Debian Security Advisory
DSA-3943-1 gajim -- security update
- Date Reported: 14 Aug 2017
- Affected Packages: gajim
- Vulnerable: Yes
- Security database references:
  In the Debian bugtracking system: Bug 863445.
  In Mitre's CVE dictionary: CVE-2016-10376.
- More information:
Gajim, a GTK+-based XMPP/Jabber client, unconditionally implements the "XEP-0146: Remote Controlling Clients" extension, allowing a malicious XMPP server to trigger commands to leak private conversations from encrypted sessions. With this update XEP-0146 support has been disabled by default and made opt-in via the remote_commands option.

For the oldstable distribution (jessie), this problem has been fixed in version 0.16-1+deb8u2.
For the stable distribution (stretch), this problem has been fixed prior to the initial release.
We recommend that you upgrade your gajim packages.
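As an added post-upgrade check (not part of the advisory or of Gajim itself), the script below compares the installed gajim version against the jessie fix version using a pure-Python reimplementation of dpkg's version ordering, and reports whether the remote_commands option has been re-enabled. It assumes the Gajim configuration lives in ~/.config/gajim/config as one "key = value" per line; both that path and the format are assumptions, not taken from the advisory.

```python
import re
import subprocess
from pathlib import Path

FIXED_VERSION = "0.16-1+deb8u2"  # jessie fix version from DSA-3943-1


def _order(c: str) -> int:
    # dpkg character ordering: '~' < end of string < letters < everything else
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    # compare alternating non-digit / digit runs, as dpkg does for each part
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(sa), len(sb))):
            d = _order(sa[i:i + 1]) - _order(sb[i:i + 1])
            if d:
                return d
        a, b = a[len(sa):], b[len(sb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        d = int(da or 0) - int(db or 0)
        if d:
            return d
        a, b = a[len(da):], b[len(db):]
    return 0


def debian_version_cmp(v1: str, v2: str) -> int:
    # split "[epoch:]upstream[-revision]" and compare epoch, upstream, revision in turn
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep:
            upstream, rev = rest, ""
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return debian_version_cmp(installed, fixed) >= 0


def remote_commands_enabled(config_text: str) -> bool:
    # after the fix XEP-0146 is off unless a "remote_commands = True" line opts back in (assumed format)
    for line in config_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "remote_commands":
            return val.strip().lower() == "true"
    return False


if __name__ == "__main__":
    ver = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "gajim"],
                         capture_output=True, text=True).stdout.strip()
    print("gajim", ver, "fixed" if is_fixed(ver) else "below " + FIXED_VERSION)
    cfg = Path.home() / ".config" / "gajim" / "config"  # assumed location
    if cfg.exists():
        print("remote_commands enabled:", remote_commands_enabled(cfg.read_text()))
```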