Prosody 0.9.8 was released including an important security fix: Ensure only valid UTF-8 is passed to libidn. It was found (CVE-2015-2059) that libidn can read beyond the boundaries of the provided buffer when an input string contains invalid UTF-8 sequences.

Reproducible: Always
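The fix named in the report is a guard, not a change to libidn: reject any string that is not well-formed UTF-8 before it reaches the library, so a truncated or overlong sequence can never make libidn read past the end of the buffer. The following is an added example of such a check, written for this page and not Prosody's own code; the libidn call it would protect is represented by a comment so the block compiles without the library.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns 1 if buf[0..len) is well-formed UTF-8 (RFC 3629), else 0.
 * Rejects truncated sequences (the case that lets a decoder run off the
 * end of the buffer), overlong encodings, UTF-16 surrogates and code
 * points above U+10FFFF. */
int utf8_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need;          /* continuation bytes expected after c */
        uint32_t cp;          /* decoded code point */
        if (c < 0x80) { i++; continue; }                       /* ASCII */
        else if (c >= 0xC2 && c <= 0xDF) { need = 1; cp = c & 0x1F; }
        else if (c >= 0xE0 && c <= 0xEF) { need = 2; cp = c & 0x0F; }
        else if (c >= 0xF0 && c <= 0xF4) { need = 3; cp = c & 0x07; }
        else return 0;        /* stray continuation, C0/C1 overlong, F5..FF */
        if (len - i - 1 < need) return 0;   /* truncated: stop before the end */
        for (size_t k = 1; k <= need; k++) {
            unsigned char cc = buf[i + k];
            if ((cc & 0xC0) != 0x80) return 0;   /* not a continuation byte */
            cp = (cp << 6) | (cc & 0x3F);
        }
        if (need == 2 && cp < 0x800) return 0;       /* overlong 3-byte form */
        if (need == 3 && cp < 0x10000) return 0;     /* overlong 4-byte form */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;  /* UTF-16 surrogate */
        if (cp > 0x10FFFF) return 0;                 /* beyond Unicode range */
        i += need + 1;
    }
    return 1;
}

/* Guard for a NUL-terminated string: 1 if it may be handed to libidn
 * (e.g. stringprep/nameprep), 0 if the caller must reject it instead. */
int idn_input_ok(const char *s)
{
    if (s == NULL) return 0;
    if (!utf8_is_valid((const unsigned char *)s, strlen(s))) return 0;
    /* ... only here would the real libidn call be made ... */
    return 1;
}
```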
Our prosody uses system libidn, so I guess this is a duplicate of 541970.

*** This bug has been marked as a duplicate of bug 541970 ***
There are other fixes as well in that version, so maybe just change it to a version bump then?
CC'ing maintainers to be sure that my observation is right.
(In reply to Agostino Sarubbo from comment #3)
> CC'ing maintainers to be sure that my observation is right.

That is correct, Prosody uses the system libidn:

$ ldd /usr/lib64/prosody/util/encodings.so
ldd: warning: you do not have execution permission for `/usr/lib64/prosody/util/encodings.so'
	linux-vdso.so.1 (0x00007ffeddd81000)
	libidn.so.11 => /usr/lib64/libidn.so.11 (0x00007fb4c7142000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fb4c6da5000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fb4c758b000)

Switching this to a version bump.
Added 0.9.8 to the tree. Will file stabilization bug in 30 days.
Is this DEPEND for openssl really wanted:

DEPEND="net-im/jabber-base
[...]
dev-libs/openssl:0.9.8"

This pulls in dev-libs/openssl:0.9.8 in a new slot (I use a newer version).

The 0.9.7 ebuild of prosody uses ">=dev-libs/openssl-0.9.8".
(In reply to Ronny Boesger from comment #6)
> Is this DEPEND for openssl really wanted:
>
> DEPEND="net-im/jabber-base
> [...]
> dev-libs/openssl:0.9.8"
>
> This pulls in dev-libs/openssl:0.9.8 in a new slot (I use a newer version).
>
> The 0.9.7 ebuild of prosody uses ">=dev-libs/openssl-0.9.8".

My bad. Fixed it to require dev-libs/openssl:=
(In reply to Tobias Klausmann from comment #7)

This is not correct. See bug 545156.
*** Bug 545552 has been marked as a duplicate of this bug. ***