CVE-2015-8688

NameCVE-2015-8688
DescriptionGajim before 0.16.5 allows remote attackers to modify the roster and intercept messages via a crafted roster-push IQ stanza.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-413-1, DSA-3492-1
NVD severitymedium (attack range: remote)
Debian Bugs809900

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gajim (PTS)jessie (security), jessie0.16-1+deb8u2fixed
stretch0.16.6-1.1fixed
buster, sid1.0.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gajimsource(unstable)0.16.5-0.1medium809900
gajimsourcejessie0.16-1+deb8u1mediumDSA-3492-1
gajimsourcesqueeze0.13.4-3+squeeze4mediumDLA-413-1
gajimsourcewheezy0.15.1-4.1+deb7u1mediumDSA-3492-1

Notes

http://gultsch.de/gajim_roster_push_and_message_interception.html
https://trac.gajim.org/changeset/af78b7c068904d78c5dfb802826aae99f26a8947/
Search for package or bug name: Reporting problems