Summary: | <net-im/prosody-0.9.10: Security vulnerability in mod_dialback (CVE-2016-0756) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | hauschild.markus, klausman, rafaelmartins, zx2c4
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B4 [noglsa cve] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 571312 | |
Description
Kristian Fiskerstrand (RETIRED)
2016-01-27 21:07:28 UTC
Version 0.9.10 is in the tree with testing keywords for amd64, arm and x86. @arches, please stabilize.

Been running it for a while with no issues. Stable on amd64.

arm stable

CVE-2016-0756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0756): The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.

@x86, ping.

x86 stable.

Maintainer(s), please cleanup.

Removed 0.9.{8,9} with commit 3b0fbe83c7219e1bd9fccc4ad7c5fb9cd54fb4fa

GLSA Vote: No
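The CVE text above describes a field-separation bug in a dialback key derivation. The following is an added example (not Prosody's code, and not a reproduction of the exploit) that models the two shapes of that derivation: an HMAC over the bare concatenation `to .. from .. id`, where a shifted field boundary yields the same MAC input for two different triples, and an HMAC over a length-prefixed encoding, where it cannot. The secret and the colliding triples are constructed for the demonstration.

```python
import hashlib
import hmac


def key_unseparated(secret: bytes, to: str, origin: str, stream_id: str) -> str:
    """Pre-fix shape: fields concatenated with nothing between them, so the
    MAC input does not record where one field ends and the next begins."""
    msg = (to + origin + stream_id).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def encode_fields(*fields: str) -> bytes:
    """Unambiguous encoding: every field is preceded by its byte length, so no
    choice of field contents can move a boundary. (A fixed delimiter also works
    when it is provably absent from every field, e.g. a byte that is not legal
    in a domain name, but length-prefixing does not depend on that property.)"""
    out = bytearray()
    for field in fields:
        raw = field.encode("utf-8")
        if len(raw) > 0xFFFF:
            raise ValueError("field too long for 2-byte length prefix")
        out += len(raw).to_bytes(2, "big") + raw
    return bytes(out)


def key_separated(secret: bytes, to: str, origin: str, stream_id: str) -> str:
    """Hardened shape: HMAC over the length-prefixed fields."""
    return hmac.new(secret, encode_fields(to, origin, stream_id), hashlib.sha256).hexdigest()


def verify_key(secret: bytes, to: str, origin: str, stream_id: str, presented: str) -> bool:
    """Receiving-side check of a presented key, using a constant-time compare."""
    return hmac.compare_digest(key_separated(secret, to, origin, stream_id), presented)


# Constructed values for the demonstration only.
SECRET = b"constructed-dialback-secret"
# Two distinct (to, origin, stream id) triples whose bare concatenation is
# identical: the last byte of the origin domain has moved into the stream id.
TRIPLE_A = ("example.com", "example.org", "id123")
TRIPLE_B = ("example.com", "example.or", "gid123")


def collision_report(secret: bytes = SECRET) -> dict:
    """Return whether each derivation yields the same key for the two triples."""
    return {
        "unseparated_collides": key_unseparated(secret, *TRIPLE_A) == key_unseparated(secret, *TRIPLE_B),
        "separated_collides": key_separated(secret, *TRIPLE_A) == key_separated(secret, *TRIPLE_B),
    }


if __name__ == "__main__":
    print(collision_report())
```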