prosody: CVE-2018-10847: insufficient stream header validation

Related Vulnerabilities: CVE-2018-10847  

Debian Bug report logs - #900524
prosody: CVE-2018-10847: insufficient stream header validation


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 31 May 2018 19:54:03 UTC

Severity: grave

Tags: security, upstream

Found in versions prosody/0.10.1-1, prosody/0.9.7-2

Fixed in versions prosody/0.10.2-1, prosody/0.9.12-2+deb9u2, prosody/0.9.7-2+deb8u4

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.prosody.im/1147



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Matthew James Wild <mwild1@gmail.com>:
Bug#900524; Package src:prosody. (Thu, 31 May 2018 19:54:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Matthew James Wild <mwild1@gmail.com>. (Thu, 31 May 2018 19:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: prosody: CVE-2018-10847: insufficient stream header validation
Date: Thu, 31 May 2018 21:51:19 +0200
Source: prosody
Version: 0.9.7-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 0.10.1-1
Control: forwarded -1 https://issues.prosody.im/1147


Hi,

The following vulnerability was published for prosody.

CVE-2018-10847[0]:
insufficient stream header validation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10847
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10847
[1] https://issues.prosody.im/1147
[2] https://blog.prosody.im/prosody-0-10-2-security-release/

Regards,
Salvatore



Marked as found in versions prosody/0.10.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 31 May 2018 19:54:06 GMT)


Set Bug forwarded-to-address to 'https://issues.prosody.im/1147'. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 31 May 2018 19:54:07 GMT)


Reply sent to debacle@debian.org (W. Martin Borgert):
You have taken responsibility. (Thu, 31 May 2018 21:36:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 31 May 2018 21:36:15 GMT)


Message #14 received at 900524-close@bugs.debian.org:

From: debacle@debian.org (W. Martin Borgert)
To: 900524-close@bugs.debian.org
Subject: Bug#900524: fixed in prosody 0.10.2-1
Date: Thu, 31 May 2018 21:34:40 +0000
Source: prosody
Source-Version: 0.10.2-1

We believe that the bug you reported is fixed in the latest version of
prosody, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900524@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
W. Martin Borgert <debacle@debian.org> (supplier of updated prosody package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 31 May 2018 20:57:00 +0000
Source: prosody
Binary: prosody
Architecture: source amd64
Version: 0.10.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>
Changed-By: W. Martin Borgert <debacle@debian.org>
Description:
 prosody    - Lightweight Jabber/XMPP server
Closes: 899352 899357 899359 900524
Changes:
 prosody (0.10.2-1) unstable; urgency=medium
 .
   * Team upload.
   * Set Debian XMPP team as maintainer.
   * Reverting fix for #851669, because it introduced other bugs
     (closes: #899352, #899357, #899359).
   * New upstream release (Closes: #900524), which fixes
     CVE-2018-10847: insufficient stream header validation.




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 03 Jun 2018 11:03:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 03 Jun 2018 11:03:12 GMT)


Message #19 received at 900524-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 900524-close@bugs.debian.org
Subject: Bug#900524: fixed in prosody 0.9.12-2+deb9u2
Date: Sun, 03 Jun 2018 11:02:16 +0000
Source: prosody
Source-Version: 0.9.12-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
prosody, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900524@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated prosody package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 31 May 2018 22:08:52 +0200
Source: prosody
Binary: prosody
Architecture: source
Version: 0.9.12-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Matthew James Wild <mwild1@gmail.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 900524
Description: 
 prosody    - Lightweight Jabber/XMPP server
Changes:
 prosody (0.9.12-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * mod_c2s: Do not allow the stream 'to' to change across stream restarts
     (CVE-2018-10847) (Closes: #900524)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 03 Jun 2018 11:36:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 03 Jun 2018 11:36:09 GMT)


Message #24 received at 900524-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 900524-close@bugs.debian.org
Subject: Bug#900524: fixed in prosody 0.9.7-2+deb8u4
Date: Sun, 03 Jun 2018 11:32:40 +0000
Source: prosody
Source-Version: 0.9.7-2+deb8u4

We believe that the bug you reported is fixed in the latest version of
prosody, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900524@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated prosody package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 31 May 2018 22:31:54 +0200
Source: prosody
Binary: prosody
Architecture: source
Version: 0.9.7-2+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Matthew James Wild <mwild1@gmail.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 900524
Description: 
 prosody    - Lightweight Jabber/XMPP server
Changes:
 prosody (0.9.7-2+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * mod_c2s: Do not allow the stream 'to' to change across stream restarts
     (CVE-2018-10847) (Closes: #900524)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 09 Aug 2018 07:26:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:09:05 2019; Machine Name: buxtehude
