| Summary: | net-im/prosody-0.9.9: multiple vulnerabilities (CVE-2016-{1231,1232}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Daniel Kenzelmann <gentoo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | klausman, rafaelmartins, zx2c4 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://blog.prosody.im/prosody-0-9-9-security-release/ | | |
| Whiteboard: | B4 [cve noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 573158 | | |
| Bug Blocks: | | | |
Description
Daniel Kenzelmann
2016-01-08 20:33:53 UTC

Add v0.9.9 to the tree, with KEYWORDS="~amd64 ~arm ~x86". Will send to stabilization in 10 days unless there are bugs/objections.

(In reply to Tobias Klausmann from comment #1)
> Will send to stabilization in 10 days unless there are bugs/objections.

Based on it being a security fix and upstream recommending an upgrade "as soon as possible", could we expedite this please?

Arches, please test & mark stable:
=net-im/prosody-0.9.9

Any concerns about expedited stable can be raised here or with me personally.

(In reply to Tony Vroon from comment #3)
> Arches, please test & mark stable:
> =net-im/prosody-0.9.9
>
> Any concerns about expedited stable can be raised here or with me personally.

I am an idiot and filed 571764 separately. I have done the stabilization on amd64; x86 and arm are still open.

x86 done

arm stable, all arches done.

CVE-2016-1232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1232): The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.

CVE-2016-1231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1231): Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.

Cleanup complete by maintainer: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b0fbe83

GLSA Vote: No