OpenFire v4.1.0 change log from $URL lists the following vulnerabilities:

[OF-941] - CVE-2015-7707 Admin Console Privilege Escalation Vulnerability
Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp.

[OF-942] - CVE-2015-6972 CVE-2015-6973 Admin Console Security Improvements
Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp.
Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp.
@ Maintainer(s): Can we stabilize =net-im/openfire-4.1.0?
Yes, it's ok to stabilise =net-im/openfire-4.1.0
@ Arches, please test and mark stable: =net-im/openfire-4.1.0
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Removed old versions as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ab21af1ea2b469a2de10938bb996d21b209a262
New GLSA request filed.
This issue was resolved and addressed in GLSA 201612-50 at https://security.gentoo.org/glsa/201612-50 by GLSA coordinator Aaron Bauman (b-man).