Date: Sat, 19 Apr 2025 09:09:58 GMT
Message-Id: <202504190909.53J99w8U072036@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Ashish SHUKLA
Subject: git: bc550c727973 - main - security/vuxml: Document ejabberd vulnerability
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ashish
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: bc550c72797395b13e04c381ed2f6bdd9fb4442d
Auto-Submitted: auto-generated

The branch main has been updated by ashish:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bc550c72797395b13e04c381ed2f6bdd9fb4442d

commit bc550c72797395b13e04c381ed2f6bdd9fb4442d
Author:     Ashish SHUKLA
AuthorDate: 2025-04-19 09:07:57 +0000
Commit:     Ashish SHUKLA
CommitDate: 2025-04-19 09:08:51 +0000

    security/vuxml: Document ejabberd vulnerability
---
 security/vuxml/vuln/2025.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index 404b7d9a4afc..90b4b50e1a05 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,34 @@ + + ejabberd -- mod_muc_occupantid: Fix handling multiple occupant-id + + + ejabberd + 25.04 + + + + +

ejabberd team reports:

+
+

Fixed issue with handling of user provided occupant-id in + messages and presences sent to muc room. Server was + replacing just first instance of occupant-id with its own + version, leaving other ones untouched. That would mean that + depending on order in which clients send occupant-id, they + could see value provided by sender, and that could be used + to spoof as different sender.

+
+ +
+ + https://www.process-one.net/blog/ejabberd-25-04/#occupantid + + + 2025-04-16 + 2025-04-19 + +
+ chromium -- multiple security fixes
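
Review bot: The topic of the new entry, "ejabberd -- mod_muc_occupantid: Fix handling multiple occupant-id", reads as the upstream changelog title for the fix rather than a description of the vulnerability. The quoted description says the server replaced only the first occupant-id in messages and presences sent to a MUC room, leaving later ones untouched, so a sender-supplied value could be shown to clients and used to spoof a different sender. A topic along the lines of "ejabberd -- mod_muc_occupantid: sender spoofing via multiple occupant-id elements" would state the impact directly. The only reference visible in the entry is the process-one.net blog URL; if a CVE identifier has been assigned for this issue, add it next to that URL.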