Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 262696 (CVE-2009-0934)

Summary: <net-im/ejabberd-2.0.4: XSS in MUC logs (CVE-2009-0934)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: caleb, net-im
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_204
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2009-03-16 19:15:46 UTC 
Release notes of ejabberd 2.0.4:
http://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_204

Cite:
# MUC: Prevent XSS in MUC logs by linkifying only a few known protocols
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-19 00:10:07 UTC 
CVE-2009-0934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0934):
  Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4
  allows remote attackers to inject arbitrary web script or HTML via
  unknown vectors related to links and MUC logs.
Comment 2 Caleb Tennis (RETIRED) gentoo-dev 2009-03-22 18:16:19 UTC 
2.0.4 is now in portage
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-22 18:28:54 UTC 
Arches, please test and mark stable:
=net-im/ejabberd-2.0.4
Target keywords : "amd64 x86"
Comment 4 Markus Meier gentoo-dev 2009-03-23 21:25:36 UTC 
amd64/x86 stable, all arches done.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-23 21:31:27 UTC 
GLSA voting, please.
I'm tempted to say NO.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-23 21:52:49 UTC 
XSS => no, closing.