
[ASA-201706-4] gajim: information disclosure
Arch Linux Security Advisory ASA-201706-4
=========================================

Severity: High
Date    : 2017-06-05
CVE-ID  : CVE-2016-1037
Package : gajim
Type    : information disclosure
Remote  : Yes
Link    :

Summary
=======

The package gajim before version 0.16.8-1 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 0.16.8-1.

# pacman -Syu "gajim>=0.16.8-1"

The problem has been fixed upstream in version 0.16.8.

Workaround
==========

None.

Description
===========

Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote
Controlling Clients" extension. This can be abused by malicious XMPP servers
to, for example, extract plaintext from OTR encrypted sessions.

Impact
======

A malicious attacker can extract user session data by leveraging the XEP-0146
(remote controlling clients) feature of the XMPP protocol, which is enabled by
default.

References
==========
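The Description and Impact sections above come down to one design point: a client must not honour remote-control commands merely because they arrive from its own server, since XEP-0146 rides on XEP-0050 ad-hoc commands that the server can inject. The following is an added example (not Gajim's code, and not the upstream fix) of the client-side policy a hardened implementation needs: recognise an inbound IQ carrying an `rc#` ad-hoc command, and reject it with a `forbidden` stanza error unless the user has explicitly opted in. The `remote_control_enabled` flag and the sample stanzas are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces from XEP-0050 (Ad-Hoc Commands); XEP-0146 defines its command
# nodes under the "rc#" prefix (set-status, forward, set-options, ...).
NS_COMMANDS = "http://jabber.org/protocol/commands"
RC_NODE_PREFIX = "http://jabber.org/protocol/rc#"
NS_STANZA_ERRORS = "urn:ietf:params:xml:ns:xmpp-stanzas"  # RFC 6120 error conditions

# Constructed sample stanzas (not captured traffic). The first is what a
# remote-control request looks like when it arrives from the server itself.
SAMPLE_RC_STANZA = (
    "<iq xmlns='jabber:client' type='set' id='rc1' "
    "from='example.org' to='user@example.org/Gajim'>"
    "<command xmlns='http://jabber.org/protocol/commands' "
    "node='http://jabber.org/protocol/rc#set-options' action='execute'/>"
    "</iq>"
)
SAMPLE_PING = (
    "<iq xmlns='jabber:client' type='get' id='p1'>"
    "<ping xmlns='urn:xmpp:ping'/></iq>"
)


def is_remote_control_command(stanza_xml: str) -> bool:
    """True if the stanza is an IQ 'set' carrying an XEP-0146 ad-hoc command."""
    root = ET.fromstring(stanza_xml)
    # ElementTree reports the tag with its namespace when one is declared.
    if root.tag not in ("iq", "{jabber:client}iq") or root.get("type") != "set":
        return False
    cmd = root.find(f"{{{NS_COMMANDS}}}command")
    if cmd is None:
        return False
    return (cmd.get("node") or "").startswith(RC_NODE_PREFIX)


def handle_inbound_iq(stanza_xml: str, remote_control_enabled: bool) -> str:
    """Policy decision for an inbound IQ.

    Returns 'ignore' for anything that is not a remote-control command,
    'process' when the user has opted in, and 'reject' otherwise.
    Note that checking the 'from' JID is not a substitute for the opt-in:
    the server delivers the stanza and can set any sender it likes.
    """
    if not is_remote_control_command(stanza_xml):
        return "ignore"
    return "process" if remote_control_enabled else "reject"


def build_reject_reply(stanza_xml: str) -> str:
    """Build the IQ error reply sent back when a command is rejected."""
    root = ET.fromstring(stanza_xml)
    reply = ET.Element("iq", {"type": "error", "id": root.get("id", "")})
    if root.get("from"):
        reply.set("to", root.get("from"))
    err = ET.SubElement(reply, "error", {"type": "auth"})
    ET.SubElement(err, f"{{{NS_STANZA_ERRORS}}}forbidden")
    return ET.tostring(reply, encoding="unicode")


if __name__ == "__main__":
    # Default-deny: with the feature disabled the remote-control request is refused.
    decision = handle_inbound_iq(SAMPLE_RC_STANZA, remote_control_enabled=False)
    print(decision)                                   # reject
    if decision == "reject":
        print(build_reject_reply(SAMPLE_RC_STANZA))   # IQ error with <forbidden/>
    print(handle_inbound_iq(SAMPLE_PING, remote_control_enabled=False))  # ignore
```

The decisive line is the default of `remote_control_enabled`: the advisory's whole point is that Gajim shipped with the feature effectively always on, so the check must be an explicit opt-in stored in client configuration, not a property of who the stanza claims to come from.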