Patch attached, thanks zash.
hrmpf, wrong patch, even though git should handle that gracefully. This one is right.
diff --git a/extensions/xep-0288.xml b/extensions/xep-0288.xml index b94baf1..6d3b2f6 100755 --- a/extensions/xep-0288.xml +++ b/extensions/xep-0288.xml @@ -220,7 +220,7 @@ C: <db:result from='capulet.lit' to='conference.montague.lit' type='valid'/> <section1 topic='Security Considerations' anchor='security'> <p>This specification introduces no security considerations above and beyond those discussed in <cite>RFC 6120</cite> or <cite>XEP-0220</cite>. <!-- one might explain why not... http://mail.jabber.org/pipermail/xmppwg/2004-February/002026.html --> - Note that the impact of the "unsolicited server dialback" attack described in <cite>XEP-0220</cite> is considerably larger for bidirectional streams, e.g. a vulnerability which allows spoofing might also route messages to the wrong targets. Additionally, dialback elements with a "type" attribute also need to be handled in incoming connections.</p> + Note that bidirectionality may broaden the impact of an attack that allows spoofing of XMPP stanzas (such as the "unsolicited server dialback" attack described in <cite>XEP-0220</cite> or the usage of compromised certificates) by delivering stanzas to the wrong target.</p> </section1> <section1 topic='XMPP Registrar Considerations' anchor='registrar'> <section2 topic='Protocol Namespaces' anchor='registrar-ns'> @@ -242,6 +242,6 @@ C: <db:result from='capulet.lit' to='conference.montague.lit' type='valid'/> <p>This document requires no interaction with &IANA;.</p> </section1> <section1 topic='Acknowledgements' anchor='ack'> - <p>Thanks to Justin Karneges and Torje Henriksen.</p> + <p>Thanks to Justin Karneges, Torje Henriksen and Kim Alvefur.</p> </section1> </xep>
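Review bot: In the Security Considerations hunk (@@ -220,7 +220,7 @@), the replacement line drops the old requirement that dialback elements with a "type" attribute also need to be handled in incoming connections, and nothing in the visible lines replaces it. That sentence is the one piece of the old note that tells an implementer what to do, so either keep it as a second sentence after the new one or confirm it is already stated normatively elsewhere in the document. Two smaller points on the same line: the paragraph still opens with "This specification introduces no security considerations above and beyond those discussed in RFC 6120 or XEP-0220" and then goes on to describe an impact that bidirectionality broadens, so the opening would read more consistently if it were qualified; and "delivering stanzas to the wrong target" would be clearer if it said that a spoofed peer on a bidirectional stream also receives stanzas addressed to the spoofed domain, not only sends stanzas in its name.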
