Your message dated Mon, 13 Apr 2009 22:32:11 +0000
with message-id <[email protected]>
and subject line Bug#520852: fixed in ejabberd 2.0.5-1
has caused the Debian Bug report #520852,
regarding CVE-2009-0934: Cross-site scripting (XSS) vulnerability in ejabberd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
520852: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520852
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ejabberd
Version: 2.0.3-1
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ejabberd.
CVE-2009-0934[0]:
| Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4
| allows remote attackers to inject arbitrary web script or HTML via
| unknown vectors related to links and MUC logs.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Note: other versions might also be affected.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0934
http://security-tracker.debian.net/tracker/CVE-2009-0934
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
--- Begin Message ---
Source: ejabberd
Source-Version: 2.0.5-1
We believe that the bug you reported is fixed in the latest version of
ejabberd, which is due to be installed in the Debian FTP archive:
ejabberd_2.0.5-1.diff.gz
to pool/main/e/ejabberd/ejabberd_2.0.5-1.diff.gz
ejabberd_2.0.5-1.dsc
to pool/main/e/ejabberd/ejabberd_2.0.5-1.dsc
ejabberd_2.0.5-1_i386.deb
to pool/main/e/ejabberd/ejabberd_2.0.5-1_i386.deb
ejabberd_2.0.5.orig.tar.gz
to pool/main/e/ejabberd/ejabberd_2.0.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Torsten Werner <[email protected]> (supplier of updated ejabberd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 05 Apr 2009 22:53:46 +0200
Source: ejabberd
Binary: ejabberd
Architecture: source i386
Version: 2.0.5-1
Distribution: unstable
Urgency: high
Maintainer: Torsten Werner <[email protected]>
Changed-By: Torsten Werner <[email protected]>
Description:
ejabberd - Distributed, fault-tolerant Jabber/XMPP server written in Erlang
Closes: 516528 518079 520852
Changes:
ejabberd (2.0.5-1) unstable; urgency=high
.
* new upstream release
- Fixes 'CVE-2009-0934: Cross-site scripting (XSS) vulnerability in
ejabberd' (Closes: #520852)
- Fixes 'starttls hangs' (Closes: #516528, #518079)
* Disable patch ldaps.patch because it does not apply any more.
* Refresh all other patches.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAknjufoACgkQfY3dicTPjsPbjQCeK5bGxBYmziD/GBTehvaD/v4b
ozAAnRxeebccox98itsbzNkzTnNNGseU
=sH9V
-----END PGP SIGNATURE-----
--- End Message ---