Debian Security Advisory

DSA-3943-1 gajim -- security update

Date Reported:
14 Aug 2017
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 863445.
In Mitre's CVE dictionary: CVE-2016-10376.
More information:

Gajim, a GTK+-based XMPP/Jabber client, unconditionally implements the "XEP-0146: Remote Controlling Clients" extension, allowing a malicious XMPP server to trigger commands to leak private conversations from encrypted sessions. With this update XEP-0146 support has been disabled by default and made opt-in via the remote_commands option.

For the oldstable distribution (jessie), this problem has been fixed in version 0.16-1+deb8u2.

For the stable distribution (stretch), this problem has been fixed prior to the initial release.

We recommend that you upgrade your gajim packages.