XMPP Council - 2022-03-02


  50. jonas’ 'tis time
  51. jonas’ 1) Roll Call
  52. moparisthebest o/
  53. jonas’ do we get a Ge0rG and/or a larma?
  54. Ge0rG we have a Ge0rG
  55. jonas’ alright, that's a quorum
  56. jonas’ 2) Agenda Bashing
  57. jonas’ nothing apparently
  58. jonas’ 3) Editor's Update
  59. jonas’ nada
  60. jonas’ 4) Items for Voting
  61. jonas’ emptyset
  62. jonas’ 5) Pending Votes
  63. jonas’ Ge0rG ... :)
  64. Ge0rG Yeah, 'tis me.
  65. jonas’ Ge0rG, you are pending on https://github.com/xsf/xeps/pull/1163, removal of GC 1.0 mentions from '45
  66. Ge0rG It looks like the 0045 editorial f'up has been cleaned up, so I'm +1 on #1163
  67. jonas’ (expiring this week)
  68. jonas’ excellent
  69. jonas’ you are also pending on https://xmpp.org/extensions/inbox/muc-affiliations-versioning.html
  70. Ge0rG muc-affiliations-versioning looks good enough for experimental, but I'd rename "since" to "after" to make it less confusable with timestamps
  71. jonas’ please raise that feedback on the mailing list
  72. Ge0rG also the namespace attribute debate. I'd prefer a sub-element of the <x/>
  73. jonas’ next up: https://github.com/xsf/xeps/pull/1168
  74. jonas’ Ge0rG, that was a +1, wasn't it?
  75. Ge0rG jonas’: +1 to muc-affiliations-versioning
  76. jonas’ ack
  77. Ge0rG is there a CVE for 0115?
  78. Ge0rG do we even do CVEs for protocol vulnerabilities?
  79. jonas’ I don't think that CVEs apply to protocols
  80. moparisthebest there's been 1 that I know of for a library (mellium)
  81. jonas’ that would be more like CWEs
  82. moparisthebest I can't get a response out of gajim or pidgin devs so I'm going to try to create CVEs for them I guess...
  83. Ge0rG +1
  85. jonas’ +1 to allocating CVEs or +1 to #1168?
  86. moparisthebest they've acknowledged it in MUCs and are trivially vulnerable to undetectable MITM, but no idea on when a fix might arise if ever
  87. Ge0rG +1 to #1168
  88. jonas’ ack
  89. jonas’ then we've got https://github.com/xsf/xeps/pull/1158 for you, Ge0rG
  90. jonas’ (Remove _xmppconnect DNS method from XEP-0156 and add warnings)
  91. Ge0rG +1
  92. moparisthebest (oops I was talking about 1158 anyway...)
  93. jonas’ Ge0rG, and finally, https://github.com/xsf/xeps/pull/1159
  94. Ge0rG +1
  95. jonas’ ack
  96. jonas’ 6) Date of Next
  98. jonas’ +1w wfm
  99. jonas’ Ge0rG, moparisthebest?
  100. moparisthebest +1w wfm
  101. Ge0rG +1W WFM
  102. jonas’ excellent
  103. jonas’ 7) AOB
  104. moparisthebest none here
  105. jonas’ I still have the open AOB about A/V council meetings, but I'd like to postpone that until we have full house.
  106. jonas’ any other AOB?
  107. jonas’ taking the silence as a no
  108. jonas’ 8) Ite Meeting Est
  109. jonas’ thanks all
  110. moparisthebest thanks jonas’ !
  111. Ge0rG thanks jonas’
  112. Ge0rG even if it felt like a criminal interrogation of me only :)
  113. jonas’ :D
  114. jonas’ I take that as a compliment
  116. Ge0rG Yes, inspector jonas’
  117. moparisthebest haha yes rather rough meeting for Ge0rG :P
  118. jonas’ … and do not bring us into temptation …
  119. moparisthebest as a related aside, do you all have experience creating CVEs and know what to put in various boxes like "vendor" etc ?
  120. Ge0rG I've pulled a bunch of those numbers over the years, and it was a different process each time
  121. Ge0rG IIRC there wasn't even anything formal the last times
  122. Sam Vendor is just whoever makes it (I forget the specific problem you were having the other day though, so apologies if I'm restating this); if it's an XEP, it would be the XSF. If it's something else, look up the company or use the name of the project. It might help to look up other CVEs for the same thing and see what's listed
  124. jonas’ Ge0rG, moparisthebest, the last CVE I pulled (in january) worked via a webform with mitre again
  126. moparisthebest I got stuck on https://cveform.mitre.org/ "vendor" it has a link to a list of vendors that is broken...
  130. moparisthebest so is vendor "gajim" or "ubuntu, debian, redhat, etc etc" ?
  133. jonas’ I think I put in "Prosody" (in january)
  134. jonas’ and that was ok
  135. jonas’ or did I
  136. moparisthebest I guess I can try that and they can just reject it
  137. jonas’ actually it was eventually assigned by distros@, I'm not sure
  138. Sam They won't reject it for a minor problem with the vendor. It's just informational stuff, this part doesn't even really matter. Just put the name of whoever makes the thing.
  139. Sam The vendor would be Gajim, not every possible distro that repackages it if Gajim is the software the vulnerability is in.
  140. moparisthebest I'll give it another shot thank you all :)
  142. moparisthebest > An attacker who can spoof DNS responses can MITM connections to XMPP servers undetectably because the target domain was validated for the wrong domain name in the certificate.
  143. moparisthebest can anyone help on this language? it doesn't sound quite right...
  144. moparisthebest for the suggested CVE text
  146. jonas’ s/MITM/intercept/?
  147. jonas’ moparisthebest, CWE things are typically a handy reference for this
  148. Ge0rG > An attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain.
  149. Ge0rG > An attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content.
  150. moparisthebest so much better, thanks very much Ge0rG
  151. Ge0rG moparisthebest: you're welcome. Years of writing vulnerability reports finally pay off! :D
  152. Sam Mine probably isn't detailed enough, and yours sounds fine to me, but feel free to steal from it: https://nvd.nist.gov/vuln/detail/CVE-2022-24968
  153. Ge0rG Sam: fine and concise
  154. moparisthebest submitted
  155. moparisthebest oof I probably should have put a link to that CVE in references...
  156. Sam You can update it whenever, doesn't need to be perfect on first submission
  157. moparisthebest ah and yours is specific to WebSocket while gajim (depending on version) and libpurple (always) use BOSH
  158. Sam Yah, transport doesn't matter though; it's the same issue.
  159. Sam more or less.
  160. moparisthebest yep, and it lets an attacker mitm *any* connection attempt even if your server doesn't support xep-156 or websocket or bosh
  161. moparisthebest actually with a small change my xmpp-proxy will let you do this kind of MITM easily...