Version in base suite: 0.0~hg20190203.b54e98d5c4a1+dfsg-1
Base version: prosody-modules_0.0~hg20190203.b54e98d5c4a1+dfsg-1
Target version: prosody-modules_0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/prosody-modules/prosody-modules_0.0~hg20190203.b54e98d5c4a1+dfsg-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/prosody-modules/prosody-modules_0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1.dsc
changelog | 6 ++++
patches/0003-ldap-improve-checks.patch | 48 +++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 55 insertions(+)
diff -Nru prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/changelog prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/changelog
--- prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/changelog 2019-02-06 10:02:53.000000000 +0000
+++ prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/changelog 2020-01-28 10:34:19.000000000 +0000
@@ -1,3 +1,9 @@
+prosody-modules (0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1) buster-security; urgency=high
+
+ * fix for CVE-2020-8086
+
+ -- Victor Seva Tue, 28 Jan 2020 11:34:19 +0100
+
 prosody-modules (0.0~hg20190203.b54e98d5c4a1+dfsg-1) unstable; urgency=medium
 
 * new upstream snapshot
diff -Nru prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/patches/0003-ldap-improve-checks.patch prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/patches/0003-ldap-improve-checks.patch
--- prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/patches/0003-ldap-improve-checks.patch 1970-01-01 00:00:00.000000000 +0000
+++ prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/patches/0003-ldap-improve-checks.patch 2020-01-28 10:34:19.000000000 +0000
@@ -0,0 +1,48 @@
+From: Victor Seva
+Date: Tue, 28 Jan 2020 10:45:37 +0100
+Subject: ldap improve checks
+
+---
+ mod_auth_ldap/mod_auth_ldap.lua | 5 ++++-
+ mod_auth_ldap2/mod_auth_ldap2.lua | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/mod_auth_ldap/mod_auth_ldap.lua b/mod_auth_ldap/mod_auth_ldap.lua
+index 1fe03f4..84ead1e 100644
+--- a/mod_auth_ldap/mod_auth_ldap.lua
++++ b/mod_auth_ldap/mod_auth_ldap.lua
+@@ -131,7 +131,10 @@ end
+ 
+ if ldap_admins then
+ function provider.is_admin(jid)
+- local username = jid_split(jid);
++ local username, user_host = jid_split(jid);
++ if user_host ~= module.host then
++ return false;
++ end
+ return ldap_do("search", 2, {
+ base = ldap_base;
+ scope = ldap_scope;
+diff --git a/mod_auth_ldap2/mod_auth_ldap2.lua b/mod_auth_ldap2/mod_auth_ldap2.lua
+index c79849e..01b6300 100644
+--- a/mod_auth_ldap2/mod_auth_ldap2.lua
++++ b/mod_auth_ldap2/mod_auth_ldap2.lua
+@@ -59,6 +59,10 @@ function provider.get_sasl_handler()
+ end
+ 
+ function provider.is_admin(jid)
++ local username, userhost = jsplit(jid);
++ if userhost ~= module.host then
++ return false;
++ end
+ local admin_config = ldap.getparams().admin;
+ 
+ if not admin_config then
+@@ -66,7 +70,6 @@ function provider.is_admin(jid)
+ end
+ 
+ local ld = ldap:getconnection();
+- local username = jsplit(jid);
+ local filter = ldap.filter.combine_and(admin_config.filter, admin_config.namefield .. '=' .. username);
+ 
+ return ldap.singlematch {
diff -Nru prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/patches/series prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/patches/series
--- prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/patches/series 2019-02-05 23:03:06.000000000 +0000
+++ prosody-modules-0.0~hg20190203.b54e98d5c4a1+dfsg/debian/patches/series 2020-01-28 10:34:19.000000000 +0000
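Review bot: The new host guard in both `is_admin` functions still lets `username` through as nil when the JID is a bare host equal to `module.host`, because `jid_split` (and presumably `jsplit`, if it is the same util.jid split) returns no node for such a JID; in mod_auth_ldap2 the later `admin_config.namefield .. '=' .. username` then raises a concatenation error instead of returning false. Extending the guard to `if userhost ~= module.host or not username then return false; end` (and the same with `user_host` in mod_auth_ldap) makes that path fail closed. Separately, `username` is still concatenated unescaped into the LDAP filter on the `combine_and` line, so it should be escaped per LDAP filter rules before the concatenation; mod_auth_ldap's own filter construction is outside this hunk, so I cannot tell whether it has the same shape. Both `is_admin` bodies continue past the end of their hunks.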
@@ -1,2 +1,3 @@
 0001-HA1b-simple-adaptation-to-meet-the-Debian-needs.patch
 0002-mod_muc_log_http-remove-link-to-external-resource.patch
+0003-ldap-improve-checks.patch