-
jonas’
'tis time
-
jonas’
1) Roll Call
-
moparisthebest
o/
-
jonas’
do we get a Ge0rG and/or a larma?
-
Ge0rG
we have a Ge0rG
-
jonas’
alright, that's a quorum
-
jonas’
2) Agenda Bashing
-
jonas’
nothing apparently
-
jonas’
3) Editor's Update
-
jonas’
nada
-
jonas’
4) Items for Voting
-
jonas’
emptyset
-
jonas’
5) Pending Votes
-
jonas’
Ge0rG ... :)
-
Ge0rG
Yeah, tis me.
-
jonas’
Ge0rG, you are pending on https://github.com/xsf/xeps/pull/1163, removal of GC 1.0 mentions from '45
-
Ge0rG
It looks like the 0045 editorial f'up has been cleaned up, so I'm +1 on #1163
-
jonas’
(expiring this week)
-
jonas’
excellent
-
jonas’
you are also pending on https://xmpp.org/extensions/inbox/muc-affiliations-versioning.html
-
Ge0rG
muc-affiliations-versioning looks good enough for experimental, but I'd rename "since" to "after" to make it less confusable with timestamps
-
jonas’
please raise that feedback on the mailing list
-
Ge0rG
also the namespace attribute debate. I'd prefer a sub-element of the <x/>
-
jonas’
next up: https://github.com/xsf/xeps/pull/1168
-
jonas’
Ge0rG, that was a +1, wasn't it?
-
Ge0rG
jonas’: +1 to muc-affiliations-versioning
-
jonas’
ack
-
Ge0rG
is there a CVE for 0115?
-
Ge0rG
do we even do CVEs for protocol vulnerabilities?
-
jonas’
I don't think that CVEs apply to protocols
-
moparisthebest
there's been 1 that I know of for a library (mellium)
-
jonas’
that would be more like CWEs
-
moparisthebest
I can't get a response out of gajim or pidgin devs so I'm going to try to create CVEs for them I guess...
-
Ge0rG
+1
-
jonas’
+1 to allocating CVEs or +1 to #1168?
-
moparisthebest
they've acknowledged it in MUCs and are trivially vulnerable to undetectable MITM, but no idea on when a fix might arise if ever
-
Ge0rG
+1 to #1168
-
jonas’
ack
-
jonas’
then we've got https://github.com/xsf/xeps/pull/1158 for you, Ge0rG
-
jonas’
(Remove _xmppconnect DNS method from XEP-0156 and add warnings)
-
Ge0rG
+1
-
moparisthebest
(oops I was talking about 1158 anyway...)
-
jonas’
Ge0rG, and finally, https://github.com/xsf/xeps/pull/1159
-
Ge0rG
+1
-
jonas’
ack
-
jonas’
6) Date of Next
-
jonas’
+1w wfm
-
jonas’
Ge0rG, moparisthebest?
-
moparisthebest
+1w wfm
-
Ge0rG
+1W WFM
-
jonas’
excellent
-
jonas’
7) AOB
-
moparisthebest
none here
-
jonas’
I still have the open AOB about A/V council meetings, but I'd like to postpone that until we have full house.
-
jonas’
any other AOB?
-
jonas’
taking the silence as a no
-
jonas’
8) Ite Meeting Est
-
jonas’
thanks all
-
moparisthebest
thanks jonas’ !
-
Ge0rG
thanks jonas’
-
Ge0rG
even if it felt like a criminal interrogation of me only :)
-
jonas’
:D
-
jonas’
I take that as a compliment
-
Ge0rG
Yes, inspector jonas’
-
moparisthebest
haha yes rather rough meeting for Ge0rG :P
-
jonas’
… and do not bring us into temptation …
-
moparisthebest
as a related aside, do you all have experience creating CVEs and know what to put in various boxes like "vendor" etc ?
-
Ge0rG
I've pulled a bunch of those numbers over the years, and it was a different process each time
-
Ge0rG
IIRC there wasn't even anything formal the last times
-
Sam
Vendor is just whoever makes it (I forget the specific problem you were having the other day though, so apologies if I'm restating this); if it's an XEP, it would be the XSF. If it's something else, look up the company or use the name of the project. It might help to look up other CVEs for the same thing and see what's listed
-
jonas’
Ge0rG, moparisthebest, the last CVE I pulled (in January) worked via a webform with mitre again
-
moparisthebest
I got stuck on https://cveform.mitre.org/ "vendor" it has a link to a list of vendors that is broken...
-
moparisthebest
so is vendor "gajim" or "ubuntu, debian, redhat, etc etc" ?
-
jonas’
I think I put in "Prosody" (in January)
-
jonas’
and that was ok
-
jonas’
or did I
-
moparisthebest
I guess I can try that and they can just reject it
-
jonas’
actually it was eventually assigned by distros@, I'm not sure
-
Sam
They won't reject it for a minor problem with the vendor. It's just informational stuff, this part doesn't even really matter. Just put the name of whoever makes the thing.
-
Sam
The vendor would be Gajim, not every possible distro that repackages it if Gajim is the software the vulnerability is in.
-
moparisthebest
I'll give it another shot thank you all :)
-
moparisthebest
> An attacker who can spoof DNS responses can MITM connections to XMPP servers undetectable because the target domain was validated for the wrong domain name in the certificate.
-
moparisthebest
can anyone help on this language? it doesn't sound quite right...
-
moparisthebest
for the suggested CVE text
-
moparisthebest
obviously undetectably*
-
jonas’
s/MITM/intercept/?
-
jonas’
moparisthebest, CWE things are typically a handy reference for this
-
Ge0rG
> An attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content.
-
moparisthebest
so much better, thanks very much Ge0rG
-
Ge0rG
moparisthebest: you're welcome. Years of writing vulnerability reports finally pay off! :D
-
Sam
Mine probably isn't detailed enough, and yours sounds fine to me, but feel free to steal from it: https://nvd.nist.gov/vuln/detail/CVE-2022-24968
-
Ge0rG
Sam: fine and concise
-
moparisthebest
submitted
-
moparisthebest
oof I probably should have put a link to that CVE in references...
-
Sam
You can update it whenever, doesn't need to be perfect on first submission
-
moparisthebest
ah and yours is specific to WebSocket while gajim (depending on version) and libpurple (always) use BOSH
-
Sam
Yah, transport doesn't matter though; it's the same issue.
-
Sam
more or less.
-
moparisthebest
yep, and it lets an attacker mitm *any* connection attempt even if your server doesn't support xep-156 or websocket or bosh
-
moparisthebest
actually with a small change my xmpp-proxy will let you do this kind of MITM easily...