[Fedora] Vulnerability in Telepathy-Gabble - FEDORA-2011-1284

Dear colleagues,

We have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.

CVE-2011-1000 - Vulnerability in telepathy-gabble

In the Jabber (XMPP) connection manager of the Telepathy framework, the
source of google:jingleinfo update messages is not checked. This allows
a remote attacker to redirect media streams through a server of their
choosing and thus to intercept and eavesdrop on audio/video calls.
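
One way to implement the missing origin check, as an added example (not Gabble's actual patch and not part of the advisory): a google:jingleinfo push is accepted only when it carries no `from`, or when `from` is the account's own bare JID or its server's domain. The function name, the sample JIDs and the ASCII-only case folding are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ASCII-only case-insensitive compare of n bytes (simplification; real
 * code would compare stringprep-normalised JIDs). */
static bool eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Hypothetical helper: may a google:jingleinfo push update relay/STUN
 * settings?  from = the stanza's "from" attribute (NULL if absent),
 * own_jid = our full JID, e.g. "alice@example.org/laptop". */
bool jingleinfo_sender_trusted(const char *from, const char *own_jid) {
    if (from == NULL)
        return true;              /* no "from": sent by our own server */
    if (strchr(from, '/') != NULL)
        return false;             /* full JID: a client, e.g. a contact */

    size_t flen = strlen(from);
    size_t bare = strcspn(own_jid, "/");      /* length of node@domain */
    if (flen == bare && eq_nocase(from, own_jid, flen))
        return true;              /* our account's bare JID */

    const char *at = memchr(own_jid, '@', bare);
    const char *dom = at ? at + 1 : own_jid;  /* our server's domain */
    size_t dlen = bare - (size_t)(dom - own_jid);
    return flen == dlen && eq_nocase(from, dom, dlen);
}

int main(void) {
    const char *own = "alice@example.org/laptop";   /* constructed JIDs */
    const char *senders[] = { NULL, "alice@example.org", "example.org",
                              "mallory@evil.example/phone", "mallory@example.org" };
    for (size_t i = 0; i < sizeof senders / sizeof *senders; i++)
        printf("%-28s %s\n", senders[i] ? senders[i] : "(no from)",
               jingleinfo_sender_trusted(senders[i], own) ? "accept" : "ignore");
    return 0;
}
```
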

The following software packages and platforms are affected:

Package telepathy-gabble, telepathy-glib

Fedora 15

The vendor provides revised packages.

(c) of the German summary held by DFN-CERT Services GmbH;
distribution, including in excerpts, is permitted only with attribution
to the author, DFN-CERT Services GmbH, and only for non-commercial
purposes.

Kind regards,
Michael Groening, DFN-CERT
--

Michael Groening (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / Register: Hamburg, Hamburg District Court, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages https://www.cert.dfn.de/autowarn

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-1284
2011-02-11 04:15:02
--------------------------------------------------------------------------------

Name : telepathy-glib
Product : Fedora 15
Version : 0.13.13
Release : 1.fc15
URL : http://telepathy.freedesktop.org/wiki/FrontPage
Summary : GLib bindings for Telepathy
Description :
Telepathy-glib is the glib bindings for the telepathy unified framework
for all forms of real time conversations, including instant messaging, IRC,
voice calls and video calls.

--------------------------------------------------------------------------------
Update Information:

Telepathy-Gabble changes, including a security fix:
* fd.o#32390: Gabble now treats a request for a ContactSearch channel with Server set to the empty string as equivalent to not specifying a server, and rejects requests where the JID specified for Server is invalid.
* fd.o#32874: Offline contacts are now assumed to support 1-1 text channels.
* fd.o#34048: Malicious contacts can no longer trick Gabble into relaying audio/video data via a server of their choosing.
* fd.o#32815: fallback-conference-server now defaults to conference.telepathy.im. Thus, if the user’s server doesn’t have a conference component configured, upgrading a 1-1 chat into an ad-hoc conference still works.
* fd.o#11291: support for xep-0092, Software Version.
* fd.o#33471: support for the FileTransfer.URI property.

Telepathy-Glib Enhancements include:
* Many doc fixes, including: TpBaseClientClass is now included; INCOMING_MESSAGES is now explained.
* Compiler flags reordered (clang is order-sensitive) to allow static analysis.
* Account Channel Requests now give you access to the originating TpChannelRequest.
* The speculative debug cache may now be disabled at compile time. tp_debug_sender_add_message_vprintf and tp_debug_sender_add_message_printf added to allow callers who care about optimisation to reduce debug overhead.
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update telepathy-glib' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
