CVE-2019-16235, CVE-2019-16236, CVE-2019-16237

Bug #1866113 reported by Julian Andres Klode
Affects            Importance   Assigned to
dino-im (Ubuntu)   Undecided    Unassigned
Bionic             Undecided    Unassigned

Bug Description

A triplet of security issues.

Revision history for this message
Julian Andres Klode (juliank) wrote :

Compiled in autopkgtest, installed into lxd container, and tested with the test case for bug 1866115 - which this also includes.

The goal is to build in security, push to proposed to SRU verification, and then push to -security, as we need to get the IV acceptance change out fairly quickly so later dino versions can switch to sending 12-byte IVs w/o breaking compat with bionic users.

Afterwards I'll try to SRU dino 0.1.0 stable release as that includes a ton more (mostly) fixes.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :
Changed in dino-im (Ubuntu Bionic):
status: New → In Progress
Changed in dino-im (Ubuntu):
status: New → Fix Released
Revision history for this message
Julian Andres Klode (juliank) wrote :

I have installed dino-im from the PPA and tested:

- Group chat
- Catching up with history
- Verification for bug #1866115

Everything seems to work fine.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dino-im - 0.0.git20180130-1ubuntu0.1

---------------
dino-im (0.0.git20180130-1ubuntu0.1) bionic-security; urgency=high

  * Cherry pick upstream security fixes (LP: #1866113)
    - SECURITY UPDATE: Fix check of source of a carbons message (CVE-2019-16235)
    - SECURITY UPDATE: Check roster push authorization (CVE-2019-16236)
    - SECURITY UPDATE: Fix check of source of MAM message (CVE-2019-16237)
  * Accept IV sizes of 12 in addition to 16 to enable reading messages
    sent from clients using 12-byte IVs again (LP: #1866115)

 -- Julian Andres Klode <email address hidden> Wed, 04 Mar 2020 15:20:07 +0100

Changed in dino-im (Ubuntu Bionic):
status: In Progress → Fix Released
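The three CVEs in the changelog above are of one kind: acting on a stanza without checking which JID it came from. As an added example (not Dino's code), the following shows the sender checks the XMPP specifications require for carbons (XEP-0280), roster pushes (RFC 6121 section 2.1.6) and MAM results (XEP-0313), run over constructed sample stanzas with hypothetical JIDs.

```python
import xml.etree.ElementTree as ET

NS_CARBONS = "urn:xmpp:carbons:2"
NS_ROSTER = "jabber:iq:roster"
NS_MAM = "urn:xmpp:mam:2"

def bare(jid):
    """Strip the resource: 'alice@example.org/desktop' -> 'alice@example.org'."""
    return jid.split("/", 1)[0]

def carbon_is_trusted(msg, own_jid):
    """XEP-0280: the outer <message> of a carbon must be from= our own bare JID."""
    wrapped = any(msg.find(f"{{{NS_CARBONS}}}{t}") is not None for t in ("received", "sent"))
    src = msg.get("from")
    return wrapped and src is not None and bare(src) == bare(own_jid)

def roster_push_is_trusted(iq, own_jid):
    """RFC 6121 2.1.6: a roster push must have no from= (our account) or from= our own bare JID."""
    if iq.get("type") != "set" or iq.find(f"{{{NS_ROSTER}}}query") is None:
        return False
    src = iq.get("from")
    return src is None or src == bare(own_jid)

def mam_result_is_trusted(msg, own_jid, queried_archive, queryid):
    """XEP-0313: a <result> must come from the archive we queried and echo our queryid."""
    result = msg.find(f"{{{NS_MAM}}}result")
    if result is None or result.get("queryid") != queryid:
        return False
    expected = bare(queried_archive or own_jid)  # no archive given = our own account
    src = msg.get("from")
    return bare(src) == expected if src is not None else expected == bare(own_jid)
# Constructed sample stanzas with hypothetical JIDs; {src} is filled per test case.
ME = "alice@example.org/desktop"
CARBON = '<message xmlns="jabber:client" from="{src}" to="%s"><received xmlns="%s"><forwarded xmlns="urn:xmpp:forward:0"/></received></message>' % (ME, NS_CARBONS)
ROSTER = '<iq xmlns="jabber:client" type="set" id="r1"{src}><query xmlns="%s"><item jid="bob@example.org" subscription="both"/></query></iq>' % NS_ROSTER
MAM = '<message xmlns="jabber:client" from="{src}" to="%s"><result xmlns="%s" queryid="q1" id="m1"/></message>' % (ME, NS_MAM)

def check_samples():
    """Each check on a legitimate stanza and on one with a spoofed sender: True = accept."""
    return {
        "carbon_own": carbon_is_trusted(ET.fromstring(CARBON.format(src="alice@example.org")), ME),
        "carbon_spoof": carbon_is_trusted(ET.fromstring(CARBON.format(src="mallory@example.net")), ME),
        "roster_server": roster_push_is_trusted(ET.fromstring(ROSTER.format(src="")), ME),
        "roster_spoof": roster_push_is_trusted(ET.fromstring(ROSTER.format(src=' from="mallory@example.net"')), ME),
        "mam_own": mam_result_is_trusted(ET.fromstring(MAM.format(src="alice@example.org")), ME, None, "q1"),
        "mam_spoof": mam_result_is_trusted(ET.fromstring(MAM.format(src="mallory@example.net")), ME, None, "q1"),
    }

if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(name, "accept" if ok else "ignore")
```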