I didn't see any mention of the security fix in the blog post, but it is in the referenced APK? Do you know when this bug was introduced or which versions of ChatSecure were vulnerable?
-tom

On 5 August 2014 15:59, Nathan of Guardian <[email protected]> wrote:
>
> Thanks to Georg of Yaxim for his great work on this, both technically
> and in coordinating with us.
>
> https://op-co.de/CVE-2014-5075.html
>
> "Smack is an Open Source XMPP (Jabber) client library for instant
> messaging and presence written in Java. Smack prior to version 4.0.2 is
> vulnerable to TLS Man-in-the-Middle attacks, as it fails to check if the
> server certificate matches the hostname of the connection."
>
> https://op-co.de/blog/posts/java_sslsocket_mitm/
>
> Our fix for ChatSecure:Android
> (https://github.com/guardianproject/ChatSecureAndroid/commit/3f150daded7461255b9d51bfc59ff91f8a77ed81)
> is included in the new ChatSecure 13.2.0 beta out today, which is near
> enough to stable, that we recommend an upgrade:
>
> https://guardianproject.info/2014/08/05/chatsecure-13-2-important-beta-update/
>
> +n
>
> _______________________________________________
> Guardian-dev mailing list
>
> Post: [email protected]
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
> Send email to: [email protected]
> Or visit:
> https://lists.mayfirst.org/mailman/options/guardian-dev/tom%40ritter.vg
>
> You are subscribed as: [email protected]
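
The missing check described in the quoted advisory text, shown as an added Java example; it is not part of the original thread and is not the Smack or ChatSecure fix. It uses the standard JSSE `SSLParameters.setEndpointIdentificationAlgorithm` call; the class and method names are hypothetical, and `host` is assumed to be the name the user intended to reach.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HostnameCheckedTls {

    // Weak pattern: the certificate chain is validated against the trust
    // store, but nothing ties the certificate to `host`, so any certificate
    // from a trusted CA is accepted for any server.
    static SSLSocket wrapUnchecked(Socket plain, String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) f.createSocket(plain, host, port, true);
        tls.startHandshake();
        return tls;
    }

    // Corrected pattern: enable endpoint identification before the handshake.
    static SSLSocket wrapChecked(Socket plain, String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) f.createSocket(plain, host, port, true);
        requireHostnameCheck(tls);
        // Throws SSLHandshakeException if the certificate does not match `host`.
        tls.startHandshake();
        return tls;
    }

    // Ask the trust manager to match the certificate's names against the
    // peer host during the handshake (RFC 2818 style matching).
    static void requireHostnameCheck(SSLSocket tls) {
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);
    }

    // Offline demonstration on an unconnected socket: shows the setting
    // before and after hardening, without contacting any server.
    public static void main(String[] args) throws IOException {
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        System.out.println("default:  "
                + s.getSSLParameters().getEndpointIdentificationAlgorithm());
        requireHostnameCheck(s);
        System.out.println("hardened: "
                + s.getSSLParameters().getEndpointIdentificationAlgorithm());
        s.close();
    }
}
```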
