[Pkg-xmpp-devel] Bug#991477: unblock: prosody/0.11.9-2
Adrian Bunk
bunk at debian.org
Sun Jul 25 11:54:22 BST 2021
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package prosody
* fix for https://prosody.im/security/advisory_20210722/
(change by Victor Seva)
Maintainer and security team are in Cc.
-------------- next part --------------
diff -Nru prosody-0.11.9/debian/changelog prosody-0.11.9/debian/changelog
--- prosody-0.11.9/debian/changelog 2021-05-14 10:17:12.000000000 +0300
+++ prosody-0.11.9/debian/changelog 2021-07-23 15:15:58.000000000 +0300
@@ -1,3 +1,9 @@
+prosody (0.11.9-2) unstable; urgency=high
+
+ * fix for https://prosody.im/security/advisory_20210722/
+
+ -- Victor Seva <vseva at debian.org> Fri, 23 Jul 2021 14:15:58 +0200
+
prosody (0.11.9-1) unstable; urgency=high
* New upstream version 0.11.9 addressing several security issues
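Review bot: The new 0.11.9-2 changelog entry gives only the advisory URL and says neither which component is affected nor which patch is being added. Since the upload adds debian/patches/0006-muc-fix-for-CWE-284.patch, consider naming it in the entry together with the patch subject ("muc: fix for CWE-284"), so the urgency=high upload can be understood from the changelog without following the link.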
diff -Nru prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch
--- prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch 1970-01-01 02:00:00.000000000 +0200
+++ prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch 2021-07-23 15:15:58.000000000 +0300
@@ -0,0 +1,22 @@
+From: Victor Seva <linuxmaniac at torreviejawireless.org>
+Date: Fri, 23 Jul 2021 14:14:08 +0200
+Subject: muc: fix for CWE-284
+
+https://prosody.im/security/advisory_20210722/
+---
+ plugins/muc/muc.lib.lua | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua
+index 037baa3..f037c4f 100644
+--- a/plugins/muc/muc.lib.lua
++++ b/plugins/muc/muc.lib.lua
+@@ -976,7 +976,7 @@ function room_mt:handle_admin_query_get_command(origin, stanza)
+ -- e.g. an admin can't ask for a list of owners
+ local affiliation_rank = valid_affiliations[affiliation or "none"];
+ if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank)
+- or (self:get_whois() == "anyone") then
++ or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then
+ local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin");
+ for jid in self:each_affiliation(_aff or "none") do
+ local nick = self:get_registered_nick(jid);
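Review bot: In the muc.lib.lua change, the rewritten second branch of the condition requires `affiliation_rank >= valid_affiliations.member` but, unlike the first branch, makes no comparison against `_aff_rank` or `_aff`. In a members-only room with whois set to "anyone", a plain member therefore still passes the check for whichever list is requested, and the loop then iterates `self:each_affiliation(_aff or "none")` for it. If members are only meant to read the member list, constrain `_aff` in that branch. If access to every list is intended, extend the comment above the condition, which currently describes only the admin case ("an admin can't ask for a list of owners"). The patch header also carries only the advisory URL; a reference to the upstream commit would make the one-line change traceable.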
diff -Nru prosody-0.11.9/debian/patches/series prosody-0.11.9/debian/patches/series
--- prosody-0.11.9/debian/patches/series 2021-05-14 10:17:12.000000000 +0300
+++ prosody-0.11.9/debian/patches/series 2021-07-23 15:15:58.000000000 +0300
@@ -3,3 +3,4 @@
0003-buildflags.patch
0004-fix-package.path-of-ejabberd2prosody.patch
0005-use-lua52.patch
+0006-muc-fix-for-CWE-284.patch