Subject: Re: Open Src Instant Messenger Server
To: Steven M. Bellovin <smb@research.att.com>
From: Greg Troxel <gdt@ir.bbn.com>
List: netbsd-users
Date: 01/15/2003 11:00:20
The pkgsrc version does SSL.

And, communications from your server to other servers are not
encrypted, and the other client might not be.
There is some sort of support for gpg (that I have not played with
enough yet) that should do end-end encryption of messages.

Gabber leaks presence to update.jabber.org.  See my pending
bugtraq/vulnwatch post.  I reported this to security-alert, so I
expect that in a day or so audit-packages will flag it.
But for the impatient:

Index: distinfo
===================================================================
RCS file: /NETBSD-CVS/pkgsrc/chat/gabber/distinfo,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 distinfo
--- distinfo	10 Jul 2002 14:16:06 -0000	1.1.1.1
+++ distinfo	7 Jan 2003 18:06:17 -0000
@@ -5,3 +5,4 @@
 SHA1 (patch-aa) = 89bdd406d61d45016ca0a84364eff25e70a707b6
 SHA1 (patch-ab) = 7e45af755011b298295375a8466358cdf2d90dd6
 SHA1 (patch-ac) = bdc8c9539ccc4f44ecd0d5f303c761c9923cb998
+SHA1 (patch-ad) = aba718cde11cee0052f2aec300e56eacb5880b59
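Review bot: the diff registers patch-ad in distinfo but touches no other package file, so nothing here changes the package version. A gabber built with this patch would be indistinguishable by name and version from one built without it, and a version-based check cannot tell a fixed install from a leaking one. Suggest bumping the package revision in the same change so the patched build is identifiable.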
Index: patches/patch-ad
===================================================================
RCS file: patches/patch-ad
diff -N patches/patch-ad
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-ad	7 Jan 2003 18:06:17 -0000
@@ -0,0 +1,18 @@
+$NetBSD$
+
+--- src/GabberWin.cc.orig	Sun Feb 10 01:08:09 2002
++++ src/GabberWin.cc
+@@ -415,11 +415,13 @@ void GabberWin::on_session_connected(con
+      if (WelcomeDruid::isRunning())
+ 	 	WelcomeDruid::Connected();
+ 
++#if WANT_PRIVACY_LEAK
+      // Send out autoupdate request
+      string autoupdateJID = "956878967";             // Gabber's clientID on jabbercentral
+      autoupdateJID += "@update.jabber.org/";         // the only place to grab updates right now
+      autoupdateJID += ConfigManager::get_VERSION();  // Gabber's version
+      G_App->getSession() << Presence(autoupdateJID, Presence::ptAvailable);
++#endif
+ 
+      // Grab the Show, Status, and Priority for presence
+      _curShow = indexShow(G_App->getCfg().get_show());
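Review bot: at the `#if WANT_PRIVACY_LEAK` line, the guard disables the autoupdate presence only because the macro happens to be undefined, and neither patch-ad nor the guarded code says that this is deliberate. Suggest a short description under the `$NetBSD$` line stating that the presence sent to update.jabber.org is disabled on purpose, plus a one-line comment beside the guard, so a later update of the package does not drop the patch or define the macro without noticing what it re-enables. If the upstream autoupdate feature is meant to remain available, a run-time preference that defaults to off would be easier to audit than a compile-time define.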