Your message dated Mon, 03 Apr 2017 11:43:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#859382: unblock: sleekxmpp/1.3.1-6
has caused the Debian Bug report #859382,
regarding unblock: sleekxmpp/1.3.1-6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
859382: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859382
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package sleekxmpp
Two bug fixes from upstream 1.3.2 have been taken to patch 1.3.1
against bugs #854739 (CVE-2017-5591, grave) and #851900 (Fails
to connect to servers that only support TLS 1.1 or TLS 1.2,
important).
diff -Nru sleekxmpp-1.3.1/debian/changelog sleekxmpp-1.3.1/debian/changelog
--- sleekxmpp-1.3.1/debian/changelog 2016-12-25 22:28:41.000000000 +0100
+++ sleekxmpp-1.3.1/debian/changelog 2017-04-03 02:04:06.000000000 +0200
@@ -1,3 +1,16 @@
+sleekxmpp (1.3.1-6) unstable; urgency=medium
+
+ * Fix CVE-2017-5591:
+ An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows
+ a remote attacker to impersonate any user, including contacts, in the
+ vulnerable application's display. This allows for various kinds of social
+ engineering attacks. (Closes: #854739)
+ * Use ssl.get_protocol_name() to find out which TLS version is
+ in use (allows the latest TLS versions to be used as well as any future
+ versions). (Closes: #851900)
+
+ -- W. Martin Borgert <[email protected]> Mon, 03 Apr 2017 00:04:06 +0000
+
sleekxmpp (1.3.1-5) unstable; urgency=medium
* use debhelper 9 compat
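Review bot: The CVE-2017-5591 entry (the lines beginning `An incorrect implementation of XEP-0280: Message Carbons in slixmpp`) names slixmpp, the fork the fix was taken from, although this changelog belongs to the sleekxmpp package; reword it to `in SleekXMPP` so the entry does not read as if it describes a different package. The rest of the entry matches the two patches added to the series below.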
diff -Nru sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch
sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch
--- sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch
1970-01-01 01:00:00.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch
2017-04-03 02:04:06.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Use ssl.get_protocol_name() to find out which TLS version is
+ in use (allows the latest TLS versions to be used as well as any future
+ versions).
+Author: Chris Snijder <[email protected]>
+Origin: upstream,
https://github.com/fritzy/SleekXMPP/commit/6ebcf6b60d879e31e41bac58ba7db6ea760579b9
+Bug-Debian: https://bugs.debian.org/851900
+Last-Update: 2017-04-02
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sleekxmpp/xmlstream/xmlstream.py
++++ b/sleekxmpp/xmlstream/xmlstream.py
+@@ -839,8 +839,10 @@ def start_tls(self):
+ to be restarted.
+ """
+ log.info("Negotiating TLS")
+- ssl_versions = {3: 'TLS 1.0', 1: 'SSL 3', 2: 'SSL 2/3'}
+- log.info("Using SSL version: %s", ssl_versions[self.ssl_version])
++ log.info(
++ "Using SSL version: %s",
++ ssl.get_protocol_name(self.ssl_version).replace('PROTOCOL_', '',
1)
++ )
+ if self.ca_certs is None:
+ cert_policy = ssl.CERT_NONE
+ else:
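Review bot: The removed `ssl_versions` dict (`{3: 'TLS 1.0', 1: 'SSL 3', 2: 'SSL 2/3'}`) covers only three protocol constants, so `ssl_versions[self.ssl_version]` raised KeyError for any other value, which is the #851900 failure; the replacement `ssl.get_protocol_name(self.ssl_version)` consults the ssl module's own name table and returns a placeholder instead of raising for codes it does not know, so this is the right shape of fix. It is worth stating in the DEP-3 Description that the hunk changes only the log line: the negotiated version is still governed by `self.ssl_version`, which this hunk does not touch, so the change stops the crash but does not by itself alter which versions are accepted.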
diff -Nru sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch
sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch
--- sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch 1970-01-01
01:00:00.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch 2017-04-03
02:04:06.000000000 +0200
@@ -0,0 +1,29 @@
+Description: fix for CVE-2017-5591
+ An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows a
+ remote attacker to impersonate any user, including contacts, in the vulnerable
+ application's display. This allows for various kinds of social engineering
+ attacks.
+Author: mathieui <[email protected]>
+Origin: other,
https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb471
+Bug: https://github.com/fritzy/SleekXMPP/issues/442
+Bug-Debian: https://bugs.debian.org/854739
+Last-Update: 2017-03-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sleekxmpp/plugins/xep_0280/carbons.py
++++ b/sleekxmpp/plugins/xep_0280/carbons.py
+@@ -61,10 +61,12 @@
+ self.xmpp.plugin['xep_0030'].add_feature('urn:xmpp:carbons:2')
+
+ def _handle_carbon_received(self, msg):
+- self.xmpp.event('carbon_received', msg)
++ if msg['from'].bare == self.xmpp.boundjid.bare:
++ self.xmpp.event('carbon_received', msg)
+
+ def _handle_carbon_sent(self, msg):
+- self.xmpp.event('carbon_sent', msg)
++ if msg['from'].bare == self.xmpp.boundjid.bare:
++ self.xmpp.event('carbon_sent', msg)
+
+ def enable(self, ifrom=None, block=True, timeout=None, callback=None):
+ iq = self.xmpp.Iq()
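Review bot: The added guard `if msg['from'].bare == self.xmpp.boundjid.bare:` in both `_handle_carbon_received` and `_handle_carbon_sent` drops a carbon whose outer `from` is not the user's own bare JID, which is the correct condition (XEP-0280 carbons are forwarded by the user's own server, so any other sender is a forgery), but a rejected carbon is discarded silently. Consider adding an `else:` branch that logs the offending `from` at warning level, so that an impersonation attempt against a deployed client shows up in its logs rather than vanishing. Also, the DEP-3 Description still says `in slixmpp`, which should read sleekxmpp for this package, and the `Origin:` commit id appears shorter than a full 40-character hash, so verify the URL before upload.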
diff -Nru sleekxmpp-1.3.1/debian/patches/series
sleekxmpp-1.3.1/debian/patches/series
--- sleekxmpp-1.3.1/debian/patches/series 2015-12-29 22:44:03.000000000
+0100
+++ sleekxmpp-1.3.1/debian/patches/series 2017-04-03 02:04:06.000000000
+0200
@@ -1 +1,3 @@
+CVE-2017-5591.patch
0001-get-rid-of-embedded-copies-dateutil-gnupg-ordereddic.patch
+002-fix_tls_version_check.patch
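Review bot: The patch names in `series` follow three different conventions (`CVE-2017-5591.patch`, `0001-...`, `002-...`), and the new CVE patch is inserted ahead of the existing `0001-` patch while the TLS fix goes after it. As long as the three patches apply independently this is only cosmetic, but consistent numbering (for example `0002-` and `0003-`, appended after the existing patch) would make the intended application order obvious and avoid quilt ordering surprises in later updates.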
unblock sleekxmpp/1.3.1-6
--- End Message ---
--- Begin Message ---
W. Martin Borgert:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package sleekxmpp
>
> Two bug fixes from upstream 1.3.2 have been taken to patch 1.3.1
> against bugs #854739 (CVE-2017-5591, grave) and #851900 (Fails
> to connect to servers that only support TLS 1.1 or TLS 1.2,
> important).
>
> [...]
>
> unblock sleekxmpp/1.3.1-6
>
Unblocked, thanks.
~Niels
--- End Message ---