Bug 1390134 (CVE-2016-9107)

Summary: CVE-2016-9107 gajim: OTR leaks cleartext when using XHTML
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: lemenkov, mschmidt
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-31 16:03:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1390136, 1390137
Bug Blocks:

Description Andrej Nemec 2016-10-31 09:39:06 UTC
A cleartext leak vulnerability when using XHTML was found in gajim.

Upstream bug:

https://trac-plugins.gajim.org/ticket/145

Upstream patch:

https://trac-plugins.gajim.org/changeset/c7c2e519ed63377bc943dd01c4661b0fe49321ae

Comment 1 Andrej Nemec 2016-10-31 09:39:49 UTC
Created gajim tracking bugs for this issue:

Affects: fedora-all [bug 1390136]
Affects: epel-all [bug 1390137]

Comment 2 Michal Schmidt 2016-10-31 16:03:32 UTC
NOTABUG, because we don't ship the OTR plugin in the package.

Users may install the plugin through the GUI. Then Gajim's plugin installer is responsible for notifying the user about plugin updates. Gajim OTR users probably already have the fixed plugin installed.