Subject: [ASA-201702-11] kdenetwork-kopete: content spoofing

Arch Linux Security Advisory ASA-201702-11
==========================================

Severity: Medium
Date    : 2017-02-12
CVE-ID  : CVE-2017-5593
Package : kdenetwork-kopete
Type    : content spoofing
Remote  : Yes
Link    : https://security.archlinux.org/AVG-173

Summary
=======

The package kdenetwork-kopete before version 16.12.2-2 is vulnerable to
content spoofing.

Resolution
==========

Upgrade to 16.12.2-2.

# pacman -Syu "kdenetwork-kopete>=16.12.2-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

An incorrect implementation of "XEP-0280: Message Carbons" in multiple
XMPP clients allows a remote attacker to impersonate any user, including
contacts, in the vulnerable application's display. This allows for
various kinds of social engineering attacks.

Impact
======

A remote attacker might impersonate any user, including contacts, by
sending a crafted message.

References
==========

https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/
http://openwall.com/lists/oss-security/2017/02/09/29
https://security.archlinux.org/CVE-2017-5593
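The check the Description refers to, as an added example that is not Kopete's code: XEP-0280 requires a client to ignore any carbon copy whose outer `from` is not the user's own bare JID, since only the user's own server may forward copies of their conversations. The Python validator below (standard library only; the JIDs and stanzas are constructed placeholders) accepts a forwarded message only when the outer stanza came from the user's own account and rejects the same inner message when a third party wraps it.

```python
import xml.etree.ElementTree as ET

NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"
NS_CLIENT = "jabber:client"


def bare_jid(jid):
    """Drop the resource and case-fold (a simplification of full JID normalization)."""
    return jid.split("/", 1)[0].lower()


def check_carbon(stanza_xml, own_bare_jid):
    """Apply the XEP-0280 rule: accept a carbon only if the outer <message>
    comes from our own bare JID (i.e. from our server); otherwise ignore it.
    Returns (accepted, inner_sender, body)."""
    outer = ET.fromstring(stanza_xml)
    wrapper = None
    for kind in ("received", "sent"):
        wrapper = outer.find(f"{{{NS_CARBONS}}}{kind}")
        if wrapper is not None:
            break
    if wrapper is None:
        return (False, None, None)  # not a carbon; handle as an ordinary message
    outer_from = outer.get("from")
    # RFC 6120: a stanza with no 'from' is from the user's own account, so it
    # passes; any sender other than our own bare JID is rejected.
    if outer_from is not None and bare_jid(outer_from) != bare_jid(own_bare_jid):
        return (False, None, None)
    inner = wrapper.find(f"{{{NS_FORWARD}}}forwarded/{{{NS_CLIENT}}}message")
    if inner is None:
        return (False, None, None)
    return (True, inner.get("from"), inner.findtext(f"{{{NS_CLIENT}}}body"))


# Constructed sample stanzas (JIDs are placeholders, not from the advisory).
LEGIT_CARBON = """<message xmlns="jabber:client" from="alice@example.org"
  to="alice@example.org/laptop">
  <received xmlns="urn:xmpp:carbons:2"><forwarded xmlns="urn:xmpp:forward:0">
    <message xmlns="jabber:client" from="bob@example.org/phone"
      to="alice@example.org/desk" type="chat"><body>lunch at 12?</body></message>
  </forwarded></received></message>"""

# Same inner message, but the outer stanza was sent by a third party, not our server.
SPOOFED_CARBON = LEGIT_CARBON.replace('from="alice@example.org"', 'from="mallory@example.net"', 1)

if __name__ == "__main__":
    print(check_carbon(LEGIT_CARBON, "alice@example.org"))    # (True, 'bob@example.org/phone', 'lunch at 12?')
    print(check_carbon(SPOOFED_CARBON, "alice@example.org"))  # (False, None, None)
```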