FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

telepathy-gabble -- TLS verification bypass

Affected packages
telepathy-gabble < 0.16.6

Details

VuXML ID a3c2dee5-cdb9-11e2-b9ce-080027019be0
Discovery 2013-05-27
Entry 2013-06-05

Simon McVittie reports:

This release fixes a man-in-the-middle attack.

If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP) server, this version of Gabble will not connect until you make one of these configuration changes:

- upgrade the server software to something that supports XMPP 1.0; or
- use an encrypted "old SSL" connection, typically on port 5223 (old-ssl); or
- turn off "Encryption required (TLS/SSL)" (require-encryption).

References

CVE Name CVE-2013-1431
URL http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html