9c108afab8
Fixes the following security issues: - CVE-2021-32918: DoS via insufficient memory consumption controls It was discovered that default settings leave Prosody susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. Lua 5.2 is the default and recommended Lua version for Prosody 0.11.x series. - CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU consumption It was discovered that Prosody does not disable SSL/TLS renegotiation, even though this is not used in XMPP. A malicious client may flood a connection with renegotiation requests to consume excessive CPU resources on the server. - CVE-2021-32921: Use of timing-dependent string comparison with sensitive values It was discovered that Prosody does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. - CVE-2021-32917: Use of mod_proxy65 is unrestricted in default configuration mod_proxy65 is a file transfer proxy provided with Prosody to facilitate the transfer of files and other data between XMPP clients. It was discovered that the proxy65 component of Prosody allows open access by default, even if neither of the users have an XMPP account on the local server, allowing unrestricted use of the server’s bandwidth. - CVE-2021-32919: Undocumented dialback-without-dialback option insecure The undocumented option ‘dialback_without_dialback’ enabled an experimental feature for server-to-server authentication. A flaw in this feature meant it did not correctly authenticate remote servers, allowing a remote server to impersonate another server when this option is enabled. For more details, see the advisory: https://prosody.im/security/advisory_20210512/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
||
|---|---|---|
| arch | ||
| board | ||
| boot | ||
| configs | ||
| docs | ||
| fs | ||
| linux | ||
| package | ||
| support | ||
| system | ||
| toolchain | ||
| utils | ||
| .defconfig | ||
| .flake8 | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| CHANGES | ||
| Config.in | ||
| Config.in.legacy | ||
| COPYING | ||
| DEVELOPERS | ||
| Makefile | ||
| Makefile.legacy | ||
| README | ||
Buildroot is a simple, efficient and easy-to-use tool to generate embedded Linux systems through cross-compilation. The documentation can be found in docs/manual. You can generate a text document with 'make manual-text' and read output/docs/manual/manual.text. Online documentation can be found at http://buildroot.org/docs.html To build and use the buildroot stuff, do the following: 1) run 'make menuconfig' 2) select the target architecture and the packages you wish to compile 3) run 'make' 4) wait while it compiles 5) find the kernel, bootloader, root filesystem, etc. in output/images You do not need to be root to build or run buildroot. Have fun! Buildroot comes with a basic configuration for a number of boards. Run 'make list-defconfigs' to view the list of provided configurations. Please feed suggestions, bug reports, insults, and bribes back to the buildroot mailing list: buildroot@buildroot.org You can also find us on #buildroot on Freenode IRC. If you would like to contribute patches, please read https://buildroot.org/manual.html#submitting-patches