
Bug#991477: unblock: prosody/0.11.9-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package prosody

  * fix for https://prosody.im/security/advisory_20210722/
(change by Victor Seva)

Maintainer and security team are in Cc.
diff -Nru prosody-0.11.9/debian/changelog prosody-0.11.9/debian/changelog
--- prosody-0.11.9/debian/changelog	2021-05-14 10:17:12.000000000 +0300
+++ prosody-0.11.9/debian/changelog	2021-07-23 15:15:58.000000000 +0300
@@ -1,3 +1,9 @@
+prosody (0.11.9-2) unstable; urgency=high
+
+  * fix for https://prosody.im/security/advisory_20210722/
+
+ -- Victor Seva <vseva@debian.org>  Fri, 23 Jul 2021 14:15:58 +0200
+
 prosody (0.11.9-1) unstable; urgency=high
 
   * New upstream version 0.11.9 addressing several security issues
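Review bot: The new 0.11.9-2 changelog entry identifies the fix only by the advisory URL. It should also name the patch being added (0006-muc-fix-for-CWE-284.patch) and say in a few words what changes (the access check in the MUC admin query handler in plugins/muc/muc.lib.lua), so the entry is still meaningful to someone reading the changelog without following the link.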
diff -Nru prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch
--- prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch	1970-01-01 02:00:00.000000000 +0200
+++ prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch	2021-07-23 15:15:58.000000000 +0300
@@ -0,0 +1,22 @@
+From: Victor Seva <linuxmaniac@torreviejawireless.org>
+Date: Fri, 23 Jul 2021 14:14:08 +0200
+Subject: muc: fix for CWE-284
+
+https://prosody.im/security/advisory_20210722/
+---
+ plugins/muc/muc.lib.lua | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua
+index 037baa3..f037c4f 100644
+--- a/plugins/muc/muc.lib.lua
++++ b/plugins/muc/muc.lib.lua
+@@ -976,7 +976,7 @@ function room_mt:handle_admin_query_get_command(origin, stanza)
+ 		-- e.g. an admin can't ask for a list of owners
+ 		local affiliation_rank = valid_affiliations[affiliation or "none"];
+ 		if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank)
+-		or (self:get_whois() == "anyone") then
++		or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then
+ 			local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin";);
+ 			for jid in self:each_affiliation(_aff or "none") do
+ 				local nick = self:get_registered_nick(jid);
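Review bot: In the rewritten `or` branch of handle_admin_query_get_command, the new condition bounds only the requester's rank (`affiliation_rank >= valid_affiliations.member`) and, unlike the first branch, never compares against `_aff_rank`. In a members-only room with whois set to "anyone", a plain member can therefore still request whichever list is passed to `self:each_affiliation(_aff or "none")`, including lists above their own rank, which is at odds with the comment "an admin can't ask for a list of owners". If that scope is what the advisory intends, a one-line comment above the condition saying so would help; otherwise add a check on `_aff_rank` to this branch. Separately, the context line `query("http://jabber.org/protocol/muc#admin";);` shows a `;` before the closing parenthesis, which is not valid Lua and looks like mail-archive mangling; confirm the patch file in the package does not carry it, since that context would not match the real source. The patch header also gives no Origin or upstream commit reference beyond the advisory URL.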
diff -Nru prosody-0.11.9/debian/patches/series prosody-0.11.9/debian/patches/series
--- prosody-0.11.9/debian/patches/series	2021-05-14 10:17:12.000000000 +0300
+++ prosody-0.11.9/debian/patches/series	2021-07-23 15:15:58.000000000 +0300
@@ -3,3 +3,4 @@
 0003-buildflags.patch
 0004-fix-package.path-of-ejabberd2prosody.patch
 0005-use-lua52.patch
+0006-muc-fix-for-CWE-284.patch
