Tero Marttila

**Name of the Vulnerable Software and Affected Versions** faye-websocket versions prior to 0.11.0 **Description** The issue is related to a lack of certificate validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start tls` method, which does not implement certificate verification by default. This means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, as it does not confirm the identity of the server it is connected to. The library has been updated to enable TLS verification by default, and two new options have been added to the `Faye::WebSocket::Client` constructor: `tls.root cert file` and `tls.verify peer`. These options allow users to provide a different set of root certificates and turn verification off entirely, respectively. **Recommendations** To resolve the issue, upgrade faye-websocket to version 0.11.0. If you need to use a different set of root certificates, use the `:root cert file` option when creating a new `Faye::WebSocket::Client` instance. If you need to turn verification off entirely, use the `:verify peer` option, but this should be a last resort.

**Name of the Vulnerable Software and Affected Versions** Faye versions prior to 1.4.0 **Description** The issue is related to a lack of certification validation in TLS handshakes. Faye uses em-http-request and faye-websocket, which rely on the `EM::Connection#start tls` method in EventMachine. This method does not implement certificate verification by default, making any `https:` or `wss:` connection vulnerable to a man-in-the-middle attack. The first request a Faye client makes is sent via normal HTTP, but later messages may be sent via WebSocket, making it vulnerable to the same problem. This issue is fixed in Faye v1.4.0, which enables verification by default. **Recommendations** For versions prior to 1.4.0, update to Faye v1.4.0 to enable verification by default. As a temporary workaround, consider configuring the `tls` option to verify peers, for example, in Ruby: `client = Faye::Client.new('https://example.com/', tls: { verify peer: true })` or in Node.js: `var client = new faye.Client('https://example.com/', { tls: { ca: fs.readFileSync('path/to/certificate.pem') } });`. If you need to talk to servers whose certificates are not recognised by your default root certificates, add its certificate to your system's root set.

**Name of the Vulnerable Software and Affected Versions** smokeping versions prior to 2.6.8-2+deb7u1 in wheezy smokeping versions prior to 2.6.9-1+deb8u1 in jessie **Description** The issue arises from the Debian build procedure for the smokeping package, which does not properly configure how Apache httpd passes arguments to smokeping cgi. This allows remote attackers to execute arbitrary code via crafted CGI arguments. **Recommendations** For smokeping versions prior to 2.6.8-2+deb7u1 in wheezy, update to version 2.6.8-2+deb7u1 or later. For smokeping versions prior to 2.6.9-1+deb8u1 in jessie, update to version 2.6.9-1+deb8u1 or later.

**Name of the Vulnerable Software and Affected Versions** BitlBee versions prior to 1.2.3 **Description** The issue is related to inconsistent handling of the USTATUS IDENTIFIED state, allowing remote attackers to overwrite and hijack existing accounts via unknown vectors. **Recommendations** For versions prior to 1.2.3, update to version 1.2.3 or later to resolve the issue.