[guardian-dev] Smack SSL MiTM Vuln and ChatSecure beta fix

Nathan of Guardian nathan at guardianproject.info
Tue Aug 5 16:59:58 EDT 2014


Thanks to Georg of Yaxim for his great work on this, both technically
and in coordinating with us.

https://op-co.de/CVE-2014-5075.html

"Smack is an Open Source XMPP (Jabber) client library for instant
messaging and presence written in Java. Smack prior to version 4.0.2 is
vulnerable to TLS Man-in-the-Middle attacks, as it fails to check if the
server certificate matches the hostname of the connection."

https://op-co.de/blog/posts/java_sslsocket_mitm/

Our fix for ChatSecure:Android
(https://github.com/guardianproject/ChatSecureAndroid/commit/3f150daded7461255b9d51bfc59ff91f8a77ed81)
is included in the new ChatSecure 13.2.0 beta out today, which is near
enough to stable that we recommend an upgrade:

https://guardianproject.info/2014/08/05/chatsecure-13-2-important-beta-update/

+n
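
The hostname check described in the quoted advisory, shown for a plain JSSE client as an added example; it is not code from Smack, ChatSecure, or the linked commit. The class name `VerifiedTlsUpgrade`, the `upgrade` helper and the command-line host and port are hypothetical, and the code assumes a Java 7 or later runtime with the default trust store.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example (hypothetical class): TLS upgrade that also checks the certificate's hostname. */
public final class VerifiedTlsUpgrade {

    /**
     * Wraps an already-connected socket in TLS, as a STARTTLS-style client does.
     * expectedHost must be the name the user asked for (for XMPP, the service
     * domain of the JID), not a name learned from DNS or from the server itself.
     */
    public static SSLSocket upgrade(Socket plain, String expectedHost, int port)
            throws IOException, NoSuchAlgorithmException {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, expectedHost, port, true);

        // A bare SSLSocket validates the chain against the trust store but never
        // compares the certificate's names with expectedHost. Selecting an endpoint
        // identification algorithm makes the handshake perform that comparison.
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);

        try {
            // Throws SSLHandshakeException on an untrusted chain or a name mismatch.
            tls.startHandshake();
        } catch (IOException e) {
            tls.close(); // never hand an unverified socket back to the caller
            throw e;
        }
        return tls;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];                // assumed: a server with a direct-TLS port
        int port = Integer.parseInt(args[1]); // assumed: that port, e.g. 443
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(host, port), 10_000);
        try (SSLSocket tls = upgrade(plain, host, port)) {
            System.out.println("verified peer: " + tls.getSession().getPeerPrincipal());
        }
    }
}
```

Removing the `setEndpointIdentificationAlgorithm` call leaves a handshake that still succeeds for any certificate the trust store accepts, whatever name it was issued for, which is the behaviour the advisory describes.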

