Your message dated Sun, 03 Jun 2018 11:32:40 +0000
with message-id <e1fprfy-000byc...@fasolo.debian.org>
and subject line Bug#900524: fixed in prosody 0.9.7-2+deb8u4
has caused the Debian Bug report #900524,
regarding prosody: CVE-2018-10847: insufficient stream header validation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
900524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: prosody
Version: 0.9.7-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 0.10.1-1
Control: forwarded -1 https://issues.prosody.im/1147
Hi,
The following vulnerability was published for prosody.
CVE-2018-10847[0]:
insufficient stream header validation
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10847
[1] https://issues.prosody.im/1147
[2] https://blog.prosody.im/prosody-0-10-2-security-release/
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: prosody
Source-Version: 0.9.7-2+deb8u4
We believe that the bug you reported is fixed in the latest version of
prosody, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated prosody package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 31 May 2018 22:31:54 +0200
Source: prosody
Binary: prosody
Architecture: source
Version: 0.9.7-2+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Matthew James Wild <mwi...@gmail.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 900524
Description:
prosody - Lightweight Jabber/XMPP server
Changes:
prosody (0.9.7-2+deb8u4) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* mod_c2s: Do not allow the stream 'to' to change across stream restarts
(CVE-2018-10847) (Closes: #900524)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---