Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package prosody

  * fix for https://prosody.im/security/advisory_20210722/
(change by Victor Seva)

Maintainer and security team are in Cc.
diff -Nru prosody-0.11.9/debian/changelog prosody-0.11.9/debian/changelog
--- prosody-0.11.9/debian/changelog     2021-05-14 10:17:12.000000000 +0300
+++ prosody-0.11.9/debian/changelog     2021-07-23 15:15:58.000000000 +0300
@@ -1,3 +1,9 @@
+prosody (0.11.9-2) unstable; urgency=high
+
+  * fix for https://prosody.im/security/advisory_20210722/
+
+ -- Victor Seva <vs...@debian.org>  Fri, 23 Jul 2021 14:15:58 +0200
+
 prosody (0.11.9-1) unstable; urgency=high
 
   * New upstream version 0.11.9 addressing several security issues
diff -Nru prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch 
prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch
--- prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch        
1970-01-01 02:00:00.000000000 +0200
+++ prosody-0.11.9/debian/patches/0006-muc-fix-for-CWE-284.patch        
2021-07-23 15:15:58.000000000 +0300
@@ -0,0 +1,22 @@
+From: Victor Seva <linuxman...@torreviejawireless.org>
+Date: Fri, 23 Jul 2021 14:14:08 +0200
+Subject: muc: fix for CWE-284
+
+https://prosody.im/security/advisory_20210722/
+---
+ plugins/muc/muc.lib.lua | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua
+index 037baa3..f037c4f 100644
+--- a/plugins/muc/muc.lib.lua
++++ b/plugins/muc/muc.lib.lua
+@@ -976,7 +976,7 @@ function room_mt:handle_admin_query_get_command(origin, 
stanza)
+               -- e.g. an admin can't ask for a list of owners
+               local affiliation_rank = valid_affiliations[affiliation or 
"none"];
+               if (affiliation_rank >= valid_affiliations.admin and 
affiliation_rank >= _aff_rank)
+-              or (self:get_whois() == "anyone") then
++              or (self:get_members_only() and self:get_whois() == "anyone" 
and affiliation_rank >= valid_affiliations.member) then
+                       local reply = 
st.reply(stanza):query("http://jabber.org/protocol/muc#admin";);
+                       for jid in self:each_affiliation(_aff or "none") do
+                               local nick = self:get_registered_nick(jid);
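Review bot: The new second branch of the condition in `handle_admin_query_get_command` never compares against `_aff_rank`, so in a members-only room with whois set to "anyone" a plain member passes the check for whichever affiliation list was requested, not only lists at or below their own rank. The existing comment above it ("an admin can't ask for a list of owners") describes only the first branch, so the reader cannot tell whether that breadth is intended. If it is, say so next to the condition, for example `-- members of a members-only, non-anonymous room may read affiliation lists`. If only lists up to the requester's own rank should be readable, the branch would also need `and affiliation_rank >= _aff_rank`. The function body starts and ends outside this hunk, so how `_aff` and `_aff_rank` are derived is not visible here; a regression test showing that a non-member in an open room with whois "anyone" is refused would pin the behaviour the advisory is about.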
diff -Nru prosody-0.11.9/debian/patches/series 
prosody-0.11.9/debian/patches/series
--- prosody-0.11.9/debian/patches/series        2021-05-14 10:17:12.000000000 
+0300
+++ prosody-0.11.9/debian/patches/series        2021-07-23 15:15:58.000000000 
+0300
@@ -3,3 +3,4 @@
 0003-buildflags.patch
 0004-fix-package.path-of-ejabberd2prosody.patch
 0005-use-lua52.patch
+0006-muc-fix-for-CWE-284.patch
