Maksim Otstavnov reported a vulnerability in the Wocky submodule used by telepathy-gabble, an XMPP client implementation for the Telepathy framework. A network intermediary could use this vulnerability to bypass TLS verification and perform a man-in-the-middle attack. The Debian security team has allocated CVE-2013-1431 for this vulnerability. This vulnerability is fixed in telepathy-gabble 0.16.6 [0]. All versions since 0.9.x are believed to be vulnerable. The patch described below is likely to apply to all affected versions without modification. If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP) server, fixed versions of telepathy-gabble will not connect to that server until you make one of these configuration changes: upgrade the server software to something that supports XMPP 1.0; or use an encrypted "old SSL" connection, typically on port 5223 (old-ssl); or turn off "Encryption required (TLS/SSL)" (require-encryption). Since the vulnerable code is in a git submodule, distributors with tarball-based builds for telepathy-gabble will need to apply a patch with suitably adjusted paths. A suitable patch[1] is available from the Telepathy bug report[2]. Distributors who will patch the Wocky submodule directly can take the patch from the git commit[3]. In the current development branch, versions 0.17.0 to 0.17.3 are vulnerable; the upcoming 0.17.4 release will fix this vulnerability. Regards, Simon [0] http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz.asc [1] https://bugs.freedesktop.org/attachment.cgi?id=79894 [2] https://bugs.freedesktop.org/show_bug.cgi?id=65036 [3] http://cgit.freedesktop.org/wocky/commit/?id=ff317a2783058e8e90fac21bd8ba18359c5401f9