Package: profanity
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

Profanity is not built against libmesode[1]. Libmesode is a fork of libstrophe that allows validating the certificate chain. Upstream bug #280 provides more information[2]. Libmesode doesn't seem to be packaged yet in Debian.

If Profanity does not verify the XMPP server's certificate using Debian's store of known CA certificates, users' passwords, text messages and other sensitive information can be intercepted.

Best regards,
Wolfgang

[1] https://github.com/boothj5/libmesode
[2] https://github.com/boothj5/profanity/issues/280

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-grsec-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
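The report's concern is that the client accepts whatever certificate the XMPP server presents. The script below is an added example, not part of the bug report or of Profanity, libstrophe or libmesode: it performs the check a Debian user can do independently of the client, namely an XMPP STARTTLS handshake with `openssl s_client` that validates the server's chain against the system CA bundle (assumed at /etc/ssl/certs/ca-certificates.crt, which is where Debian installs it). The host name, port and the sample s_client output used to exercise the parser are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify an XMPP server's certificate chain against Debian's
# CA store the way a validating client would. The CA bundle path is the
# Debian default and an assumption for other systems.
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# chain_verified: read openssl s_client output on stdin and return 0 only if
# the chain was verified (s_client prints "Verify return code: 0 (ok)").
# Any other verify code (self-signed, unknown issuer, expired, ...) fails.
chain_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# check_xmpp_server HOST [PORT]: negotiate STARTTLS on the XMPP stream to
# HOST:PORT (default 5222) and report whether its chain validates.
#   -starttls xmpp        speak XMPP first, then upgrade to TLS
#   -xmpphost HOST        set the stream 'to' attribute (server picks its cert by it)
#   -CAfile               trust only the system CA bundle, as a validating client would
#   -verify_return_error  abort the handshake on a verification error
# An empty stdin makes s_client close the connection once the handshake is done.
check_xmpp_server() {
    host="$1"
    port="${2:-5222}"
    printf '' | openssl s_client -connect "$host:$port" -starttls xmpp \
        -xmpphost "$host" -CAfile "$CA_BUNDLE" -verify_return_error 2>&1 \
        | chain_verified
}

# Usage (hypothetical host): prints PASS only when the chain validates.
# if check_xmpp_server xmpp.example.org; then echo PASS; else echo FAIL; fi
```

Run it against the server you log in to; a FAIL means any client that skips chain validation (as the report describes) would connect without complaint to a server presenting that same untrusted certificate. The parser is a separate function so it can be exercised offline on saved s_client output.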