XMPP Council - 2022-03-02

  1. pep. has left

  2. larma has joined

  3. neox has left

  4. SouL has joined

  5. larma has left

  6. larma has joined

  7. SouL has left

  8. marc0s has left

  9. marc0s has joined

  10. Tobias has joined

  11. marc0s has left

  12. marc0s has joined

  13. SouL has joined

  14. marc0s has left

  15. marc0s has joined

  16. msavoritias has joined

  17. menel has joined

  18. Ingolf has joined

  19. neox has joined

  20. neox has left

  21. debacle has joined

  22. neox has joined

  23. neox has left

  24. neox has joined

  25. debacle has left

  26. Wojtek has joined

  27. marc0s has left

  28. marc0s has joined

  29. Kev has joined

  30. Wojtek has left

  31. Wojtek has joined

  32. marc0s has left

  33. marc0s has joined

  34. pep. has joined

  35. marc0s has left

  36. marc0s has joined

  37. daniel has left

  38. daniel has joined

  39. Wojtek has left

  40. Wojtek has joined

  41. Wojtek has left

  42. larma has left

  43. larma has joined

  44. me9 has joined

  45. larma has left

  46. Ingolf has left

  47. Ingolf has joined

  48. pep. has left

  49. Ingolf has left

  50. jonas’

    'tis time

  51. jonas’

    1) Roll Call

  52. moparisthebest


  53. jonas’

    do we get a Ge0rG and/or a larma?

  54. Ge0rG

    we have a Ge0rG

  55. jonas’

    alright, that's a quorum

  56. jonas’

    2) Agenda Bashing

  57. jonas’

    nothing apparently

  58. jonas’

    3) Editor's Update

  59. jonas’


  60. jonas’

    4) Items for Voting

  61. jonas’


  62. jonas’

    5) Pending Votes

  63. jonas’

    Ge0rG ... :)

  64. Ge0rG

    Yeah, tis me.

  65. jonas’

    Ge0rG, you are pending on https://github.com/xsf/xeps/pull/1163, removal of GC 1.0 mentions from '45

  66. Ge0rG

    It looks like the 0045 editorial f'up has been cleaned up, so I'm +1 on #1163

  67. jonas’

    (expiring this week)

  68. jonas’


  69. jonas’

    you are also pending on https://xmpp.org/extensions/inbox/muc-affiliations-versioning.html

  70. Ge0rG

    muc-affiliations-versioning looks good enough for experimental, but I'd rename "since" to "after" to make it less confusable with timestamps

  71. jonas’

    please raise that feedback on the mailing list

  72. Ge0rG

    also the namespace attribute debate. I'd prefer a sub-element of the <x/>

  73. jonas’

    next up: https://github.com/xsf/xeps/pull/1168

  74. jonas’

    Ge0rG, that was a +1, wasn't it?

  75. Ge0rG

    jonas’: +1 to muc-affiliations-versioning

  76. jonas’


  77. Ge0rG

    is there a CVE for 0115?

  78. Ge0rG

    do we even do CVEs for protocol vulnerabilities?

  79. jonas’

    I don't think that CVEs apply to protocols

  80. moparisthebest

    there's been 1 that I know of for a library (mellium)

  81. jonas’

    that would be more like CWEs

  82. moparisthebest

    I can't get a response out of gajim or pidgin devs so I'm going to try to create CVEs for them I guess...

  83. Ge0rG


  84. daniel has left

  85. jonas’

    +1 to allocating CVEs or +1 to #1168?

  86. moparisthebest

    they've acknowledged it in MUCs and are trivially vulnerable to undetectable MITM, but no idea on when a fix might arise if ever

  87. Ge0rG

    +1 to #1168

  88. jonas’


  89. jonas’

    then we've got https://github.com/xsf/xeps/pull/1158 for you, Ge0rG

  90. jonas’

    (Remove _xmppconnect DNS method from XEP-0156 and add warnings)

  91. Ge0rG


  92. moparisthebest

    (oops I was talking about 1158 anyway...)

  93. jonas’

    Ge0rG, and finally, https://github.com/xsf/xeps/pull/1159

  94. Ge0rG


  95. jonas’


  96. jonas’

    6) Date of Next

  97. larma has joined

  98. jonas’

    +1w wfm

  99. jonas’

    Ge0rG, moparisthebest?

  100. moparisthebest

    +1w wfm

  101. Ge0rG

    +1W WFM

  102. jonas’


  103. jonas’

    7) AOB

  104. moparisthebest

    none here

  105. jonas’

    I still have the open AOB about A/V council meetings, but I'd like to postpone that until we have full house.

  106. jonas’

    any other AOB?

