slixmpp: Insufficient Certificate Validation — GLSA 202305-07

A vulnerability has been discovered in slixmpp which can result in successful man-in-the-middle attacks.

Affected packages

Package 	dev-python/slixmpp on all architectures
Affected versions 	< 1.8.3
Unaffected versions 	>= 1.8.3

Background

slixmpp is a Python 3 library for XMPP.

Description

slixmpp does not validate hostnames in certificates used by connected servers.

Impact

An attacker could perform a man-in-the-middle attack on users' connections to servers with slixmpp.

Workaround

There is no known workaround at this time.

Resolution

All slixmpp users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --upgrade --verbose ">=dev-python/slixmpp-1.8.3"
 

References

    CVE-2022-45197