Package: gajim
Version: 0.16.6-1
Severity: grave
Tags: patch security upstream
grave, because it introduces a security hole allowing unencrypted access to supposedly encrypted messages.

Gajim implements XEP-0146 unconditionally, which allows other clients to access certain user data. This can be abused by malicious XMPP servers:
https://dev.gajim.org/gajim/gajim/issues/8378

It seems that XMPP experts already plan to deprecate the feature:
https://mail.jabber.org/pipermail/standards/2016-August/031335.html

Gajim upstream made the feature opt-in, which is IMHO good enough for now:
https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc

We just need to apply the change to the Debian package.
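A practical check for whether a running client still exposes XEP-0146 is to ask it for its ad-hoc command list (XEP-0050 disco#items on the commands node) and look for nodes under the XEP-0146 namespace. The script below is an added example written for this report; it is not part of the bug, of Gajim or of the Debian package. It builds the request stanza and parses a result; the JIDs and the two sample results are constructed for the example, and the command node names follow XEP-0146 (which set a given client advertises is an assumption here).

```python
import xml.etree.ElementTree as ET

NS_DISCO_ITEMS = "http://jabber.org/protocol/disco#items"  # XEP-0030
NODE_COMMANDS = "http://jabber.org/protocol/commands"       # XEP-0050 ad-hoc commands
NS_RC = "http://jabber.org/protocol/rc"                     # XEP-0146 command node prefix


def build_commands_query(from_jid: str, to_jid: str, iq_id: str = "rc-check-1") -> str:
    """Build the disco#items request that asks a full JID which ad-hoc commands
    it offers. Send it from one of your own resources to another to see whether
    that client still advertises remote control."""
    iq = ET.Element("iq", {"type": "get", "id": iq_id, "from": from_jid, "to": to_jid})
    ET.SubElement(iq, "query", {"xmlns": NS_DISCO_ITEMS, "node": NODE_COMMANDS})
    return ET.tostring(iq, encoding="unicode")


def remote_control_commands(disco_items_result: str) -> list:
    """Parse a disco#items result and return the XEP-0146 command nodes it lists
    (sorted). Anything that is not a commands-node result yields an empty list."""
    iq = ET.fromstring(disco_items_result)
    query = iq.find(f"{{{NS_DISCO_ITEMS}}}query")
    if query is None or query.get("node") != NODE_COMMANDS:
        return []
    nodes = [item.get("node", "") for item in query.findall(f"{{{NS_DISCO_ITEMS}}}item")]
    return sorted(n for n in nodes if n == NS_RC or n.startswith(NS_RC + "#"))


def advertises_remote_control(disco_items_result: str) -> bool:
    """True if the client behind this result can be remote-controlled via XEP-0146."""
    return bool(remote_control_commands(disco_items_result))


# Constructed sample result from a client that still exposes remote control
# (assumed JIDs; the node names are XEP-0146's, the advertised set is made up).
EXPOSED = """<iq type='result' id='rc-check-1' from='alice@example.org/laptop' to='alice@example.org/phone'>
  <query xmlns='http://jabber.org/protocol/disco#items' node='http://jabber.org/protocol/commands'>
    <item jid='alice@example.org/laptop' node='http://jabber.org/protocol/rc#set-status' name='Change status'/>
    <item jid='alice@example.org/laptop' node='http://jabber.org/protocol/rc#forward' name='Forward unread messages'/>
    <item jid='alice@example.org/laptop' node='http://jabber.org/protocol/rc#set-options' name='Change client options'/>
  </query>
</iq>"""

# Constructed sample result from a client with the feature switched off: no commands at all.
HARDENED = """<iq type='result' id='rc-check-1' from='alice@example.org/laptop' to='alice@example.org/phone'>
  <query xmlns='http://jabber.org/protocol/disco#items' node='http://jabber.org/protocol/commands'/>
</iq>"""


if __name__ == "__main__":
    print(build_commands_query("alice@example.org/phone", "alice@example.org/laptop"))
    for label, result in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, advertises_remote_control(result), remote_control_commands(result))
```

Send the request over any connected XMPP library and feed the reply to `remote_control_commands`. Note that the reply arrives through the server, so a server you do not trust can forge both the result and, more importantly, the commands themselves; the disco check only tells you whether your client is offering the commands, which is exactly what the opt-in switch in the upstream commit turns off.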