CVE-2016-1231 and CVE-2016-1232

Bug #1532943 reported by Felix Geyer
Affects:      prosody (Ubuntu)
Status:       Fix Released
Importance:   Medium
Assigned to:  Seth Arnold
Milestone:    (none)

Bug Description

I'll add debdiffs based on the Debian security update:
https://lists.debian.org/debian-security-announce/2016/msg00007.html

CVE References: CVE-2016-1231, CVE-2016-1232

Revision history for this message
Felix Geyer (debfx) wrote :
Revision history for this message
Felix Geyer (debfx) wrote :

xenial (0.9.9-1) is already fixed.

Changed in prosody (Ubuntu):
assignee: nobody → Seth Arnold (seth-arnold)
status: New → In Progress
Mathew Hodson (mhodson)
Changed in prosody (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package prosody - 0.9.8-1ubuntu0.1

---------------
prosody (0.9.8-1ubuntu0.1) wily-security; urgency=medium

  * SECURITY UPDATE: path traversal vulnerability in mod_http_files
    - debian/patches/0008-CVE-2016-1231.patch
    - CVE-2016-1231
    - LP: #1532943
  * SECURITY UPDATE: use of weak PRNG in generation of dialback secrets
    - debian/patches/0009-CVE-2016-1232.patch
    - CVE-2016-1232
    - LP: #1532943

 -- Felix Geyer <email address hidden> Mon, 11 Jan 2016 20:55:43 +0100

Changed in prosody (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package prosody - 0.9.1-1ubuntu0.1

---------------
prosody (0.9.1-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: path traversal vulnerability in mod_http_files
    - debian/patches/CVE-2016-1231.patch
    - CVE-2016-1231
    - LP: #1532943
  * SECURITY UPDATE: use of weak PRNG in generation of dialback secrets
    - debian/patches/CVE-2016-1232.patch
    - CVE-2016-1232
    - LP: #1532943

 -- Felix Geyer <email address hidden> Mon, 11 Jan 2016 19:21:33 +0100

Changed in prosody (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks debfx! I made only slight changes to the changelog to include the CVE number in all four locations, and updated the debian/patches/ filename. Otherwise looked good.

This report contains Public Security information. Everyone can see this security related information.