Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 571312 (CVE-2016-1231) - <net-im/prosody-0.9.9: multiple vulnerabilities (CVE-2016-{1231,1232})
Summary: <net-im/prosody-0.9.9: multiple vulnerabilities (CVE-2016-{1231,1232})
Status: RESOLVED FIXED
Alias: CVE-2016-1231
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://blog.prosody.im/prosody-0-9-9-...
Whiteboard: B4 [cve noglsa]
Keywords:
Depends on: CVE-2016-0756
Blocks:
  Show dependency tree
 
Reported: 2016-01-08 20:33 UTC by Daniel Kenzelmann
Modified: 2016-06-30 09:36 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Kenzelmann 2016-01-08 20:33:53 UTC
http://blog.prosody.im/prosody-0-9-9-security-release/

This release contains important fixes for two security issues recently discovered in Prosody. It also contains various other fixes and improvements we have made since 0.9.8. We strongly recommend that you upgrade your server as soon as possible.

Another important note is that for a number of reasons we have dropped Windows support with this release. If you are affected by this, please contact us directly via email at developers@prosody.im.

A summary of changes:

Security fixes:

    Fix path traversal vulnerability in mod_http_files (CVE-2016-1231)

    Fix use of weak PRNG in generation of dialback secrets (CVE-2016-1232)

Bugs:

    Improve handling of CNAME records in DNS

    Fix traceback when deleting a user in some configurations (issue #496)

    MUC: restrict_room_creation could prevent users from joining rooms (issue #458)

    MUC: fix occasional dropping of iq stanzas sent privately between occupants

    Fix a potential memory leak in mod_pep

Additions:

    Add http:list() command to telnet to view active HTTP services

    Simplify IPv4/v6 address selection code for outgoing s2s

    Add support for importing SCRAM hashes from ejabberd



Reproducible: Always
Comment 1 Tobias Klausmann gentoo-dev 2016-01-09 18:22:43 UTC
Add v0.9.9 to the tree, with KEYWORDS="~amd64 ~arm ~x86".

Will send to stabilization in 10 days unless there are bugs/objections.
Comment 2 Tony Vroon gentoo-dev 2016-01-11 13:54:48 UTC
(In reply to Tobias Klausmann from comment #1)
> Will send to stabilization in 10 days unless there are bugs/objections.

Based on it being a security fix and upstream recommending an upgrade "as soon as possible", could we expedite this please?
Comment 3 Tony Vroon gentoo-dev 2016-01-12 09:35:07 UTC
Arches, please test & mark stable:
=net-im/prosody-0.9.9

Any concerns about expedited stable can be raised here or with me personally.
Comment 4 Tobias Klausmann gentoo-dev 2016-01-13 17:20:33 UTC
(In reply to Tony Vroon from comment #3)
> Arches, please test & mark stable:
> =net-im/prosody-0.9.9
> 
> Any concerns about expedited stable can be raised here or with me personally.

I am idiot and filed 571764 separately.

I have done the stabilization on amd64, x86 and arm are still open.
Comment 5 Andreas Schürch gentoo-dev 2016-01-15 13:22:51 UTC
x86 done
Comment 6 Markus Meier gentoo-dev 2016-01-17 11:30:01 UTC
arm stable, all arches done.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-06-21 08:58:49 UTC
CVE-2016-1232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1232):
  The mod_dialback module in Prosody before 0.9.9 does not properly generate
  random values for the secret token for server-to-server dialback
  authentication, which makes it easier for attackers to spoof servers via a
  brute force attack.

CVE-2016-1231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1231):
  Directory traversal vulnerability in the HTTP file-serving module
  (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to
  read arbitrary files via a .. (dot dot) in an unspecified path.
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-30 09:36:32 UTC
Cleanup complete by maintainer:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b0fbe83

GLSA Vote: No