mirror of https://github.com/moparisthebest/xeps synced 2024-11-21 16:55:07 -05:00

Merge branch 'xep-0115' into premerge

This commit is contained in:
Jonas Schäfer 2022-03-08 20:51:26 +01:00
commit 7bc0785663


@ -34,6 +34,12 @@
<email>jajcus@jajcus.net</email> <email>jajcus@jajcus.net</email>
<jid>jajcus@jabber.bnet.pl</jid> <jid>jajcus@jabber.bnet.pl</jid>
</author> </author>
<revision>
<version>1.6.0</version>
<date>2022-03-08</date>
<initials>ssw</initials>
<remark><p>Mention preimage attacks explicitly</p></remark>
</revision>
<revision> <revision>
<version>1.5.2</version> <version>1.5.2</version>
<date>2020-05-05</date> <date>2020-05-05</date>
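Review bot: The new 1.6.0 revision remark "Mention preimage attacks explicitly" is too terse to tell a reader which section changed or why a minor version bump (rather than a patch bump after 1.5.2) was warranted; consider something like "Note in the Caps Poisoning security considerations that the verification string method is vulnerable to a trivial preimage attack, with a reference to the security list post", so the revision history matches the substance of the change in the later hunk. Placing the entry above 1.5.2 is correct for this file's newest-first revision ordering.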
@ -602,7 +608,7 @@
&ltwarning; &ltwarning;
</section2> </section2>
<section2 topic='Caps Poisoning' anchor='security-poisoning'> <section2 topic='Caps Poisoning' anchor='security-poisoning'>
<p>Adherence to the method defined in the <link url='#ver'>Verification String</link> section of this document for both generation and processing of the 'ver' attribute helps to guard against poisoning of entity capabilities information by malicious or improperly implemented entities.</p> <p>Adherence to the method defined in the <link url='#ver'>Verification String</link> section of this document for processing of the 'ver' attribute is known to be vulnerable to certain cache poisoning attacks that can not be fixed in a backwards compatible manner <note><link url="https://mail.jabber.org/pipermail/security/2009-July/000812.html">[Security] Trivial preimage attack against the entity capabilities protocol</link>.</note>.</p>
<p>If the value of the 'ver' attribute is a verification string as defined herein (i.e., if the 'ver' attribute is not generated according to the <link url='#legacy'>Legacy Format</link>), inclusion of the 'hash' attribute is REQUIRED. Knowing explicitly that the value of the 'ver' attribute is a verification string enables the recipient to avoid spurious notification of invalid or poisoned hashes.</p> <p>If the value of the 'ver' attribute is a verification string as defined herein (i.e., if the 'ver' attribute is not generated according to the <link url='#legacy'>Legacy Format</link>), inclusion of the 'hash' attribute is REQUIRED. Knowing explicitly that the value of the 'ver' attribute is a verification string enables the recipient to avoid spurious notification of invalid or poisoned hashes.</p>
</section2> </section2>
<section2 topic='Information Exposure' anchor='security-exposure'> <section2 topic='Information Exposure' anchor='security-exposure'>
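Review bot: The replacement sentence says "Adherence to the method ... is known to be vulnerable", but it is the verification method, not adherence to it, that is vulnerable, and the body text never actually names the preimage attack that the revision remark and the linked post title refer to; suggest rewording along the lines of "The method defined in the Verification String section for generating and processing the 'ver' attribute is known to be vulnerable to cache poisoning via a trivial preimage attack on the verification string, which cannot be fixed in a backwards-compatible manner", followed by the note. Two smaller points in the same hunk: "can not" should be "cannot", and the added `<link url="...">` uses double quotes where every other `<link url='...'>` in this file uses single quotes. Since the paragraph now states a weakness with no compatible fix, it would help implementers if the section also said what they should do about it (at minimum, that a matching 'ver' value should not be treated as authoritative), otherwise the unchanged next paragraph about the REQUIRED 'hash' attribute reads as if that were sufficient.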