Headline
Debian Security Advisory 5379-1
Debian Linux Security Advisory 5379-1 - Kim Alvefur discovered that insufficient message sender validation in dino-im, a modern XMPP/Jabber client, may result in manipulation of entries in the personal bookmark store without user interaction via a specially crafted message. Additionally an attacker can take advantage of this flaw to change how group chats are displayed or force a user to join or leave an attacker-selected groupchat.
-------------------------------------------------------------------------
Debian Security Advisory DSA-5379-1                      [email protected]
https://www.debian.org/security/                     Salvatore Bonaccorso
March 27, 2023                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : dino-im
CVE ID         : CVE-2023-28686
Debian Bug     : 1033370

Kim Alvefur discovered that insufficient message sender validation in dino-im, a modern XMPP/Jabber client, may result in manipulation of entries in the personal bookmark store without user interaction via a specially crafted message. Additionally an attacker can take advantage of this flaw to change how group chats are displayed or force a user to join or leave an attacker-selected groupchat.

For the stable distribution (bullseye), this problem has been fixed in version 0.2.0-3+deb11u1.

We recommend that you upgrade your dino-im packages.

For the detailed security status of dino-im please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/dino-im

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: [email protected]
Related news
CVE-2023-28686: Insufficient message sender validation in Dino
Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.
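An added example (not part of the advisory or of Debian's tooling): an inventory check that applies the fixed versions quoted above. It compares bullseye package versions using dpkg's ordering rules instead of the upstream ranges, because the Debian fix keeps upstream version 0.2.0 and only changes the revision. The function names are assumptions made for this example.

```python
import re

# Version boundaries quoted from the advisory and CVE text on this page.
BULLSEYE_FIXED = "0.2.0-3+deb11u1"
UPSTREAM_FIXED = {(0, 3): (0, 3, 2), (0, 4): (0, 4, 2)}

def _order(ch):
    """dpkg character weight: '~' sorts lowest, letters before other symbols."""
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings the way dpkg does."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            x = _order(na[i]) if i < len(na) else 0
            y = _order(nb[i]) if i < len(nb) else 0
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_compare(v1, v2):
    """Return -1, 0 or 1 for Debian versions shaped [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream, rev) if sep else (rest, "")
    (e1, p1), (e2, p2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(p1[0], p2[0]) or _cmp_part(p1[1], p2[1])

def bullseye_package_vulnerable(pkg_version):
    """True when a bullseye dino-im package predates the DSA-5379-1 fix."""
    return deb_compare(pkg_version, BULLSEYE_FIXED) < 0

def upstream_vulnerable(version):
    """True when an upstream Dino release falls in the affected ranges."""
    v = tuple(int(x) for x in version.split("."))
    v += (0,) * (3 - len(v))
    if v < (0, 2, 3):
        return True
    fixed = UPSTREAM_FIXED.get(v[:2])
    return fixed is not None and v < fixed
```

A scanner that strips the Debian revision and tests only the upstream part would report the patched 0.2.0-3+deb11u1 package as affected, which is why the two checks are kept separate.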