9c108afab8
Fixes the following security issues: - CVE-2021-32918: DoS via insufficient memory consumption controls It was discovered that default settings leave Prosody susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. Lua 5.2 is the default and recommended Lua version for Prosody 0.11.x series. - CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU consumption It was discovered that Prosody does not disable SSL/TLS renegotiation, even though this is not used in XMPP. A malicious client may flood a connection with renegotiation requests to consume excessive CPU resources on the server. - CVE-2021-32921: Use of timing-dependent string comparison with sensitive values It was discovered that Prosody does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. - CVE-2021-32917: Use of mod_proxy65 is unrestricted in default configuration mod_proxy65 is a file transfer proxy provided with Prosody to facilitate the transfer of files and other data between XMPP clients. It was discovered that the proxy65 component of Prosody allows open access by default, even if neither of the users have an XMPP account on the local server, allowing unrestricted use of the server’s bandwidth. - CVE-2021-32919: Undocumented dialback-without-dialback option insecure The undocumented option ‘dialback_without_dialback’ enabled an experimental feature for server-to-server authentication. A flaw in this feature meant it did not correctly authenticate remote servers, allowing a remote server to impersonate another server when this option is enabled. For more details, see the advisory: https://prosody.im/security/advisory_20210512/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
9 lines
514 B
Plaintext
9 lines
514 B
Plaintext
# Locally computed:
|
|
md5 be7e1c66c06b0eb4bdce37b67bcc6b51 prosody-0.11.9.tar.gz
|
|
sha1 632c2dd7794d344d4edbcea18fc1b5f623da5ca4 prosody-0.11.9.tar.gz
|
|
sha256 ccc032aea49d858635fb93644db276de6812be83073a8d80e9b4508095deff09 prosody-0.11.9.tar.gz
|
|
sha512 fabbbbb1acb3de4ff01e3e8c6e9e4dc37cb161259f1649683a1f9d925ed9f1709e052bfc831cba3f1861a9cca599f2b725ee739bfcb57164d6f50ac07011b52a prosody-0.11.9.tar.gz
|
|
|
|
# Hash for license file:
|
|
sha256 bbbdc1c5426e5944cf869fc0faeaf19d88a220cd2b39ea98b7b8e86b0e88a2ef COPYING
|