Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package prosody for openSUSE:Factory checked 
in at 2021-08-18 08:55:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/prosody (Old)
 and      /work/SRC/openSUSE:Factory/.prosody.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "prosody"

Wed Aug 18 08:55:55 2021 rev:24 rq:912424 version:0.11.10

Changes:
--------
--- /work/SRC/openSUSE:Factory/prosody/prosody.changes  2021-05-15 
01:23:55.343080910 +0200
+++ /work/SRC/openSUSE:Factory/.prosody.new.1899/prosody.changes        
2021-08-18 08:56:42.482918739 +0200
@@ -1,0 +2,14 @@
+Mon Aug 16 14:00:52 UTC 2021 - Michael Vetter <[email protected]>
+
+- Update to 0.11.10:
+  Security:
+  * MUC: Fix logic for access to affiliation lists CVE-2021-37601
+    https://prosody.im/security/advisory_20210722/
+  Minor changes:
+  * prosodyctl: Add ???limits??? to known globals to warn about misplacing it
+  * util.ip: Fix netmask for link-local address range
+  * mod_pep: Remove obsolete node restoration code
+  * util.pubsub: Fix traceback if node data not initialized
+- Update is related to: bsc#1188976 CVE-2021-37601
+
+-------------------------------------------------------------------

Old:
----
  prosody-0.11.9.tar.gz
  prosody-0.11.9.tar.gz.asc

New:
----
  prosody-0.11.10.tar.gz
  prosody-0.11.10.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ prosody.spec ++++++
--- /var/tmp/diff_new_pack.AfPzSA/_old  2021-08-18 08:56:42.918918227 +0200
+++ /var/tmp/diff_new_pack.AfPzSA/_new  2021-08-18 08:56:42.922918222 +0200
@@ -18,7 +18,7 @@
 
 %define _piddir /run
 Name:           prosody
-Version:        0.11.9
+Version:        0.11.10
 Release:        0
 Summary:        Communications server for Jabber/XMPP
 License:        MIT

++++++ prosody-0.11.9.tar.gz -> prosody-0.11.10.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.9/.hg_archival.txt 
new/prosody-0.11.10/.hg_archival.txt
--- old/prosody-0.11.9/.hg_archival.txt 2021-05-12 17:22:02.000000000 +0200
+++ new/prosody-0.11.10/.hg_archival.txt        2021-08-03 11:53:04.326141067 
+0200
@@ -1,4 +1,4 @@
 repo: 3e3171b59028ee70122cfec6ecf98f518f946b59
-node: d0e9ffccdef934af554ea2d4a5beb9a52e9e951d
+node: d117b92fd8e459170a98a8dece7f3930f4b6aed7
 branch: 0.11
-tag: 0.11.9
+tag: 0.11.10
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.9/plugins/mod_pep.lua 
new/prosody-0.11.10/plugins/mod_pep.lua
--- old/prosody-0.11.9/plugins/mod_pep.lua      2021-05-12 17:22:02.000000000 
+0200
+++ new/prosody-0.11.10/plugins/mod_pep.lua     2021-08-03 11:53:04.326141067 
+0200
@@ -207,18 +207,6 @@
 
                check_node_config = check_node_config;
        });
-       local nodes, err = known_nodes:get(username);
-       if nodes then
-               module:log("debug", "Restoring nodes for user %s", username);
-               for node in pairs(nodes) do
-                       module:log("debug", "Restoring node %q", node);
-                       service:create(node, true);
-               end
-       elseif err then
-               module:log("error", "Could not restore nodes for %s: %s", 
username, err);
-       else
-               module:log("debug", "No known nodes");
-       end
        services[username] = service;
        module:add_item("pep-service", { service = service, jid = user_bare });
        return service;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.9/plugins/muc/muc.lib.lua 
new/prosody-0.11.10/plugins/muc/muc.lib.lua
--- old/prosody-0.11.9/plugins/muc/muc.lib.lua  2021-05-12 17:22:02.000000000 
+0200
+++ new/prosody-0.11.10/plugins/muc/muc.lib.lua 2021-08-03 11:53:04.326141067 
+0200
@@ -976,7 +976,7 @@
                -- e.g. an admin can't ask for a list of owners
                local affiliation_rank = valid_affiliations[affiliation or 
"none"];
                if (affiliation_rank >= valid_affiliations.admin and 
affiliation_rank >= _aff_rank)
-               or (self:get_whois() == "anyone") then
+               or (self:get_members_only() and self:get_whois() == "anyone" 
and affiliation_rank >= valid_affiliations.member) then
                        local reply = 
st.reply(stanza):query("http://jabber.org/protocol/muc#admin";);
                        for jid in self:each_affiliation(_aff or "none") do
                                local nick = self:get_registered_nick(jid);
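Review bot: The added branch on the `or` line never compares against `_aff_rank`, so in a members-only room with whois set to `anyone` a plain member can fetch every affiliation list, including `owner`, `admin` and, as far as this hunk shows, `outcast`. If the ban list is not meant to be visible to members, that branch needs its own bound on `_aff_rank`. If it is intended, the comment above the condition should say so, because `-- e.g. an admin can't ask for a list of owners` describes only the first branch. Suggested comment: `-- members of a members-only, non-anonymous room may read all affiliation lists; whois == "anyone" alone is not sufficient (CVE-2021-37601)`. The enclosing function starts and ends outside the hunk.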
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.9/prosody.release 
new/prosody-0.11.10/prosody.release
--- old/prosody-0.11.9/prosody.release  2021-05-12 18:52:16.000000000 +0200
+++ new/prosody-0.11.10/prosody.release 2021-08-03 11:53:04.326141067 +0200
@@ -1 +1 @@
-0.11.9
+0.11.10
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.9/prosodyctl 
new/prosody-0.11.10/prosodyctl
--- old/prosody-0.11.9/prosodyctl       2021-05-12 17:22:02.000000000 +0200
+++ new/prosody-0.11.10/prosodyctl      2021-08-03 11:53:04.326141067 +0200
@@ -841,7 +841,7 @@
                local known_global_options = set.new({
                        "pidfile", "log", "plugin_paths", "prosody_user", 
"prosody_group", "daemonize",
                        "umask", "prosodyctl_timeout", "use_ipv6", 
"use_libevent", "network_settings",
-                       "network_backend", "http_default_host", "gc",
+                       "network_backend", "http_default_host", "gc", "limits",
                        "statistics_interval", "statistics", 
"statistics_config",
                });
                local config = configmanager.getconfig();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/prosody-0.11.9/spec/scansion/muc_whois_anyone_member.scs 
new/prosody-0.11.10/spec/scansion/muc_whois_anyone_member.scs
--- old/prosody-0.11.9/spec/scansion/muc_whois_anyone_member.scs        
2021-05-12 17:22:02.000000000 +0200
+++ new/prosody-0.11.10/spec/scansion/muc_whois_anyone_member.scs       
2021-08-03 11:53:04.326141067 +0200
@@ -1,101 +1,127 @@
 # MUC: Allow members to fetch the affiliation lists in open non-anonymous rooms
 
 [Client] Romeo
-       jid: romeo@localhost/MsliYo9C
+       jid: 4e2pm7er@localhost
        password: password
 
 [Client] Juliet
-       jid: juliet@localhost/vJrUtY4Z
+       jid: qnjm5253@localhost
+       password: password
+
+[Client] Random
+       jid: iqizbcus@localhost
        password: password
 
 -----
 
 Romeo connects
 
+Juliet connects
+
+Random connects
+
+# Romeo joins and creates the MUC
 Romeo sends:
-       <presence to='[email protected]/romeo'>
-       <x xmlns='http://jabber.org/protocol/muc'/>
+       <presence to="[email protected]/Romeo">
+               <x xmlns="http://jabber.org/protocol/muc"/>
        </presence>
 
 Romeo receives:
-       <presence from='[email protected]/romeo'>
-       <x xmlns='http://jabber.org/protocol/muc#user'>
-       <status code='201'/>
-       <item jid="${Romeo's JID}" role='moderator' affiliation='owner'/>
-       <status code='110'/>
-       </x>
+       <presence from="[email protected]/Romeo">
+               <x xmlns="http://jabber.org/protocol/muc#user"; 
scansion:strict="false">
+                       <item affiliation="owner" jid="${Romeo's full JID}" 
role="moderator"/>
+                       <status code="110"/>
+                       <status code="201"/>
+               </x>
        </presence>
 
 Romeo receives:
-       <message from='[email protected]' type='groupchat'>
-       <subject/>
+       <message from="[email protected]" type="groupchat">
+               <subject/>
        </message>
 
+# and configures it for private chat
 Romeo sends:
-       <iq id='lx3' type='set' to='[email protected]'>
-       <query xmlns='http://jabber.org/protocol/muc#owner'>
-       <x type='submit' xmlns='jabber:x:data'>
-       <field var='FORM_TYPE'>
-       <value>http://jabber.org/protocol/muc#roomconfig</value>
-       </field>
-       <field var='muc#roomconfig_whois'>
-       <value>anyone</value>
-       </field>
-       </x>
-       </query>
+       <iq type="set" id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" 
to="[email protected]">
+               <query xmlns="http://jabber.org/protocol/muc#owner";>
+                       <x type="submit" xmlns="jabber:x:data">
+                               <field var="FORM_TYPE">
+                                       
<value>http://jabber.org/protocol/muc#roomconfig</value>
+                               </field>
+                               <field var="muc#roomconfig_membersonly">
+                                       <value>1</value>
+                               </field>
+                               <field var="muc#roomconfig_whois">
+                                       <value>anyone</value>
+                               </field>
+                       </x>
+               </query>
        </iq>
 
 Romeo receives:
-       <iq from='[email protected]' type='result' id='lx3'/>
+       <iq from="[email protected]" 
id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" type="result"/>
 
 Romeo receives:
-       <message from='[email protected]' type='groupchat'>
-       <x xmlns='http://jabber.org/protocol/muc#user'>
-       <status code='172'/>
-       </x>
+       <message from="[email protected]" type="groupchat">
+               <x xmlns="http://jabber.org/protocol/muc#user"; 
scansion:strict="false">
+                       <status code="104"/>
+                       <status code="172"/>
+               </x>
        </message>
 
-Juliet connects
+# Juliet is made a member
+Romeo sends:
+       <iq type="set" id="32d81574-e1dc-4221-b36d-4c44debb7c19" 
to="[email protected]">
+               <query xmlns="http://jabber.org/protocol/muc#admin";>
+                       <item affiliation="member" jid="${Juliet's JID}"/>
+               </query>
+       </iq>
 
+# Juliet can read affiliations
 Juliet sends:
-       <presence to='[email protected]/juliet'>
-       <x xmlns='http://jabber.org/protocol/muc'/>
-       </presence>
-
-Juliet receives:
-       <presence from='[email protected]/romeo'>
-       <x xmlns='http://jabber.org/protocol/muc#user'>
-       <item jid="${Romeo's JID}" role='moderator' affiliation='owner'/>
-       </x>
-       </presence>
-
-Juliet receives:
-       <presence from='[email protected]/juliet'>
-       <x xmlns='http://jabber.org/protocol/muc#user'>
-       <status code='100'/>
-       <item jid="${Juliet's JID}" role='participant' affiliation='none'/>
-       <status code='110'/>
-       </x>
-       </presence>
+       <iq type="get" id="32d81574-e1dc-4221-b36d-4c44debb7c19" 
to="[email protected]">
+               <query xmlns="http://jabber.org/protocol/muc#admin";>
+                       <item affiliation="owner"/>
+               </query>
+       </iq>
 
 Juliet receives:
-       <message from='[email protected]' type='groupchat'>
-       <subject/>
-       </message>
+       <iq from="[email protected]" 
id="32d81574-e1dc-4221-b36d-4c44debb7c19" type="result">
+               <query xmlns="http://jabber.org/protocol/muc#admin";>
+                       <item affiliation="owner" jid="${Romeo's JID}"/>
+               </query>
+       </iq>
 
 Juliet sends:
-       <iq id='lx2' type='get' to='[email protected]'>
-       <query xmlns='http://jabber.org/protocol/muc#admin'>
-       <item affiliation='member'/>
-       </query>
+       <iq type="get" id="05e3fe30-976f-4919-8221-ca1ac333eb9b" 
to="[email protected]">
+               <query xmlns="http://jabber.org/protocol/muc#admin";>
+                       <item affiliation="member"/>
+               </query>
        </iq>
 
 Juliet receives:
-       <iq from='[email protected]' type='result' id='lx2'>
-       <query xmlns='http://jabber.org/protocol/muc#admin'/>
+       <iq from="[email protected]" 
id="05e3fe30-976f-4919-8221-ca1ac333eb9b" type="result">
+               <query xmlns="http://jabber.org/protocol/muc#admin";>
+                       <item affiliation="member" jid="${Juliet's JID}"/>
+               </query>
        </iq>
 
+# Others can't read affiliations
+Random sends:
+       <iq type="get" id="df1195e1-7ec8-4102-8561-3e3a1d942adf" 
to="[email protected]">
+               <query xmlns="http://jabber.org/protocol/muc#admin";>
+                       <item affiliation="owner"/>
+               </query>
+       </iq>
+
+Random receives:
+       <iq from="[email protected]" 
id="df1195e1-7ec8-4102-8561-3e3a1d942adf" type="error"/>
+
+
 Juliet disconnects
 
 Romeo disconnects
 
+Random disconnects
+
+# recording ended on 2021-07-23T12:09:48Z
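Review bot: The header comment on the first line still says `open non-anonymous rooms`, but the recording now sets `muc#roomconfig_membersonly` to `1`, so the title no longer matches what is tested. Something like `# MUC: Allow members to fetch the affiliation lists in members-only non-anonymous rooms` would fit. The scenario also lacks the case the code change closes: a room with whois `anyone` that is not members-only, where the same `get` from a non-admin should now return `type="error"`. Romeo's `set` that makes Juliet a member has no matching `Romeo receives` block, so the recording does not appear to confirm that the affiliation change succeeded before Juliet's first query.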
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.9/util/ip.lua 
new/prosody-0.11.10/util/ip.lua
--- old/prosody-0.11.9/util/ip.lua      2021-05-12 17:22:02.000000000 +0200
+++ new/prosody-0.11.10/util/ip.lua     2021-08-03 11:53:04.326141067 +0200
@@ -100,7 +100,7 @@
 local function v4scope(ip)
        if match(ip, loopback4, 8) then
                return 0x2;
-       elseif match(ip, linklocal4) then
+       elseif match(ip, linklocal4, 16) then
                return 0x2;
        else -- Global unicast
                return 0xE;
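Review bot: The prefix length `16` on the `elseif` line is a bare literal, and nothing in this package diff adds a test for the link-local case, so the earlier form of the call (no bit count) could come back unnoticed. A short comment such as `-- 169.254.0.0/16, RFC 3927` would help, assuming `linklocal4` is that network; its definition is outside the hunk. A spec case asserting that an address inside the range other than the base address gets scope `0x2` would pin the fix. The body of `v4scope` continues past the hunk.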
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.9/util/pubsub.lua 
new/prosody-0.11.10/util/pubsub.lua
--- old/prosody-0.11.9/util/pubsub.lua  2021-05-12 17:22:02.000000000 +0200
+++ new/prosody-0.11.10/util/pubsub.lua 2021-08-03 11:53:04.326141067 +0200
@@ -555,6 +555,10 @@
                return nil, "invalid-item";
        end
        local node_data = self.data[node];
+       if not node_data then
+               -- FIXME how is this possible?  #1657
+               return nil, "internal-server-error";
+       end
        local ok = node_data:set(id, item);
        if not ok then
                return nil, "internal-server-error";
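Review bot: The new guard returns the same `"internal-server-error"` as the `not ok` path just below it and records nothing, so the condition the FIXME cannot explain stays invisible when it occurs. Logging the node name before returning would make #1657 diagnosable, e.g. `log("warn", "No data store for node %q", node);` if a logger is in scope in this file (not visible from the hunk). The enclosing function starts and ends outside the hunk.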
