[Buildroot] [PATCH] package/prosody: security bump to version 0.11.9

Peter Korsgaard peter at korsgaard.com
Fri May 14 21:01:25 UTC 2021


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > - CVE-2021-32918: DoS via insufficient memory consumption controls

 >   It was discovered that default settings leave Prosody susceptible to
 >   remote unauthenticated denial-of-service (DoS) attacks via memory
 >   exhaustion when running under Lua 5.2 or Lua 5.3.  Lua 5.2 is the default
 >   and recommended Lua version for the Prosody 0.11.x series.

 > - CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
 >   consumption

 >   It was discovered that Prosody does not disable SSL/TLS renegotiation,
 >   even though this is not used in XMPP.  A malicious client may flood a
 >   connection with renegotiation requests to consume excessive CPU resources
 >   on the server.

 > - CVE-2021-32921: Use of timing-dependent string comparison with sensitive
 >   values

 >   It was discovered that Prosody does not use a constant-time algorithm for
 >   comparing certain secret strings when running under Lua 5.2 or later.
 >   This can potentially be used in a timing attack to reveal the contents of
 >   secret strings to an attacker.

 > - CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
 >   configuration

 >   mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
 >   the transfer of files and other data between XMPP clients.

 >   It was discovered that the proxy65 component of Prosody allows open access
 >   by default, even if neither of the users has an XMPP account on the local
 >   server, allowing unrestricted use of the server’s bandwidth.

 > - CVE-2021-32919: Undocumented dialback-without-dialback option insecure

 >   The undocumented option ‘dialback_without_dialback’ enabled an
 >   experimental feature for server-to-server authentication.  A flaw in this
 >   feature meant it did not correctly authenticate remote servers, allowing a
 >   remote server to impersonate another server when this option is enabled.

 > For more details, see the advisory:
 > https://prosody.im/security/advisory_20210512/

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
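The CVE-2021-32921 item in the quoted commit message is the general early-exit comparison problem: a compare that stops at the first differing byte lets an attacker recover a secret one byte at a time by measuring response time. The following is an added example (Python, not Prosody code and not part of the Buildroot patch) that models the leak with a "bytes examined" counter standing in for measured time, runs a prefix-recovery attack against a leaky compare and a constant-time compare, and shows the standard-library call to use instead. The secret value, the counter and all function names are constructed for this example.

```python
"""Early-exit vs constant-time secret comparison (added example, not Prosody code).

`leaky_equals` mimics a memcmp/strcmp-style comparison that stops at the first
mismatching byte; the number of bytes it examines stands in for the response
time an attacker would measure over the network.
"""
import hmac


def leaky_equals(secret: bytes, guess: bytes):
    """Return (equal, bytes_examined). Stops at the first mismatch, so the work
    done depends on how long the correct prefix of `guess` is."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_equals(secret: bytes, guess: bytes):
    """Return (equal, bytes_examined). XOR-accumulates every byte, so the work
    done is identical for every wrong guess of the right length."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for s, g in zip(secret, guess):
        diff |= s ^ g
    return diff == 0, len(secret)


def stdlib_equals(secret: bytes, guess: bytes) -> bool:
    """What production code should call: the standard library's constant-time
    comparison. It exposes no work counter, only the boolean result."""
    return hmac.compare_digest(secret, guess)


def recover_secret(secret: bytes, compare):
    """Attacker model: knows the secret's length, may submit any guess, and
    observes only the (equal, bytes_examined) pair. Extends the guess one byte
    at a time, keeping the candidate whose observed work is strictly larger
    than every other candidate at that position.
    Returns the recovered secret, or None if the oracle gave no usable signal."""
    guess = bytearray(len(secret))
    for pos in range(len(secret)):
        best, best_work, tie = None, -1, False
        for c in range(256):
            guess[pos] = c
            equal, work = compare(secret, bytes(guess))
            if equal:
                return bytes(guess)       # last byte: success itself is the signal
            if work > best_work:
                best, best_work, tie = c, work, False
            elif work == best_work:
                tie = True
        if tie:
            return None                   # every candidate cost the same: no leak
        guess[pos] = best
    return None


if __name__ == "__main__":
    SECRET = b"s3cr"   # constructed sample; its length is known to the attacker
    print("leaky compare   :", recover_secret(SECRET, leaky_equals))
    print("constant-time   :", recover_secret(SECRET, constant_time_equals))
```

Against `leaky_equals` the attacker needs at most 256 guesses per byte instead of 256 to the power of the length; against `constant_time_equals` every candidate at the first position costs the same and the attack has nothing to go on. The defence is the same in any language, Lua included: compare secrets with a routine whose running time does not depend on where the first differing byte is, never with the plain equality operator.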