Your message dated Sat, 27 May 2017 00:18:45 +0000
with message-id <e1deprn-000hqh...@fasolo.debian.org>
and subject line Bug#863445: fixed in gajim 0.16.6-1.1
has caused the Debian Bug report #863445,
regarding possible to remote extract plain-text from encrypted sessions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
863445: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863445
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gajim
Version: 0.16.6-1
Severity: grave
Tags: patch security upstream
grave, because it introduces a security hole allowing unencrypted
access to supposedly encrypted messages
Gajim unconditionally implements XEP-0146, which allows other
clients to access certain user data. This can be abused by
malicious XMPP servers:
https://dev.gajim.org/gajim/gajim/issues/8378
It seems that XMPP experts already plan to deprecate the
feature:
https://mail.jabber.org/pipermail/standards/2016-August/031335.html
Gajim upstream made the feature an opt-in, which is IMHO good
enough for now:
https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
We just need to apply the change to the Debian package.
--- End Message ---
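The opt-in behaviour described in the report above, as an added example (not Gajim's code and not part of the original message): a default-deny gate for incoming XEP-0146 command requests. The setting name `remote_commands_enabled`, the function names and the sample stanzas are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

COMMANDS_NS = "http://jabber.org/protocol/commands"  # XEP-0050 ad-hoc commands
RC_NODE_PREFIX = "http://jabber.org/protocol/rc#"    # XEP-0146 command nodes

# Constructed sample stanzas (example.org addresses are placeholders).
SAMPLE_RC = (
    '<iq xmlns="jabber:client" type="set" id="c1" '
    'from="user@example.org/other" to="user@example.org/gajim">'
    '<command xmlns="http://jabber.org/protocol/commands" '
    'node="http://jabber.org/protocol/rc#set-status" action="execute"/></iq>'
)
SAMPLE_OTHER = SAMPLE_RC.replace(RC_NODE_PREFIX + "set-status", "config")
SAMPLE_MSG = '<message xmlns="jabber:client" type="chat"><body>hi</body></message>'


def is_remote_control_request(stanza_xml):
    """Return True for an <iq type='set'> carrying an XEP-0146 command node."""
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return False  # not well-formed XML, so not a command request
    # Compare the local tag name so the check works with or without xmlns.
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set":
        return False
    command = iq.find("{%s}command" % COMMANDS_NS)
    return command is not None and command.get("node", "").startswith(RC_NODE_PREFIX)


def decide(stanza_xml, remote_commands_enabled=False):
    """Return 'reject' for XEP-0146 requests unless the user opted in.

    remote_commands_enabled is a hypothetical setting; it defaults to False
    so the feature is off until the user turns it on.
    """
    if is_remote_control_request(stanza_xml) and not remote_commands_enabled:
        return "reject"
    return "process"


if __name__ == "__main__":
    for name, stanza in (("rc", SAMPLE_RC), ("other", SAMPLE_OTHER), ("msg", SAMPLE_MSG)):
        print(name, decide(stanza), decide(stanza, remote_commands_enabled=True))
```

Opting in still means trusting the server, since the report says a malicious XMPP server can abuse the feature.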
--- Begin Message ---
Source: gajim
Source-Version: 0.16.6-1.1
We believe that the bug you reported is fixed in the latest version of
gajim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
W. Martin Borgert <deba...@debian.org> (supplier of updated gajim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 26 May 2017 22:35:49 +0000
Source: gajim
Binary: gajim
Architecture: source all
Version: 0.16.6-1.1
Distribution: unstable
Urgency: high
Maintainer: Tanguy Ortolo <tanguy+deb...@ortolo.eu>
Changed-By: W. Martin Borgert <deba...@debian.org>
Description:
gajim - GTK+-based Jabber client
Closes: 863445
Changes:
gajim (0.16.6-1.1) unstable; urgency=high
.
* Non-maintainer upload.
* Apply upstream patch to make XEP-0146 opt-in (Closes: #863445)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---