* [Buildroot] [PATCH] package/prosody: security bump to version 0.11.9
@ 2021-05-14 9:43 Peter Korsgaard
2021-05-14 21:01 ` Peter Korsgaard
2021-05-17 19:25 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-05-14 9:43 UTC (permalink / raw)
To: buildroot
Fixes the following security issues:
- CVE-2021-32918: DoS via insufficient memory consumption controls
It was discovered that default settings leave Prosody susceptible to
remote unauthenticated denial-of-service (DoS) attacks via memory
exhaustion when running under Lua 5.2 or Lua 5.3. Lua 5.2 is the default
and recommended Lua version for Prosody 0.11.x series.
- CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
consumption
It was discovered that Prosody does not disable SSL/TLS renegotiation,
even though this is not used in XMPP. A malicious client may flood a
connection with renegotiation requests to consume excessive CPU resources
on the server.
- CVE-2021-32921: Use of timing-dependent string comparison with sensitive
values
It was discovered that Prosody does not use a constant-time algorithm for
comparing certain secret strings when running under Lua 5.2 or later.
This can potentially be used in a timing attack to reveal the contents of
secret strings to an attacker.
- CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
configuration
mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
the transfer of files and other data between XMPP clients.
It was discovered that the proxy65 component of Prosody allows open access
by default, even if neither of the users have an XMPP account on the local
server, allowing unrestricted use of the server?s bandwidth.
- CVE-2021-32919: Undocumented dialback-without-dialback option insecure
The undocumented option ?dialback_without_dialback? enabled an
experimental feature for server-to-server authentication. A flaw in this
feature meant it did not correctly authenticate remote servers, allowing a
remote server to impersonate another server when this option is enabled.
For more details, see the advisory:
https://prosody.im/security/advisory_20210512/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/prosody/prosody.hash | 8 ++++----
package/prosody/prosody.mk | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/prosody/prosody.hash b/package/prosody/prosody.hash
index 309ae0181f..50d5964712 100644
--- a/package/prosody/prosody.hash
+++ b/package/prosody/prosody.hash
@@ -1,8 +1,8 @@
# Locally computed:
-md5 24cd3c1f7ab16a6b3726423d2fff802d prosody-0.11.8.tar.gz
-sha1 f1f030c75abde6e3c7232fedbe8371f5cb913245 prosody-0.11.8.tar.gz
-sha256 830f183b98d5742d81e908d2d8e3258f1b538dad7411f06fda5b2cc5c75068f8 prosody-0.11.8.tar.gz
-sha512 b0b7e1d3e41f47f0f88ad5b76444e4959b20f4c7a937f3cc605ba6ed5d92e713a3054dcb61ee6629063883a8f9ff1a03952893de4a0d840dcec4e5e42079eb57 prosody-0.11.8.tar.gz
+md5 be7e1c66c06b0eb4bdce37b67bcc6b51 prosody-0.11.9.tar.gz
+sha1 632c2dd7794d344d4edbcea18fc1b5f623da5ca4 prosody-0.11.9.tar.gz
+sha256 ccc032aea49d858635fb93644db276de6812be83073a8d80e9b4508095deff09 prosody-0.11.9.tar.gz
+sha512 fabbbbb1acb3de4ff01e3e8c6e9e4dc37cb161259f1649683a1f9d925ed9f1709e052bfc831cba3f1861a9cca599f2b725ee739bfcb57164d6f50ac07011b52a prosody-0.11.9.tar.gz
# Hash for license file:
sha256 bbbdc1c5426e5944cf869fc0faeaf19d88a220cd2b39ea98b7b8e86b0e88a2ef COPYING
diff --git a/package/prosody/prosody.mk b/package/prosody/prosody.mk
index a4482ad3c5..92c812ebfa 100644
--- a/package/prosody/prosody.mk
+++ b/package/prosody/prosody.mk
@@ -4,7 +4,7 @@
#
################################################################################
-PROSODY_VERSION = 0.11.8
+PROSODY_VERSION = 0.11.9
PROSODY_SITE = https://prosody.im/downloads/source
PROSODY_LICENSE = MIT
PROSODY_LICENSE_FILES = COPYING
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/prosody: security bump to version 0.11.9
2021-05-14 9:43 [Buildroot] [PATCH] package/prosody: security bump to version 0.11.9 Peter Korsgaard
@ 2021-05-14 21:01 ` Peter Korsgaard
2021-05-17 19:25 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-05-14 21:01 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> - CVE-2021-32918: DoS via insufficient memory consumption controls
> It was discovered that default settings leave Prosody susceptible to
> remote unauthenticated denial-of-service (DoS) attacks via memory
> exhaustion when running under Lua 5.2 or Lua 5.3. Lua 5.2 is the default
> and recommended Lua version for Prosody 0.11.x series.
> - CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
> consumption
> It was discovered that Prosody does not disable SSL/TLS renegotiation,
> even though this is not used in XMPP. A malicious client may flood a
> connection with renegotiation requests to consume excessive CPU resources
> on the server.
> - CVE-2021-32921: Use of timing-dependent string comparison with sensitive
> values
> It was discovered that Prosody does not use a constant-time algorithm for
> comparing certain secret strings when running under Lua 5.2 or later.
> This can potentially be used in a timing attack to reveal the contents of
> secret strings to an attacker.
> - CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
> configuration
> mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
> the transfer of files and other data between XMPP clients.
> It was discovered that the proxy65 component of Prosody allows open access
> by default, even if neither of the users have an XMPP account on the local
> server, allowing unrestricted use of the server?s bandwidth.
> - CVE-2021-32919: Undocumented dialback-without-dialback option insecure
> The undocumented option ?dialback_without_dialback? enabled an
> experimental feature for server-to-server authentication. A flaw in this
> feature meant it did not correctly authenticate remote servers, allowing a
> remote server to impersonate another server when this option is enabled.
> For more details, see the advisory:
> https://prosody.im/security/advisory_20210512/
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/prosody: security bump to version 0.11.9
2021-05-14 9:43 [Buildroot] [PATCH] package/prosody: security bump to version 0.11.9 Peter Korsgaard
2021-05-14 21:01 ` Peter Korsgaard
@ 2021-05-17 19:25 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-05-17 19:25 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> - CVE-2021-32918: DoS via insufficient memory consumption controls
> It was discovered that default settings leave Prosody susceptible to
> remote unauthenticated denial-of-service (DoS) attacks via memory
> exhaustion when running under Lua 5.2 or Lua 5.3. Lua 5.2 is the default
> and recommended Lua version for Prosody 0.11.x series.
> - CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
> consumption
> It was discovered that Prosody does not disable SSL/TLS renegotiation,
> even though this is not used in XMPP. A malicious client may flood a
> connection with renegotiation requests to consume excessive CPU resources
> on the server.
> - CVE-2021-32921: Use of timing-dependent string comparison with sensitive
> values
> It was discovered that Prosody does not use a constant-time algorithm for
> comparing certain secret strings when running under Lua 5.2 or later.
> This can potentially be used in a timing attack to reveal the contents of
> secret strings to an attacker.
> - CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
> configuration
> mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
> the transfer of files and other data between XMPP clients.
> It was discovered that the proxy65 component of Prosody allows open access
> by default, even if neither of the users have an XMPP account on the local
> server, allowing unrestricted use of the server?s bandwidth.
> - CVE-2021-32919: Undocumented dialback-without-dialback option insecure
> The undocumented option ?dialback_without_dialback? enabled an
> experimental feature for server-to-server authentication. A flaw in this
> feature meant it did not correctly authenticate remote servers, allowing a
> remote server to impersonate another server when this option is enabled.
> For more details, see the advisory:
> https://prosody.im/security/advisory_20210512/
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2021.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-05-17 19:25 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-14 9:43 [Buildroot] [PATCH] package/prosody: security bump to version 0.11.9 Peter Korsgaard
2021-05-14 21:01 ` Peter Korsgaard
2021-05-17 19:25 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.