We are happy to announce the release of (a)Smack 4.0.0-rc1. This is the first aSmack release that is in sync with Smack’s codebase and therefore marks an important milestone for Smack on Android. It is also the first non-snapshot release that is going to be available on the Maven Central Repositories (SMACK-265).
Smack 4.0.0-rc1 includes some major changes and important improvements including security related fixes. While this is marked as release candidate, users are encouraged to update because some important security bugs have been fixed. Please consult the “Smack 4.0 Readme and Upgrade Guide” for further information regarding the changes between Smack 3.4 and 4.0.
Previous Smack versions suffered from a missing “Basic Constraints” check in ServerTrustManager (SMACK-410): this allowed anyone with a valid CA-signed certificate for any domain to generate a certificate for any other domain that would be accepted by Smack’s ServerTrustManager. Moxie Marlinspike found the same error in IE back in 2002 and wrote a detailed summary about it: http://www.thoughtcrime.org/ie-ssl-chain.txt
We would like to thank Ryan Sleevi of the Google Chrome Security Team for reporting the issue to us.
The fix for Smack was simply removing ServerTrustManager and the related code altogether. ConnectionConfiguration now only has a setting for a custom SSLContext. We shifted the responsibility for TLS certificate validation out of the library to the user, where it belongs. A fixed version of ServerTrustManager may return as an optional module in a future Smack release. Contributions are, as always, welcome.
A second important security vulnerability often found in XMPP implementations was made public by Thijs Alkemade aka xnyhps early this year. Affected implementations did not properly verify the ‘from’ attribute of IQ responses and were therefore vulnerable to spoofed IQ packets. You can read more about it here: http://tools.ietf.org/html/draft-alkemade-xmpp-iq-validation-00
Thijs also reported Smack as vulnerable in SMACK-533 and SMACK-538. Thanks to Lars Noschinski, patches were quickly provided and Smack is now immune.
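The rule the draft asks for is small enough to show in full. The following is an added, stand-alone example (not Smack's code; Smack applies the equivalent rule in its own IQ reply filtering) that decides whether an incoming IQ result or error may be matched to a pending request. The class name IqReplyCheck and the method isAcceptableReply are invented for the example, and the JIDs in main are constructed sample values.

```java
// Added example: 'from' validation for IQ replies as described in
// draft-alkemade-xmpp-iq-validation. Not Smack's own implementation.
import java.util.Objects;

public final class IqReplyCheck {

    /** Bare JID from a full JID ("user@host/resource" -> "user@host"); null stays null. */
    static String bare(String jid) {
        if (jid == null) return null;
        int slash = jid.indexOf('/');
        return slash < 0 ? jid : jid.substring(0, slash);
    }

    /**
     * Returns true only if the reply's 'from' is consistent with the request's 'to'.
     * Matching the stanza 'id' alone is not enough: any entity that can guess or
     * observe the id could otherwise answer on behalf of the real recipient.
     *
     * @param requestTo    'to' of the request (null if it was sent without a 'to')
     * @param localFullJid our own full JID after resource binding
     * @param serviceName  the XMPP domain we are connected to
     * @param responseFrom 'from' of the incoming IQ (null if absent)
     */
    static boolean isAcceptableReply(String requestTo, String localFullJid,
                                     String serviceName, String responseFrom) {
        String localBareJid = bare(localFullJid);
        boolean sentToOwnServer = requestTo == null
                || requestTo.equals(serviceName)
                || requestTo.equals(localBareJid);
        if (sentToOwnServer) {
            // A request without 'to' (or addressed to our own account/server) is
            // answered by our server, which may omit 'from' or use the server
            // domain or our own JID. Anything else is treated as spoofed.
            return responseFrom == null
                    || responseFrom.equals(serviceName)
                    || responseFrom.equals(localBareJid)
                    || responseFrom.equals(localFullJid);
        }
        // Otherwise the reply must come from exactly the entity we asked.
        return Objects.equals(requestTo, responseFrom);
    }

    public static void main(String[] args) {
        // Constructed sample values for demonstration only.
        String me = "alice@example.org/phone";
        String server = "example.org";
        String bob = "bob@example.org/laptop";
        String stranger = "mallory@example.net";

        System.out.println("reply from the addressed entity:      "
                + isAcceptableReply(bob, me, server, bob));
        System.out.println("reply from a third party:             "
                + isAcceptableReply(bob, me, server, stranger));
        System.out.println("server reply without 'from':          "
                + isAcceptableReply(null, me, server, null));
        System.out.println("server reply from our bare JID:       "
                + isAcceptableReply(null, me, server, bare(me)));
        System.out.println("third party answering a server query: "
                + isAcceptableReply(null, me, server, stranger));
    }
}
```

The comparisons above are plain string equality; a real client should compare JIDs after the normalisation its JID library performs, since a differently-cased or non-normalised 'from' would otherwise be rejected or, worse, accepted inconsistently. A reply that fails the check should be dropped without completing the pending request.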
(a)Smack 4.0.0-rc1 is considered mature. It is marked as release candidate because we have only a small number of people who are testing the current (a)Smack development snapshot. We ask everyone using Smack in some sort of staging, development or non-critical production environment to try 4.0.0-rc1 and report any problems or feedback to the community forums.
Thanks to everyone working on Smack 4.0:
git shortlog -sn 3.4.1...4.0.0-rc1
166 Florian Schmaus
10 Lars Noschinski
4 Georg Lukas
2 Vyacheslav Blinov
2 rcollier
1 Daniele Ricci
1 Jason Sipula
1 XiaoweiYan
1 atsykholyas
Besides the mentioned security issues, Smack 4.0 also contains many new improvements and other bug fixes. An overview of all resolved issues in Smack 4.0.0-rc1 can be found in JIRA.
Smack 4.0.0-rc1 can be downloaded from Maven Central.
aSmack 4.0.0-rc1 is available as a jar at http://asmack.freakempire.de/4.0.0-rc1/