Bug 969196 - (CVE-2013-1431) CVE-2013-1431 telepathy-gabble: MitM and TLS verification bypass in Wocky submodule
CVE-2013-1431 telepathy-gabble: MitM and TLS verification bypass in Wocky sub...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 969198
  Show dependency treegraph
Reported: 2013-05-30 17:21 EDT by Vincent Danen
Modified: 2013-06-08 22:25 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-05-30 17:21:37 EDT
It was reported [1],[2] that a vulnerability exists in the Wocky submodule used by telepathy-gabble versions 0.9.x through to 0.16.5.  A malicious remote user could use this vulnerability to bypass TLS verification and perform a man-in-the-middle attack on a user using telepathy-gabble.  This flaw is fixed in the 0.16.6 release (and 0.17.4 development release) and the patch [3] is available for earlier versions.

[1] https://bugs.freedesktop.org/show_bug.cgi?id=65036
[2] http://www.openwall.com/lists/oss-security/2013/05/30/2
[3] cgit.freedesktop.org/wocky/commit/?id=ff317a2783058e8e90fac21bd8ba18359c5401f9
Comment 1 Vincent Danen 2013-05-30 17:22:33 EDT
Created telepathy-gabble tracking bugs for this issue

Affects: fedora-all [bug 969198]
Comment 2 Fedora Update System 2013-06-08 22:25:37 EDT
telepathy-gabble-0.16.6-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.