Bug#177103: marked as done (gabber: privacy leak)

Sat, 17 May 2008 06:21:15 -0700 

Your message dated Sat, 17 May 2008 14:13:36 +0100
with message-id <[EMAIL PROTECTED]>
and subject line gabber has been removed from Debian, closing #177103
has caused the Debian Bug report #177103,
regarding gabber: privacy leak
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
177103: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=177103
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message --- 
Package: gabber
Version: 0.8.7-2
Severity: normal

In gabber-0.8.7/src/GabberWin.cc   I see this code:

     // Send out autoupdate request
     string autoupdateJID = "956878967";             // Gabber's clientID on 
jabbercentral
     autoupdateJID += "@update.jabber.org/";         // the only place to grab 
updates right now
     autoupdateJID += ConfigManager::get_VERSION();  // Gabber's version
     G_App->getSession() << Presence(autoupdateJID, Presence::ptAvailable);


This is astonishing.  This means even though I may have set up a
private jabber server for me and my friends to use, whoever runs
update.jabber.org can track when I or my friends login (worse) or that
we even exist (bad enough).

This feature should at least be configurable, and default to disabled,
if not removed completely.

This was apparently announced on some security related mailing list
within the past few days, but I haven't been able to find mention of
it in any of the archives.  And this has apparently already been fixed
(removed) in the upstream maintainer's CVS tree.  See the note on the
gabber web page at http://gabber.sourceforge.net/.

                        -Tim Shepard
                         [EMAIL PROTECTED]

--- End Message ---
--- Begin Message --- 
Version: 0.8.8-9.1+rm

The gabber package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.

For more information about this package's removal, read
http://bugs.debian.org/460764 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

--
Marco Rodrigues
http://Marco.Tondela.org

--- End Message ---

Reply via email to