CVE-2016-9928: 
Linux Debian vulnerability analysis and mitigation

MCabber versions before 1.0.4 were discovered to be vulnerable to roster push attacks, identified as CVE-2016-9928. This vulnerability was similar to CVE-2015-8688 found in Gajim. The vulnerability was discovered in December 2016 and affected the XMPP messaging functionality of MCabber (CVE Details, Ubuntu Security).

The vulnerability allows remote attackers to intercept communications or add themselves as an entity on a third party's roster by impersonating another user through crafted XMPP packets. The issue stems from MCabber's failure to properly verify the origin of roster push stanzas. The vulnerability has a CVSS 3.1 Base Score of 7.4 (High), with network attack vector, high attack complexity, and no privileges required (Ubuntu Security).

When exploited, the vulnerability allows attackers to perform man-in-the-middle attacks and modify the victim's roster (contact list). An attacker could add themselves to a target's roster under the name of another user, thereby gaining associated privileges and the ability to intercept communications between parties (Debian Bug, Red Hat Bugzilla).

The vulnerability was fixed in MCabber version 1.0.4. Users are advised to upgrade to this version or later. Various Linux distributions have also released security updates to address this vulnerability, including Ubuntu 16.04 ESM (package version 0.10.2-1+deb8u1build0.16.04.1) and Debian 8 'Jessie' (version 0.10.2-1+deb8u1) (Ubuntu USN, Debian LTS).