Arch Linux Security Advisory ASA-201706-4
=========================================

Severity: High
Date    : 2017-06-05
CVE-ID  : CVE-2016-1037
Package : gajim
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-284

Summary
=======

The package gajim before version 0.16.8-1 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 0.16.8-1.

# pacman -Syu "gajim>=0.16.8-1"

The problem has been fixed upstream in version 0.16.8.

Workaround
==========

None.

Description
===========

Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote
Controlling Clients" extension. This can be abused by malicious XMPP servers
to, for example, extract plaintext from OTR encrypted sessions.

Impact
======

A malicious attacker can extract user session data by leveraging the XEP-0146
(remote controlling clients) feature of the XMPP protocol, which is enabled by
default.

References
==========

https://dev.gajim.org/gajim/gajim/issues/8378
https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
https://security.archlinux.org/CVE-2016-1037
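The resolution above is a single pacman command, but an administrator with many Arch hosts usually wants to know which of them still carry an affected gajim before and after rolling the upgrade out. The script below is an added example, not part of the advisory and not Arch or Gajim project code: it compares package versions in pacman's "pkgver-pkgrel" form against the fixed version 0.16.8-1 and classifies lines in `pacman -Q gajim` output. The inventory it reads (`SAMPLE_INVENTORY`) is constructed sample data, and the function names are this example's own. Epoch-prefixed versions ("1:...") are not handled, since gajim does not use one.

```shell
#!/bin/sh
# Added example: flag gajim installs older than the fixed 0.16.8-1 (ASA-201706-4).
FIXED_VERSION="0.16.8-1"

# Compare two dot-separated numeric strings (e.g. "0.16.7" vs "0.16.10").
# Prints -1, 0 or 1. Missing components count as 0, so "0.16" < "0.16.1".
cmp_dotted() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# Compare two pacman versions "pkgver-pkgrel": pkgver decides first,
# pkgrel only breaks ties. Prints -1, 0 or 1.
cmp_pkgversion() {
  c=$(cmp_dotted "${1%-*}" "${2%-*}")
  if [ "$c" -ne 0 ]; then printf '%s\n' "$c"; return 0; fi
  cmp_dotted "${1##*-}" "${2##*-}"
}

# True (exit 0) when the given version is below the fixed one.
is_vulnerable() {
  [ "$(cmp_pkgversion "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Classify one line in `pacman -Q gajim` format ("gajim 0.16.7-2").
# Exit status: 0 fixed, 1 vulnerable, 2 not a gajim entry.
check_pacman_line() {
  pkg=${1%% *}; ver=${1#* }
  if [ "$pkg" != gajim ]; then
    printf '%s\n' "skipped: not a gajim entry"
    return 2
  fi
  if is_vulnerable "$ver"; then
    printf '%s\n' "gajim $ver: VULNERABLE, upgrade to >= $FIXED_VERSION"
    return 1
  fi
  printf '%s\n' "gajim $ver: not affected"
  return 0
}

# Constructed sample inventory (not real system output): one host name
# followed by that host's `pacman -Q gajim` line.
SAMPLE_INVENTORY="host-a gajim 0.16.7-2
host-b gajim 0.16.8-1
host-c gajim 0.16.8-2"

printf '%s\n' "$SAMPLE_INVENTORY" | while read -r host line; do
  printf '%s: ' "$host"
  check_pacman_line "$line" || :
done
```

On a real host the inventory line would come from `pacman -Q gajim` itself; the numeric comparison matters because a plain string comparison would wrongly rank a future 0.16.10 below 0.16.8.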