* [Buildroot] [PATCH] package/prosody: security bump to version 0.11.9
@ 2021-05-14  9:43 Peter Korsgaard
From: Peter Korsgaard @ 2021-05-14  9:43 UTC (permalink / raw)
  To: buildroot

Fixes the following security issues:

- CVE-2021-32918: DoS via insufficient memory consumption controls

  It was discovered that default settings leave Prosody susceptible to
  remote unauthenticated denial-of-service (DoS) attacks via memory
  exhaustion when running under Lua 5.2 or Lua 5.3.  Lua 5.2 is the default
  and recommended Lua version for Prosody 0.11.x series.

- CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
  consumption

  It was discovered that Prosody does not disable SSL/TLS renegotiation,
  even though this is not used in XMPP.  A malicious client may flood a
  connection with renegotiation requests to consume excessive CPU resources
  on the server.

- CVE-2021-32921: Use of timing-dependent string comparison with sensitive
  values

  It was discovered that Prosody does not use a constant-time algorithm for
  comparing certain secret strings when running under Lua 5.2 or later.
  This can potentially be used in a timing attack to reveal the contents of
  secret strings to an attacker.

- CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
  configuration

  mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
  the transfer of files and other data between XMPP clients.

  It was discovered that the proxy65 component of Prosody allows open access
  by default, even if neither of the users have an XMPP account on the local
  server, allowing unrestricted use of the server's bandwidth.

- CVE-2021-32919: Undocumented dialback-without-dialback option insecure

  The undocumented option 'dialback_without_dialback' enabled an
  experimental feature for server-to-server authentication.  A flaw in this
  feature meant it did not correctly authenticate remote servers, allowing a
  remote server to impersonate another server when this option is enabled.

For more details, see the advisory:
https://prosody.im/security/advisory_20210512/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/prosody/prosody.hash | 8 ++++----
 package/prosody/prosody.mk   | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/prosody/prosody.hash b/package/prosody/prosody.hash
index 309ae0181f..50d5964712 100644
--- a/package/prosody/prosody.hash
+++ b/package/prosody/prosody.hash
@@ -1,8 +1,8 @@
 # Locally computed:
-md5  24cd3c1f7ab16a6b3726423d2fff802d  prosody-0.11.8.tar.gz
-sha1  f1f030c75abde6e3c7232fedbe8371f5cb913245  prosody-0.11.8.tar.gz
-sha256  830f183b98d5742d81e908d2d8e3258f1b538dad7411f06fda5b2cc5c75068f8  prosody-0.11.8.tar.gz
-sha512  b0b7e1d3e41f47f0f88ad5b76444e4959b20f4c7a937f3cc605ba6ed5d92e713a3054dcb61ee6629063883a8f9ff1a03952893de4a0d840dcec4e5e42079eb57  prosody-0.11.8.tar.gz
+md5  be7e1c66c06b0eb4bdce37b67bcc6b51  prosody-0.11.9.tar.gz
+sha1  632c2dd7794d344d4edbcea18fc1b5f623da5ca4  prosody-0.11.9.tar.gz
+sha256  ccc032aea49d858635fb93644db276de6812be83073a8d80e9b4508095deff09  prosody-0.11.9.tar.gz
+sha512  fabbbbb1acb3de4ff01e3e8c6e9e4dc37cb161259f1649683a1f9d925ed9f1709e052bfc831cba3f1861a9cca599f2b725ee739bfcb57164d6f50ac07011b52a  prosody-0.11.9.tar.gz
 
 # Hash for license file:
 sha256 bbbdc1c5426e5944cf869fc0faeaf19d88a220cd2b39ea98b7b8e86b0e88a2ef  COPYING
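Review bot: the `# Locally computed:` comment kept at the top of this hunk means the four new prosody-0.11.9.tar.gz hashes only pin whatever tarball the submitter downloaded; for a security bump the .hash file is the only thing that guarantees the build consumes the fixed release, so if upstream publishes a checksum or signature for 0.11.9 the commit message (or the comment itself) should say the values were checked against it rather than just computed locally.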
diff --git a/package/prosody/prosody.mk b/package/prosody/prosody.mk
index a4482ad3c5..92c812ebfa 100644
--- a/package/prosody/prosody.mk
+++ b/package/prosody/prosody.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PROSODY_VERSION = 0.11.8
+PROSODY_VERSION = 0.11.9
 PROSODY_SITE = https://prosody.im/downloads/source
 PROSODY_LICENSE = MIT
 PROSODY_LICENSE_FILES = COPYING
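Review bot: the hunk only moves PROSODY_VERSION from 0.11.8 to 0.11.9, which matches the hash update, but since the commit message describes CVE-2021-32917 and CVE-2021-32919 as default-configuration and option-related issues, it would help to state in the commit message whether 0.11.9 changes any defaults that a user-supplied Prosody configuration in a rootfs overlay might already override, so integrators know whether a configuration update is needed alongside the version bump.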
-- 
2.20.1
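As an added illustration of the bug class behind CVE-2021-32921 in the commit message above (this is standalone example code written for this thread, not code from the patch, from Prosody or from Buildroot, and it is in Python rather than Prosody's Lua so that it runs on its own): an early-exit comparison does an amount of work that depends on how long the matching prefix is, which is what a timing side channel leaks, while a constant-time comparison always visits every byte. The secret token value is a constructed demo value, and the `bytes_examined` counter is added purely to make the leak visible without timing measurements.

```python
"""Early-exit vs constant-time comparison of secret strings.

Example code added to illustrate CVE-2021-32921 as described in the
commit message; not Prosody's or Buildroot's code. SECRET is a
constructed demo value.
"""
import hmac
from typing import Tuple


def early_exit_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (equal, bytes_examined). The second value is the observable a
    timing attack exploits: the longer the correct prefix of `supplied`,
    the more iterations run, so response time reveals the secret one byte
    at a time. This is the behaviour the advisory warns about.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Comparison whose work does not depend on where the inputs differ.

    Every byte is visited and mismatches are OR-ed into an accumulator, so
    bytes_examined is always len(expected) whatever `supplied` contains.
    Length is still checked up front: for fixed-size tokens (MACs, session
    ids) the length is public, only the content must not leak.
    """
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for x, y in zip(expected, supplied):
        diff |= x ^ y
    return diff == 0, len(expected)


def verify_token(expected: bytes, supplied: bytes) -> bool:
    """What production code should call: the standard library's
    constant-time comparison, which also handles unequal lengths."""
    return hmac.compare_digest(expected, supplied)


SECRET = b"s3cr3t-session-token-0123"  # constructed demo value, 25 bytes


def leak_profile(secret: bytes, correct_prefix_len: int) -> Tuple[int, int]:
    """Compare a guess that matches `secret` on its first
    correct_prefix_len bytes and is wrong afterwards.

    Returns (early_exit_bytes_examined, constant_time_bytes_examined):
    the first grows with the correct prefix, the second never changes.
    """
    guess = secret[:correct_prefix_len] + b"\x00" * (len(secret) - correct_prefix_len)
    _, early = early_exit_compare(secret, guess)
    _, const = constant_time_compare(secret, guess)
    return early, const


if __name__ == "__main__":
    for n in (0, 7, 24):
        print(f"correct prefix {n:2d}: early-exit examined {leak_profile(SECRET, n)[0]:2d} "
              f"bytes, constant-time examined {leak_profile(SECRET, n)[1]:2d}")
    print("verify_token(correct) =", verify_token(SECRET, SECRET))
```

Run as a script it prints how the early-exit comparison's work grows with the length of the correct prefix while the constant-time one stays flat; in real code use `verify_token` (i.e. `hmac.compare_digest`) and never roll a comparison loop by hand.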


* [Buildroot] [PATCH] package/prosody: security bump to version 0.11.9
@ 2021-05-14 21:01 ` Peter Korsgaard
From: Peter Korsgaard @ 2021-05-14 21:01 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > - CVE-2021-32918: DoS via insufficient memory consumption controls

 >   It was discovered that default settings leave Prosody susceptible to
 >   remote unauthenticated denial-of-service (DoS) attacks via memory
 >   exhaustion when running under Lua 5.2 or Lua 5.3.  Lua 5.2 is the default
 >   and recommended Lua version for Prosody 0.11.x series.

 > - CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
 >   consumption

 >   It was discovered that Prosody does not disable SSL/TLS renegotiation,
 >   even though this is not used in XMPP.  A malicious client may flood a
 >   connection with renegotiation requests to consume excessive CPU resources
 >   on the server.

 > - CVE-2021-32921: Use of timing-dependent string comparison with sensitive
 >   values

 >   It was discovered that Prosody does not use a constant-time algorithm for
 >   comparing certain secret strings when running under Lua 5.2 or later.
 >   This can potentially be used in a timing attack to reveal the contents of
 >   secret strings to an attacker.

 > - CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
 >   configuration

 >   mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
 >   the transfer of files and other data between XMPP clients.

 >   It was discovered that the proxy65 component of Prosody allows open access
 >   by default, even if neither of the users have an XMPP account on the local
 >   server, allowing unrestricted use of the server's bandwidth.

 > - CVE-2021-32919: Undocumented dialback-without-dialback option insecure

 >   The undocumented option 'dialback_without_dialback' enabled an
 >   experimental feature for server-to-server authentication.  A flaw in this
 >   feature meant it did not correctly authenticate remote servers, allowing a
 >   remote server to impersonate another server when this option is enabled.

 > For more details, see the advisory:
 > https://prosody.im/security/advisory_20210512/

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH] package/prosody: security bump to version 0.11.9
@ 2021-05-17 19:25 ` Peter Korsgaard
From: Peter Korsgaard @ 2021-05-17 19:25 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > - CVE-2021-32918: DoS via insufficient memory consumption controls

 >   It was discovered that default settings leave Prosody susceptible to
 >   remote unauthenticated denial-of-service (DoS) attacks via memory
 >   exhaustion when running under Lua 5.2 or Lua 5.3.  Lua 5.2 is the default
 >   and recommended Lua version for Prosody 0.11.x series.

 > - CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
 >   consumption

 >   It was discovered that Prosody does not disable SSL/TLS renegotiation,
 >   even though this is not used in XMPP.  A malicious client may flood a
 >   connection with renegotiation requests to consume excessive CPU resources
 >   on the server.

 > - CVE-2021-32921: Use of timing-dependent string comparison with sensitive
 >   values

 >   It was discovered that Prosody does not use a constant-time algorithm for
 >   comparing certain secret strings when running under Lua 5.2 or later.
 >   This can potentially be used in a timing attack to reveal the contents of
 >   secret strings to an attacker.

 > - CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
 >   configuration

 >   mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
 >   the transfer of files and other data between XMPP clients.

 >   It was discovered that the proxy65 component of Prosody allows open access
 >   by default, even if neither of the users have an XMPP account on the local
 >   server, allowing unrestricted use of the server's bandwidth.

 > - CVE-2021-32919: Undocumented dialback-without-dialback option insecure

 >   The undocumented option 'dialback_without_dialback' enabled an
 >   experimental feature for server-to-server authentication.  A flaw in this
 >   feature meant it did not correctly authenticate remote servers, allowing a
 >   remote server to impersonate another server when this option is enabled.

 > For more details, see the advisory:
 > https://prosody.im/security/advisory_20210512/

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2021.02.x, thanks.

-- 
Bye, Peter Korsgaard
