
Bug#991477: marked as done (unblock: prosody/0.11.9-2)



Your message dated Mon, 26 Jul 2021 20:15:37 +0000
with message-id <E1m870j-0002sx-4A@respighi.debian.org>
and subject line unblock prosody
has caused the Debian Bug report #991477,
regarding unblock: prosody/0.11.9-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991477: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991477
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package prosody

  * fix for https://prosody.im/security/advisory_20210722/
(change by Victor Seva)

Maintainer and security team are in Cc.
diff -Nru prosody-0.11.9/debian/changelog prosody-0.11.9/debian/changelog
--- prosody-0.11.9/debian/changelog	2021-05-14 10:17:12.000000000 +0300
+++ prosody-0.11.9/debian/changelog	2021-07-23 15:15:58.000000000 +0300
@@ -1,3 +1,9 @@
+prosody (0.11.9-2) unstable; urgency=high
+
+  * fix for https://prosody.im/security/advisory_20210722/
+
+ -- Victor Seva <vseva@debian.org>  Fri, 23 Jul 2021 14:15:58 +0200
+
 prosody (0.11.9-1) unstable; urgency=high
 
   * New upstream version 0.11.9 addressing several security issues
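Review bot: the new 0.11.9-2 entry identifies the change only by the advisory URL, so the changelog does not say which component is touched or which patch carries the fix. Suggest naming both, for example "debian/patches/0006-muc-fix-for-CWE-284.patch: restrict MUC affiliation list queries", and keeping the advisory link as the reference, so the fix can be located from the changelog alone.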
diff -Nru prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch
--- prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch	1970-01-01 02:00:00.000000000 +0200
+++ prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch	2021-07-23 15:15:58.000000000 +0300
@@ -0,0 +1,22 @@
+From: Victor Seva <linuxmaniac@torreviejawireless.org>
+Date: Fri, 23 Jul 2021 14:14:08 +0200
+Subject: muc: fix for CWE-284
+
+https://prosody.im/security/advisory_20210722/
+---
+ plugins/muc/muc.lib.lua | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua
+index 037baa3..f037c4f 100644
+--- a/plugins/muc/muc.lib.lua
++++ b/plugins/muc/muc.lib.lua
+@@ -976,7 +976,7 @@ function room_mt:handle_admin_query_get_command(origin, stanza)
+ 		-- e.g. an admin can't ask for a list of owners
+ 		local affiliation_rank = valid_affiliations[affiliation or "none"];
+ 		if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank)
+-		or (self:get_whois() == "anyone") then
++		or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then
+ 			local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin";);
+ 			for jid in self:each_affiliation(_aff or "none") do
+ 				local nick = self:get_registered_nick(jid);
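Review bot: in the replacement `or (...)` line of handle_admin_query_get_command, the new branch only requires `affiliation_rank >= valid_affiliations.member` and never compares against `_aff_rank`, so the rule stated in the comment above ("an admin can't ask for a list of owners") is enforced by the first branch only. If a member of a members-only room with whois set to "anyone" is meant to be able to read every affiliation list, extend the comment to say so; if not, add `and affiliation_rank >= _aff_rank` to the second branch or restrict it to the list that is intended. Separately, the context line with `st.reply(stanza):query(` reads `";);` as shown here; if that stray `;` is in the patch file itself, the context will not match the source and the hunk will be rejected. The patch header also carries only the advisory URL; an Origin: line pointing at the upstream change would make the provenance checkable.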
diff -Nru prosody-0.11.9/debian/patches/series prosody-0.11.9/debian/patches/series
--- prosody-0.11.9/debian/patches/series	2021-05-14 10:17:12.000000000 +0300
+++ prosody-0.11.9/debian/patches/series	2021-07-23 15:15:58.000000000 +0300
@@ -3,3 +3,4 @@
 0003-buildflags.patch
 0004-fix-package.path-of-ejabberd2prosody.patch
 0005-use-lua52.patch
+0006-muc-fix-for-CWE-284.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
