Your message dated Mon, 26 Jul 2021 20:15:37 +0000
with message-id <e1m870j-0002sx...@respighi.debian.org>
and subject line unblock prosody
has caused the Debian Bug report #991477,
regarding unblock: prosody/0.11.9-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
991477: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991477
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package prosody

  * fix for https://prosody.im/security/advisory_20210722/
(change by Victor Seva)

Maintainer and security team are in Cc.
diff -Nru prosody-0.11.9/debian/changelog prosody-0.11.9/debian/changelog
--- prosody-0.11.9/debian/changelog     2021-05-14 10:17:12.000000000 +0300
+++ prosody-0.11.9/debian/changelog     2021-07-23 15:15:58.000000000 +0300
@@ -1,3 +1,9 @@
+prosody (0.11.9-2) unstable; urgency=high
+
+  * fix for https://prosody.im/security/advisory_20210722/
+
+ -- Victor Seva <vs...@debian.org>  Fri, 23 Jul 2021 14:15:58 +0200
+
 prosody (0.11.9-1) unstable; urgency=high
 
   * New upstream version 0.11.9 addressing several security issues
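Review bot: the new 0.11.9-2 changelog entry identifies the fix only by the advisory URL, so a reader of the changelog alone cannot tell what was changed or where. Suggest naming the added patch (debian/patches/0006-muc-fix-for-CWE-284.patch) and the affected code (the MUC admin query handler in plugins/muc/muc.lib.lua) in the bullet.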
diff -Nru prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch 
prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch
--- prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch        
1970-01-01 02:00:00.000000000 +0200
+++ prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch        
2021-07-23 15:15:58.000000000 +0300
@@ -0,0 +1,22 @@
+From: Victor Seva <linuxman...@torreviejawireless.org>
+Date: Fri, 23 Jul 2021 14:14:08 +0200
+Subject: muc: fix for CWE-284
+
+https://prosody.im/security/advisory_20210722/
+---
+ plugins/muc/muc.lib.lua | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua
+index 037baa3..f037c4f 100644
+--- a/plugins/muc/muc.lib.lua
++++ b/plugins/muc/muc.lib.lua
+@@ -976,7 +976,7 @@ function room_mt:handle_admin_query_get_command(origin, 
stanza)
+               -- e.g. an admin can't ask for a list of owners
+               local affiliation_rank = valid_affiliations[affiliation or 
"none"];
+               if (affiliation_rank >= valid_affiliations.admin and 
affiliation_rank >= _aff_rank)
+-              or (self:get_whois() == "anyone") then
++              or (self:get_members_only() and self:get_whois() == "anyone" 
and affiliation_rank >= valid_affiliations.member) then
+                       local reply = 
st.reply(stanza):query("http://jabber.org/protocol/muc#admin";);
+                       for jid in self:each_affiliation(_aff or "none") do
+                               local nick = self:get_registered_nick(jid);
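Review bot: in the changed condition of room_mt:handle_admin_query_get_command, the new second branch requires affiliation_rank >= valid_affiliations.member but, unlike the first branch, never compares affiliation_rank against _aff_rank. In a members-only room with whois set to "anyone", a plain member can therefore still request any affiliation list, including lists for ranks above their own. If that is the intended behaviour, add a code comment on this branch saying so, because the existing comment ("an admin can't ask for a list of owners") describes only the first branch; if it is not intended, bound the branch by _aff_rank the same way the first one is. The patch header also carries only the advisory link, so a one-line description of the access check being tightened would make the patch readable on its own.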
diff -Nru prosody-0.11.9/debian/patches/series 
prosody-0.11.9/debian/patches/series
--- prosody-0.11.9/debian/patches/series        2021-05-14 10:17:12.000000000 
+0300
+++ prosody-0.11.9/debian/patches/series        2021-07-23 15:15:58.000000000 
+0300
@@ -3,3 +3,4 @@
 0003-buildflags.patch
 0004-fix-package.path-of-ejabberd2prosody.patch
 0005-use-lua52.patch
+0006-muc-fix-for-CWE-284.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
