diff --git a/xep-0223.xml b/xep-0223.xml index 826f3558..25104e5f 100644 --- a/xep-0223.xml +++ b/xep-0223.xml @@ -25,6 +25,12 @@ N/A &stpeter; + + 1.1.1 + 2023-03-23 + ka +

Add notes about checking event origin (in reaction to CVE-2023-28686).

+
1.1 2018-03-28 @@ -245,6 +251,7 @@

Since private data is to be stored in a mechanism originally intended to publish data, it is REQUIRED for entities to ensure that the restrictive <publish-options/> will actually be honored by the server by performing the feature discovery procedure as specified in Determining Support. If an entity using that procedure finds that the server does not support <publish-options/>, it MUST NOT store private data in PubSub, unless it can ensure privacy of the data with other means.

+

The configuration of a local pubsub node does not prevent an attacker or a contact with a misconfigured node from sending pubsub events with the same payload. Therefore clients MUST verify that the ‘from’ attribute on incoming event messages are either missing or equal that of their own account JID.

The Security Considerations specified in XEP-0060 and XEP-0163 need to be taken into account.
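Review bot: the new revision entry (1.1.1, 2023-03-23) names CVE-2023-28686 as the reason for the change, but the paragraph added to the Security Considerations does not mention the CVE or link to its advisory, so a reader of the specification body has no pointer to the issue being addressed. Consider adding the CVE reference (or a link to the advisory) to the new paragraph so the context survives outside the revision history.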
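Review bot: the added paragraph in the Security Considerations requires clients to verify the 'from' attribute but does not say what to do when the check fails; add an explicit consequence, for example "Events that fail this check MUST be ignored and MUST NOT be treated as private data." Two wording fixes in the same sentence: "the 'from' attribute on incoming event messages are either missing or equal that of" should read "the 'from' attribute on incoming event messages is either missing or equal to", and it would help to state whether the comparison is against the account's bare JID, since "their own account JID" leaves that open.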