FEDORA-2018-455803056d created by robert 3 years ago for Fedora 27
stable

Prosody 0.10.2

See upstream's blog post at https://blog.prosody.im/prosody-0-10-2-security-release/ for a full overview of the release changes.

Prosody 0.10.2 fixes a cross-host authentication vulnerability, CVE-2018-10847. The issue affects Prosody instances that have multiple virtual hosts (including anonymous authenticated hosts). All versions of Prosody before 0.9.14 and 0.10.2 are affected. A full security advisory is available at https://prosody.im/security/advisory_20180531

Security

  • mod_c2s: Do not allow the stream ‘to’ to change across stream restarts (fixes #1147)

Minor changes

  • mod_websocket: Store the request object on the session for use by other modules (fixes #1153)
  • mod_c2s: Avoid concatenating potential nil value (fixes #753)
  • core.certmanager: Allow all non-whitespace in service name (fixes #1019)
  • mod_disco: Skip code specific to disco on user accounts (avoids invoking usermanager, fixes #1150)
  • mod_bosh: Store the normalized hostname on session (fixes #1151)
  • MUC: Fix error logged when no persistent rooms present (fixes #1154)

Downstream

  • Changed log rotation from weekly/52 to local system defaults

How to install

sudo dnf upgrade --advisory=FEDORA-2018-455803056d

This update has been submitted for testing by robert.

3 years ago

robert edited this update.

3 years ago

This update has been pushed to testing.

3 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

3 years ago

This update has been submitted for batched by robert.

3 years ago

This update has been submitted for stable by robert.

3 years ago

This update has been pushed to stable.

3 years ago


Metadata

  • Type: security
  • Severity: medium
  • Karma: 0
  • Signed
  • Content Type: RPM
  • Test Gating

Settings

  • Unstable by Karma: -3
  • Stable by Karma: 1
  • Stable by Time: disabled

Dates

  • submitted: 3 years ago
  • in testing: 3 years ago
  • in stable: 3 years ago
  • modified: 3 years ago

BZ#1584801 CVE-2018-10847 prosody: cross-host authentication vulnerability