Gajim before 0.16.5 doesn't verify the origin of roster pushes, thus allowing third parties to modify the roster via a man-in-the-middle attack (CVE-2015-8688).
{ "section": "core" }