On 12/03/17 13:53, Wolfgang Wiedmeyer wrote:
> Package: profanity
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> Profanity is not built against libmesode[1]. Libmesode is a fork of
> libstrophe that allows validating the certificate chain. Upstream bug
> #280 provides more information[2]. Libmesode doesn't seem to be packaged
> yet in Debian.
>
> If Profanity does not verify the xmpp server's certificate using
> Debian's store of known CA certificates, users' passwords, text messages
> and other sensitive information can be intercepted.
>
> Best regards,
> Wolfgang
>

Hi Wolfgang,

it seems unlikely that we will be able to fix this for stretch. This
would require a new package upload and this is already a
no-go. Personally I think that forking libstrophe in the first place
was not a great idea, but I may lack some context.

I don't know what will be the best way to proceed. Maybe we can clearly
specify in the manpage/--help/during-the-first-run that profanity does
not verify cert chains and the user is responsible for providing a safe
channel, via SSH tunnel or similar, for example?

Tomasz
