El dissabte, 11 de febrer de 2017, a les 13:59:01 CET, Pali Rohár va escriure: > Hello! > > I need to inform you that jabber protocol in Kopete is vulnerable to > CVE-2017-5593 (User Impersonation Vulnerability) due to defect in > underlying Psi xmpp library libiris -- which is part of Kopete source > tree. Note that Kopete is vulnerable even it does not support XEP-0280: > Message Carbons yet (because defect is in libiris).
This shows we should not be embedding libiris, is this something that can be worked on? Cheers, Albert > > All Kopete versions which are part of KDE 16.11.80 (and new) are > affected. > > Backported fix for libiris is now in Application/16.12 branch in commit > https://commits.kde.org/kopete/6243764c4fd0985320d4a10b48051cc418d584ad > > And so fix will be part of KDE 16.12.3 (Kopete 1.11.3). > > More information at: > https://bugs.kde.org/show_bug.cgi?id=376348 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5593 > http://seclists.org/oss-sec/2017/q1/373 > https://github.com/psi-im/iris/pull/47/commits/02e976d4426a1319a7af7d26d7aba > 9d8c6077570
