FEDORA-EPEL-2021-86c73cc3af created by robert 7 months ago for Fedora EPEL 8
Status: stable

Prosody 0.11.9

This release addresses a number of important security issues that affect most deployments of Prosody. Full details are available in a separate security advisory. Upstream recommends that all deployments upgrade or apply the mitigations described in the advisory: https://prosody.im/security/advisory_20210512/

Note: Upstream updated the default config file. Because /etc/prosody/prosody.cfg.lua is a site-local configuration file, DNF/RPM leaves your existing copy untouched and writes the new default to /etc/prosody/prosody.cfg.lua.rpmnew instead, so the new defaults (in particular the mod_limits entries) are not active until you merge them. Make sure you update your existing /etc/prosody/prosody.cfg.lua to enable mod_limits after the upgrade.

Security

  • mod_limits, prosody.cfg.lua: Enable rate limits by default
  • certmanager: Disable renegotiation by default
  • mod_proxy65: Restrict access to local c2s connections by default
  • util.startup: Set more aggressive defaults for GC
  • mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits
  • mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
  • mod_dialback: Remove dialback-without-dialback feature
  • mod_dialback: Use constant-time comparison with hmac
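
As an added example (not the default configuration shipped in this RPM and not code from the Prosody project), the following prosody.cfg.lua fragment applies the mitigations listed above to an existing configuration. The option names (modules_enabled, limits, c2s_stanza_size_limit, s2s_stanza_size_limit, ssl.options, proxy65_acl) are Prosody's; the rates, sizes, the example.com domain and the commented dialback_without_dialback line are illustrative assumptions. Take the exact values upstream recommends from the advisory itself.

```lua
-- prosody.cfg.lua fragment applying the 0.11.9 advisory mitigations.
-- Added example, not the config shipped by this package. Rates, sizes,
-- domain and the dialback option name below are assumptions.

modules_enabled = {
    "roster"; "saslauth"; "tls"; "dialback"; "disco"; "pep"; "ping";
    "version"; "uptime"; "time";
    -- CVE-2021-32918: before 0.11.9 "limits" was not in the default module
    -- list, so nothing throttled a client or peer that streamed stanzas as
    -- fast as the socket allowed. Loading it activates the limits table.
    "limits";
    -- mod_proxy65 is loaded here only so the ACL below has something to
    -- restrict; drop both if you do not offer a file-transfer proxy.
    "proxy65";
}

-- Per-session bandwidth caps consumed by mod_limits (assumed values).
limits = {
    c2s   = { rate = "10kb/s" };
    s2sin = { rate = "30kb/s" };
}

-- CVE-2021-32918: bound the size of a single parsed stanza so one peer
-- cannot make the server buffer an unbounded XML element (assumed sizes).
c2s_stanza_size_limit = 1024 * 256
s2s_stanza_size_limit = 1024 * 512

-- CVE-2021-32920: refuse TLS renegotiation so a client cannot burn CPU by
-- renegotiating in a loop. "no_renegotiation" is an OpenSSL option exposed
-- through LuaSec; confirm in the Prosody log that your LuaSec/OpenSSL build
-- accepts it rather than assuming it took effect.
ssl = {
    options = { "no_renegotiation" };
}

-- CVE-2021-32917: mod_proxy65 previously relayed for anyone who could reach
-- it. Restrict the proxy to users of this server's own domains (assumed).
proxy65_acl = { "example.com" }

-- CVE-2021-32919: the undocumented dialback-without-dialback feature was
-- removed in 0.11.9. Make sure no leftover line like the one below (option
-- name assumed) remains anywhere in your configuration:
-- dialback_without_dialback = true

VirtualHost "example.com"
```

After merging these settings into the live config, run `prosodyctl check config` (it knows about the new global options in 0.11.9) and restart the service; a module that fails to load or an SSL option the local LuaSec does not understand shows up in the Prosody log rather than silently applying.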

Minor changes

  • util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)
  • mod_c2s: Don’t throw errors in async code when connections are gone
  • mod_c2s: Fix traceback in session close when conn is nil
  • core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
  • mod_saslauth: Use a defined SASL error
  • MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info
  • mod_saslauth: Don’t throw errors in async code when connections are gone
  • mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub feature in disco)
  • prosodyctl check config: Add gc to list of global options
  • prosodyctl about: Report libexpat version if known
  • util.xmppstream: Add API to dynamically configure the stanza size limit for a stream
  • util.set: Add is_set() to test if an object is a set
  • mod_http: Skip IP resolution in non-proxied case
  • mod_c2s: Log about missing conn on async state changes
  • util.xmppstream: Reduce internal default xmppstream limit to 1MB

Update history (each event 7 months ago):

  • Submitted for testing by robert
  • Test gating status changed to 'ignored'
  • Test gating status changed to 'waiting'
  • Edited by robert
  • Test gating status changed to 'ignored'
  • Edited by robert
  • Pushed to testing
  • Submitted for stable by bodhi
  • Pushed to stable


Metadata

  • Type: security
  • Severity: medium
  • Karma: 0
  • Signed
  • Content Type: RPM

Settings

  • Unstable by Karma: -3
  • Stable by Karma: 3
  • Stable by Time: 14 days

Dates

  • submitted: 7 months ago
  • in testing: 7 months ago
  • in stable: 7 months ago
  • modified: 7 months ago
Bugs

  • BZ#1960244 prosody-0.11.9 is available
  • BZ#1960332 CVE-2021-32917 prosody: use of mod_proxy65 is unrestricted in default configuration
  • BZ#1960335 CVE-2021-32918 prosody: DoS via insufficient memory consumption controls
  • BZ#1960340 CVE-2021-32919 prosody: undocumented dialback-without-dialback option insecure
  • BZ#1960343 CVE-2021-32920 prosody: DoS via repeated TLS renegotiation causing excessive CPU consumption
  • BZ#1960349 CVE-2021-32921 prosody: use of timing-dependent string comparison with sensitive values
  • BZ#1960353 CVE-2021-32917 prosody: use of mod_proxy65 is unrestricted in default configuration [epel-all]
  • BZ#1960354 CVE-2021-32918 prosody: DoS via insufficient memory consumption controls [epel-all]
  • BZ#1960355 CVE-2021-32919 prosody: undocumented dialback-without-dialback option insecure [epel-all]
  • BZ#1960357 CVE-2021-32920 prosody: DoS via repeated TLS renegotiation causing excessive CPU consumption [epel-all]
  • BZ#1960358 CVE-2021-32921 prosody: use of timing-dependent string comparison with sensitive values [epel-all]
