[Buildroot] [PATCH] package/prosody: security bump to version 0.11.9
Peter Korsgaard
peter at korsgaard.com
Fri May 14 21:01:25 UTC 2021
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> - CVE-2021-32918: DoS via insufficient memory consumption controls
> It was discovered that default settings leave Prosody susceptible to
> remote unauthenticated denial-of-service (DoS) attacks via memory
> exhaustion when running under Lua 5.2 or Lua 5.3. Lua 5.2 is the default
> and recommended Lua version for Prosody 0.11.x series.
> - CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
> consumption
> It was discovered that Prosody does not disable SSL/TLS renegotiation,
> even though this is not used in XMPP. A malicious client may flood a
> connection with renegotiation requests to consume excessive CPU resources
> on the server.
> - CVE-2021-32921: Use of timing-dependent string comparison with sensitive
> values
> It was discovered that Prosody does not use a constant-time algorithm for
> comparing certain secret strings when running under Lua 5.2 or later.
> This can potentially be used in a timing attack to reveal the contents of
> secret strings to an attacker.
> - CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
> configuration
> mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
> the transfer of files and other data between XMPP clients.
> It was discovered that the proxy65 component of Prosody allows open access
> by default, even if neither of the users have an XMPP account on the local
> server, allowing unrestricted use of the server’s bandwidth.
> - CVE-2021-32919: Undocumented dialback-without-dialback option insecure
> The undocumented option ‘dialback_without_dialback’ enabled an
> experimental feature for server-to-server authentication. A flaw in this
> feature meant it did not correctly authenticate remote servers, allowing a
> remote server to impersonate another server when this option is enabled.
> For more details, see the advisory:
> https://prosody.im/security/advisory_20210512/
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
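The CVE-2021-32921 item above is the one worth seeing in code. The following is an added illustration, not Prosody code and not part of this patch: it shows why an early-exit comparison of a secret string leaks, and what a fixed-work comparison looks like. Lua 5.2 and later compare long strings byte by byte and stop at the first mismatch, which is the behaviour the advisory refers to. Instead of measuring latency, each comparison here reports how many bytes it inspected; that count stands in for the response time an attacker would measure over the network. The secret token is constructed for the demonstration.

```python
"""Added example (not Prosody code): early-exit vs. fixed-work comparison of a
secret, with a byte-by-byte recovery attack driven by a comparison oracle.

Each comparison returns (equal, bytes_inspected).  bytes_inspected is a
stand-in for the latency an attacker would time remotely.
"""
import hmac

# Constructed secret for the demonstration; any fixed-length token will do.
SECRET = b"s3cr3t-tok3n"


def naive_equals(secret: bytes, guess: bytes):
    """Early-exit comparison (what a plain string == does in Lua 5.2+).

    bytes_inspected grows with the length of the matching prefix, so anything
    built on this leaks the secret one byte at a time.
    """
    if len(secret) != len(guess):
        return False, 0
    inspected = 0
    for s, g in zip(secret, guess):
        inspected += 1
        if s != g:
            return False, inspected
    return True, inspected


def constant_time_equals(secret: bytes, guess: bytes):
    """Fixed-work comparison.

    Every byte of the guess is inspected and mismatches are OR-ed into an
    accumulator, so neither the loop count nor the branches depend on where
    the first difference is.  Lengths are treated as public (tokens have a
    fixed, known size).
    """
    diff = len(secret) ^ len(guess)
    for i, g in enumerate(guess):
        s = secret[i] if i < len(secret) else 0
        diff |= s ^ g
    return diff == 0, len(guess)


def verify_token(secret: bytes, guess: bytes) -> bool:
    """What production code should call: the standard library's
    constant-time comparison."""
    return hmac.compare_digest(secret, guess)


def recover_via_oracle(oracle, length):
    """Recover a secret byte by byte from a comparison oracle.

    oracle(guess) -> (equal, bytes_inspected).  At each position the byte
    that makes the comparison inspect the most bytes is the correct one,
    because the comparison only advances past a byte that matched.  Against
    a fixed-work oracle every guess scores the same and the attack learns
    nothing (it returns all zero bytes).
    """
    known = bytearray()
    for pos in range(length):
        best_byte, best_score = 0, -1
        for c in range(256):
            candidate = bytes(known) + bytes([c]) + bytes(length - pos - 1)
            equal, inspected = oracle(candidate)
            if equal:
                return candidate
            if inspected > best_score:
                best_byte, best_score = c, inspected
        known.append(best_byte)
    return bytes(known)


if __name__ == "__main__":
    leaky = lambda g: naive_equals(SECRET, g)
    fixed = lambda g: constant_time_equals(SECRET, g)
    print("early-exit oracle recovers:", recover_via_oracle(leaky, len(SECRET)))
    print("fixed-work oracle recovers:", recover_via_oracle(fixed, len(SECRET)))
```

With the early-exit oracle the attack needs at most 256 guesses per byte and recovers the whole token; with the fixed-work oracle every guess scores identically and the attacker gets nothing. In real code, use the library routine (here `hmac.compare_digest`; in Prosody 0.11.9 the fix is a dedicated constant-time helper rather than `==`) and never roll the loop by hand in a language whose compiler may optimise it back into an early exit.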