Summary: | net-im/prosody-0.9.8 version bump (for added security regarding libidn vulnerability CVE-2015-2059) | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Daniel Kenzelmann <gentoo> |
Component: | Current packages | Assignee: | Tobias Klausmann (RETIRED) <klausman> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | alexander, jstein, klausman, nemunaire, rafaelmartins, ronny+bugsgentoo, zx2c4 |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://blog.prosody.im/prosody-0-9-8-released/ | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Description
Daniel Kenzelmann
2015-03-30 10:17:14 UTC
Our prosody uses system libidn, so I guess this is a duplicate of 541970

*** This bug has been marked as a duplicate of bug 541970 ***

There are other fixes as well in that version, so maybe just change it to a version bump then?

CC'ing maintainers to be sure that my observation is right.

(In reply to Agostino Sarubbo from comment #3)
> CC'ing maintainers to be sure that my observation is right.

That is correct, Prosody uses the system libidn:

```
$ ldd /usr/lib64/prosody/util/encodings.so
ldd: warning: you do not have execution permission for `/usr/lib64/prosody/util/encodings.so'
        linux-vdso.so.1 (0x00007ffeddd81000)
        libidn.so.11 => /usr/lib64/libidn.so.11 (0x00007fb4c7142000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fb4c6da5000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fb4c758b000)
```

Switching this to a version bump.

Added 0.9.8 to the tree. Will file stabilization bug in 30 days.

Is this DEPEND for openssl really wanted:

```
DEPEND="net-im/jabber-base
[...]
dev-libs/openssl:0.9.8"
```

This pulls in dev-libs/openssl:0.9.8 in a new slot (I use a newer version).

The 0.9.7 ebuild of prosody uses ">=dev-libs/openssl-0.9.8"

(In reply to Ronny Boesger from comment #6)
> Is this DEPEND for openssl really wanted:
>
> DEPEND="net-im/jabber-base
> [...]
> dev-libs/openssl:0.9.8"
>
>
> This pulls in dev-libs/openssl:0.9.8 in a new slot (I use a newer version).
>
> The 0.9.7 ebuild of prosody uses ">=dev-libs/openssl-0.9.8"

My bad. Fixed it to require dev-libs/openssl:=

(In reply to Tobias Klausmann from comment #7)

This is not correct. See bug 545156

*** Bug 545552 has been marked as a duplicate of this bug. ***