[guardian-dev] Smack SSL MiTM Vuln and ChatSecure beta fix

Tom Ritter tom at ritter.vg
Tue Aug 5 18:18:03 EDT 2014


I didn't see any mention of the security fix in the blog post, but it
is in the referenced APK?  Do you know when this bug was introduced or
which versions of ChatSecure were vulnerable?

-tom

On 5 August 2014 15:59, Nathan of Guardian <nathan at guardianproject.info> wrote:
>
> Thanks to Georg of Yaxim for his great work on this, both technically
> and in coordinating with us.
>
> https://op-co.de/CVE-2014-5075.html
>
> "Smack is an Open Source XMPP (Jabber) client library for instant
> messaging and presence written in Java. Smack prior to version 4.0.2 is
> vulnerable to TLS Man-in-the-Middle attacks, as it fails to check if the
> server certificate matches the hostname of the connection."
>
> https://op-co.de/blog/posts/java_sslsocket_mitm/
>
> Our fix for ChatSecure:Android
> (https://github.com/guardianproject/ChatSecureAndroid/commit/3f150daded7461255b9d51bfc59ff91f8a77ed81)
> is included in the new ChatSecure 13.2.0 beta out today, which is near
> enough to stable, that we recommend an upgrade:
>
> https://guardianproject.info/2014/08/05/chatsecure-13-2-important-beta-update/
>
> +n
>
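The check the quoted advisory describes as missing, shown as an added example (not code from Smack, ChatSecure or this thread): a plain Java `SSLSocket` validates the certificate chain but does not compare the certificate to the host name unless endpoint identification is switched on. It assumes Java 7 or later JSSE; the class and method names are illustrative, and the host and port are supplied on the command line.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HostnameCheckedSocket {

    // "Before": the chain is validated against the trust store, but nothing
    // ties the certificate to `host`, so a valid certificate issued for any
    // other name is accepted as well.
    static SSLSocket connectUnchecked(String host, int port) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    // "After": ask JSSE to match the certificate's subjectAltName / CN
    // against `host` as part of the handshake.
    static SSLSocket connectChecked(String host, int port) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        try {
            socket.startHandshake(); // SSLHandshakeException on a name mismatch
        } catch (Exception e) {
            socket.close();          // never hand back an unverified socket
            throw e;
        }
        return socket;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: HostnameCheckedSocket <host> <port>");
            return;
        }
        String host = args[0];
        try (SSLSocket socket = connectChecked(host, Integer.parseInt(args[1]))) {
            System.out.println("certificate matches " + host + ": "
                    + socket.getSession().getPeerPrincipal());
        }
    }
}
```

The name passed as `host` must be the one the user asked to reach, not a name learned from an unauthenticated lookup.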