  107. jonas’

    taking the silence as a no

  108. jonas’

    8) Ite Meeting Est

  109. jonas’

    thanks all

  110. moparisthebest

    thanks jonas’ !

  111. Ge0rG

    thanks jonas’

  112. Ge0rG

    even if it felt like a criminal interrogation of me only :)

  113. jonas’


  114. jonas’

    I take that as a compilment

  115. jonas’

    I take that as a compliment

  116. Ge0rG

    Yes, inspector jonas’

  117. moparisthebest

    haha yes rather rough meeting for Ge0rG :P

  118. jonas’

    … and do not bring us into temptation …

  119. moparisthebest

    as a related aside, do you all have experience creating CVEs and know what to put in various boxes like "vendor" etc ?

  120. Ge0rG

    I've pulled a bunch of those numbers over the years, and it was a different process each time

  121. Ge0rG

    IIRC there wasn't even anything formal the last times

  122. Sam

    Vendor is just whomever makes it (I forget the specific problem you were having the other day though, so apologies if I'm restating this); if it's an XEP, it would be the XSF. If it's something else, look up the company or use the name of the project. It might help to look up other CVEs for the same thing and see what's listed

  123. marc0s has left

  124. jonas’

    Ge0rG, moparisthebest, the last CVE I pulled (in january) worked via a webform with mitre again

  125. marc0s has joined

  126. moparisthebest

    I got stuck on https://cveform.mitre.org/ "vendor" it has a link to a list of vendors that is broken...

  127. marc0s has left

  128. marc0s has joined

  129. marc0s has left

  130. moparisthebest

    so is vendor "gajim" or "ubuntu, debian, redhat, etc etc" ?

  131. marc0s has joined

  132. me9 has left

  133. jonas’

    I think I put in "Prosody" (in january)

  134. jonas’

    and that was ok

  135. jonas’

    or did I

  136. moparisthebest

    I guess I can try that and they can just reject it

  137. jonas’

    actually it was eventually assigned by distros@, I'm not sure

  138. Sam

    They won't reject it for a minor problem with the vendor. It's just informational stuff, this part doesn't even really matter. Just put the name of whomever makes the thing.

  139. Sam

    The vendor would be Gajim, not every possible distro that repackages it if Gajim is the software the vulnerability is in.

  140. moparisthebest

    I'll give it another shot thank you all :)

  141. daniel has joined

  142. moparisthebest

    > An attacker who can spoof DNS responses can MITM connections to XMPP servers undetectable because the target domain was validated for the wrong domain name in the certificate.

  143. moparisthebest

    can anyone help on this language? it doesn't sound quite right...

  144. moparisthebest

    for the suggested CVE text

  145. moparisthebest

    obviously undetectably*

  146. jonas’


  147. jonas’

    moparisthebest, CWE things are typically a handy reference for this

  148. Ge0rG

    > An attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain.

  149. Ge0rG

    > An attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content.

  150. moparisthebest

    so much better, thanks very much Ge0rG

  151. Ge0rG

    moparisthebest: you're welcome. Years of writing vulnerability reports finally pay off! :D

  152. Sam

    Mine probably isn't detailed enough, and yours sounds fine to me, but feel free to steal from it: https://nvd.nist.gov/vuln/detail/CVE-2022-24968

  153. Ge0rG

    Sam: fine and concise

  154. moparisthebest


  155. moparisthebest

    oof I probably should have put a link to that CVE in references...

  156. Sam

    You can update it whenever, doesn't need to be perfect on first submission

  157. moparisthebest

    ah and yours is specific to WebSocket while gajim (depending on version) and libpurple (always) uses BOSH

  158. Sam

    Yah, transport doesn't matter though; it's the same issue.

  159. Sam

    more or less.

  160. moparisthebest

    yep, and it lets an attacker mitm *any* connection attempt even if your server doesn't support xep-156 or websocket or bosh

  161. moparisthebest

    actually with a small change my xmpp-proxy will let you do this kind of MITM easily...

  162. debacle has joined

  163. stpeter has joined

  164. kusoneko has left

  165. kusoneko has joined

  166. menel has left

  167. menel has joined

  168. stpeter has left

  169. pep. has joined

  170. Wojtek has joined

  171. me9 has joined

  172. marc0s has left

  173. marc0s has joined

  174. marc0s has left

  175. marc0s has joined

  176. marc0s has left

  177. marc0s has joined

  178. daniel has left

  179. daniel has joined

  180. me9 has left

  181. marc0s has left

  182. marc0s has joined

  183. Wojtek has left

  184. msavoritias has left

  185. Tobias has left

  186. menel has left

  187. SouL has left

  188. marc0s has left

  189. marc0s has joined

  190. SouL has joined