FreeBSD : telepathy-gabble -- TLS verification bypass (a3c2dee5-cdb9-11e2-b9ce-080027019be0)

medium Nessus Plugin ID 66815

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Simon McVittie reports:

This release fixes a man-in-the-middle attack.

If you use an unencrypted connection to a 'legacy Jabber' (pre-XMPP) server, this version of Gabble will not connect until you make one of these configuration changes:

- upgrade the server software to something that supports XMPP 1.0; or

- use an encrypted 'old SSL' connection, typically on port 5223 (old-ssl); or

- turn off 'Encryption required (TLS/SSL)' (require-encryption).

Solution

Update the affected package.

See Also

https://lists.freedesktop.org/archives/telepathy/2013-May/006449.html

http://www.nessus.org/u?85881a1e

Plugin Details

Severity: Medium

ID: 66815

File Name: freebsd_pkg_a3c2dee5cdb911e2b9ce080027019be0.nasl

Version: 1.7

Type: local

Published: 6/6/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:telepathy-gabble, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 6/5/2013

Vulnerability Publication Date: 5/27/2013

Reference Information

CVE: CVE-2013-1431