Bug#857546: profanity: Server certificates are not verified
Followup-For: Bug #857546

Hi,

libstrophe has got a fix on 4 July 2017 and I've submitted a corresponding bug report [1]. So thanks to Dmitry Podgorny (pasis) there is no need anymore to make a package for a forked version. Hopefully development continues on the original libstrophe.

Regards,
Andrey

[1] https://bugs.debian.org/870053
Bug#857546: profanity: Server certificates are not verified
Hi Tomasz,

Tomasz Buchert writes:
> it seems unlikely that we will be able to fix this for stretch. This
> would require a new package upload and this is already a
> no-go. Personally I think that forking libstrophe in the first place
> was not a great idea, but I may lack some context.

Ok, is there no policy to allow a new package upload if it fixes a serious security issue?

> I don't know what will be the best way to proceed. Maybe we can clearly
> specify in the manpage/--help/during-the-first-run that profanity does
> not verify cert chains and the user is responsible for providing a safe
> channel, via SSH tunnel or similar, for example?

Sounds good. Are there plans then to package libmesode? An updated profanity that is built against libmesode could then be provided in Stretch Backports.

Best regards,
Wolfgang

-- 
Website: https://fossencdi.org
OpenPGP: 0F30 D1A0 2F73 F70A 6FEE 048E 5816 A24C 1075 7FC4
Key download: https://wiedmeyer.de/keys/ww.asc
Bug#857546: profanity: Server certificates are not verified
On 12/03/17 13:53, Wolfgang Wiedmeyer wrote:
> Package: profanity
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> Profanity is not built against libmesode[1]. Libmesode is a fork of
> libstrophe that allows validating the certificate chain. Upstream bug
> #280 provides more information[2]. Libmesode doesn't seem to be packaged
> yet in Debian.
>
> If Profanity does not verify the XMPP server's certificate using
> Debian's store of known CA certificates, users' passwords, text messages
> and other sensitive information can be intercepted.
>
> Best regards,
> Wolfgang
>

Hi Wolfgang,

it seems unlikely that we will be able to fix this for stretch. This would require a new package upload and this is already a no-go. Personally I think that forking libstrophe in the first place was not a great idea, but I may lack some context.

I don't know what will be the best way to proceed. Maybe we can clearly specify in the manpage/--help/during-the-first-run that profanity does not verify cert chains and the user is responsible for providing a safe channel, via SSH tunnel or similar, for example?

Tomasz
Bug#857546: profanity: Server certificates are not verified
Package: profanity
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

Profanity is not built against libmesode[1]. Libmesode is a fork of libstrophe that allows validating the certificate chain. Upstream bug #280 provides more information[2]. Libmesode doesn't seem to be packaged yet in Debian.

If Profanity does not verify the XMPP server's certificate using Debian's store of known CA certificates, users' passwords, text messages and other sensitive information can be intercepted.

Best regards,
Wolfgang

[1] https://github.com/boothj5/libmesode
[2] https://github.com/boothj5/profanity/issues/280

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-grsec-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
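The report above describes a TLS client that negotiates encryption but never checks the server's certificate chain against the system CA store, which is what lets an on-path party read passwords and messages. The Python snippet below is an added illustration, not code from profanity, libstrophe, libmesode or this bug thread: it places the unverified client configuration next to a verifying one that uses Debian's CA bundle, and audits an `ssl.SSLContext` for the properties the report asks for. The bundle path `/etc/ssl/certs/ca-certificates.crt`, the function names and the use of XMPP's direct-TLS port 5223 are assumptions of the example.

```python
import socket
import ssl

# Debian's system CA bundle, the "store of known CA certificates" in the report.
# Assumed path: the ca-certificates package installs it here on Debian.
DEBIAN_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def unverified_client_context() -> ssl.SSLContext:
    """Client setting equivalent to the reported behaviour: TLS is negotiated
    but neither the chain nor the hostname is checked, so any certificate,
    including one presented by an on-path party, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_client_context(ca_bundle: str = DEBIAN_CA_BUNDLE) -> ssl.SSLContext:
    """Client setting that validates the chain against the system store and
    matches the certificate to the server name given at connect time."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    try:
        ctx.load_verify_locations(cafile=ca_bundle)
    except OSError:
        ctx.load_default_verify_paths()  # non-Debian layout: OpenSSL's defaults
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """List what a client context lacks if it is to verify the server at all."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate not matched to server name")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded: nothing to validate the chain against")
    return findings


def connect_xmpp_tls(host: str, ctx: ssl.SSLContext, port: int = 5223) -> dict:
    """Open a direct-TLS XMPP connection and return the decoded peer certificate
    (Python leaves it empty when the context did not validate it). With
    verifying_client_context() an untrusted chain or a name mismatch raises
    ssl.SSLCertVerificationError instead of silently connecting."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```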