| Summary: | <net-im/prosody-0.11.10: remote information disclosure (CVE-2021-37601) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | ||
| Severity: | minor | CC: | conikost |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://seclists.org/oss-sec/2021/q3/32 https://www.openwall.com/lists/oss-security/2021/07/22/5/1 | ||
| Whiteboard: | B4 [glsa?] | ||
| Package list: |
net-im/prosody-0.11.10
|
Runtime testing required: | No |
Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e4040b95675b3a76a3732b89a8fc1ac07fa16d6 commit 1e4040b95675b3a76a3732b89a8fc1ac07fa16d6 Author: Conrad Kostecki <conikost@gentoo.org> AuthorDate: 2021-08-07 22:19:49 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2021-08-07 22:19:49 +0000 net-im/prosody: bump to version 0.11.10 Bug: https://bugs.gentoo.org/803590 Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Conrad Kostecki <conikost@gentoo.org> net-im/prosody/Manifest | 1 + net-im/prosody/prosody-0.11.10.ebuild | 102 ++++++++++++++++++++++++++++++++++ 2 files changed, 103 insertions(+) Thanks, please add CC-ARCHES when ready. amd64 stable arm done x86 stable arm64 done all arches done Please cleanup, thanks! The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45091c462450c5df4ca2511f6cea2569bb9d2024 commit 45091c462450c5df4ca2511f6cea2569bb9d2024 Author: Conrad Kostecki <conikost@gentoo.org> AuthorDate: 2021-08-26 21:08:35 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2021-08-26 21:08:56 +0000 net-im/prosody: drop old version Bug: https://bugs.gentoo.org/803590 Package-Manager: Portage-3.0.22, Repoman-3.0.3 Signed-off-by: Conrad Kostecki <conikost@gentoo.org> net-im/prosody/Manifest | 1 - net-im/prosody/prosody-0.11.9.ebuild | 102 ----------------------------------- 2 files changed, 103 deletions(-) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09efbc7cf7ecf85e974891d0f7cae1b264c736da commit 09efbc7cf7ecf85e974891d0f7cae1b264c736da Author: Conrad Kostecki <conikost@gentoo.org> AuthorDate: 2022-01-13 17:10:35 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2022-01-13 17:10:40 +0000 net-im/prosody: drop 0.11.10, 0.11.11 Bug: https://bugs.gentoo.org/803590 Bug: https://bugs.gentoo.org/831140 Signed-off-by: Conrad Kostecki <conikost@gentoo.org> net-im/prosody/Manifest | 2 - net-im/prosody/prosody-0.11.10.ebuild | 102 ---------------------------------- net-im/prosody/prosody-0.11.11.ebuild | 102 ---------------------------------- 3 files changed, 206 deletions(-) Unable to check for sanity:
> no match for package: net-im/prosody-0.11.10
|
From URL: **Description** It was discovered that Prosody exposes the list of entities (Jabber/XMPP addresses) affiliated (part of) a Multi-User chat to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of the chat, if the `whois` room configuration was set to `anyone`. This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address if it is hosted on a vulnerable Prosody server. **Affected configurations** All Multi-User chat rooms hosted on an affected Prosody version which are configured to share the real addresses of occupants with all other occupants ("non-anonymous"). The impact is particularly high for rooms which have this option set in combination with "members-only" (to allow only entities which have at least "members" affiliation to take part in the chat). Unfortunately, this configuration is a pre-requisite for using the state-of-the-art OMEMO end-to-end encryption system. **Mitigating factors** A client may choose a sufficiently random name for such private group chats and set it to be not listed publicly. This prevents unaffiliated attackers from exploiting the vulnerability, as long as the address of the room is not leaked. The public jabber chat room search engine has been modified to not return any members-only rooms for now. Please apply the patch at URL. Thanks!