From the advisory: Openfire is a real time collaboration (RTC) server licensed under the Open Source GPL. It uses the widely adopted open protocol for instant messaging XMPP, also called Jabber. Multiple cross-site scripting vulnerabilities have been found, which may lead to arbitrary remote code execution on the server running the application due to unauthorized upload of Java plugin code.
It's still XSS based.
But "Remote passive compromise: remote execution of arbitrary code by enticing a user to visit a malicious server or using malicious data" fits. ;P
+*openfire-3.6.3 (13 Jan 2009) + + 13 Jan 2009; Robert Buchholz <rbu@gentoo.org> -openfire-3.5.2.ebuild, + -openfire-3.6.0.ebuild, -openfire-3.6.0a.ebuild, +openfire-3.6.3.ebuild: + Proxy commit for jokey: Version bump (bug #248857) for security bug (#254309) + fixing a Cross-Site Scripting vulnerability that can be exploited to execute + arbitrary code on the server. I'll add arches later tonight.
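Review bot: The closing sentence of the ChangeLog entry, "I'll add arches later tonight", is a to-do note rather than a record of what this commit changed, and it will be stale as soon as the keywords land. Since the same entry removes openfire-3.5.2, 3.6.0 and 3.6.0a and adds only openfire-3.6.3, consider replacing that sentence with the keywords the new ebuild actually carries at this commit, and keep the follow-up plan in the bug instead.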
Arches, please test and mark stable: =net-im/openfire-3.6.3 Target keywords : "amd64 x86"
amd64/x86 stable, all arches done.
Ready for vote, I vote YES.
Maybe send one GLSA together with bug 246008?
CVE-2009-0496 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0496): Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) log parameter to (a) logviewer.jsp and (b) log.jsp; (2) search parameter to (c) group-summary.jsp; (3) username parameter to (d) user-properties.jsp; (4) logDir, (5) maxTotalSize, (6) maxFileSize, (7) maxDays, and (8) logTimeout parameters to (e) audit-policy.jsp; (9) propName parameter to (f) server-properties.jsp; and the (10) roomconfig_roomname and (11) roomconfig_roomdesc parameters to (g) muc-room-edit-form.jsp. NOTE: this can be leveraged for arbitrary code execution by using XSS to upload a malicious plugin.

CVE-2009-0497 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0497): Directory traversal vulnerability in log.jsp in Ignite Realtime Openfire 3.6.2 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the log parameter.
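For admins who want to check whether an unpatched console was probed, here is an added detection sketch (not part of the advisory, the CVE entries or any Gentoo tooling) that maps the page/parameter pairs listed in the two CVE descriptions onto access-log lines. It assumes the admin console's requests are logged in common log format with query strings; the function name `classify` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# JSP page -> parameters named in CVE-2009-0496 (taken from the CVE text above).
XSS_PARAMS = {
    "logviewer.jsp": {"log"},
    "log.jsp": {"log"},
    "group-summary.jsp": {"search"},
    "user-properties.jsp": {"username"},
    "audit-policy.jsp": {"logDir", "maxTotalSize", "maxFileSize",
                         "maxDays", "logTimeout"},
    "server-properties.jsp": {"propName"},
    "muc-room-edit-form.jsp": {"roomconfig_roomname", "roomconfig_roomdesc"},
}
MARKUP = re.compile(r"[<>\"']")       # HTML metacharacters in a listed parameter
TRAVERSAL = re.compile(r"\.\.[\\/]")  # CVE-2009-0497: "..\" (also flags "../")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return a sorted list of (cve, page, param) findings for one log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    page = url.path.rsplit("/", 1)[-1]
    findings = set()
    # parse_qsl percent-decodes values, so %3C and %5C are seen as "<" and "\".
    # Only query strings are inspected; POST bodies are not in access logs.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in XSS_PARAMS.get(page, ()) and MARKUP.search(value):
            findings.add(("CVE-2009-0496", page, name))
        if page == "log.jsp" and name == "log" and TRAVERSAL.search(value):
            findings.add(("CVE-2009-0497", page, name))
    return sorted(findings)

# Constructed sample lines (not real traffic); the URL layout is an assumption.
SAMPLE = [
    '192.0.2.10 - - [13/Jan/2009:10:00:00 +0000] "GET /log.jsp?log=info HTTP/1.1" 200 512',
    '192.0.2.11 - - [13/Jan/2009:10:00:05 +0000] "GET /group-summary.jsp?search=%3Cb%3Ex HTTP/1.1" 200 900',
    '192.0.2.12 - - [13/Jan/2009:10:00:09 +0000] "GET /log.jsp?log=..%5C..%5Cconf%5Cx HTTP/1.1" 200 4096',
    '192.0.2.13 - - [13/Jan/2009:10:00:12 +0000] "GET /index.jsp?search=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line.split('"')[1])
```

A hit only shows that a listed parameter carried markup or a traversal sequence; whether it succeeded depends on the Openfire version that served the request.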
YES too, request filed
GLSA 200904-01