian/patches/series 2015-12-29 22:44:03.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/series 2017-04-03 02:04:06.000000000 +0200
@@ -1 +1,3 @@
+CVE-2017-5591.patch
 0001-get-rid-of-embedded-copies-dateutil-gnupg-ordereddic.patch
+002-fix_tls_version_check.patch
unblock sleekxmpp/1.3.1-6
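Review bot: The new guards in `_handle_carbon_received` and `_handle_carbon_sent` drop a forged carbon silently, so an impersonation attempt leaves no trace for the user or an operator; a one-line `log.warning("Ignoring carbon not from our own bare JID: %s", msg['from'])` in an `else` branch would make the attack detectable (assuming the module has a `log` — none is visible in this hunk). The bare-JID comparison is exactly the check XEP-0280's security considerations require, and it fails closed if `msg['from']` yields an empty JID when the attribute is absent, as I believe SleekXMPP's stanza interface does; it does rely on both sides being case-normalized by the JID class, which is worth confirming for the domain part. The DEP-3 Description, like the changelog entry, still says "slixmpp" because it was copied from the poezio commit; for this package it should read "sleekxmpp". The enclosing plugin class starts and ends outside the inner hunk.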