[Pkg-xmpp-devel] Bug#988668: prosody: CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921

Salvatore Bonaccorso carnil at debian.org
Mon May 17 18:08:27 BST 2021


Source: prosody
Version: 0.11.8-1
Severity: serious
Tags: security upstream
Justification: security issues, need to be fixed in testing to avoid a security regression from buster
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Control: found -1 0.11.2-1
Control: fixed -1 0.11.2-1+deb10u1
Control: fixed -1 0.11.9-1

Hi,

The following vulnerabilities were published for prosody. Those are
fixed in unstable already by 0.11.9, but we need to make sure the
fixes go into bullseye in particular, as they are going to be fixed
with 0.11.2-1+deb10u1 via buster security. Can you please contact the
release team for an unblock?

CVE-2021-32917[0]:
| An issue was discovered in Prosody before 0.11.9. The proxy65
| component allows open access by default, even if neither of the users
| has an XMPP account on the local server, allowing unrestricted use of
| the server's bandwidth.


CVE-2021-32918[1]:
| An issue was discovered in Prosody before 0.11.9. Default settings are
| susceptible to remote unauthenticated denial-of-service (DoS) attacks
| via memory exhaustion when running under Lua 5.2 or Lua 5.3.


CVE-2021-32919[2]:
| An issue was discovered in Prosody before 0.11.9. The undocumented
| dialback_without_dialback option in mod_dialback enables an
| experimental feature for server-to-server authentication. It does not
| correctly authenticate remote server certificates, allowing a remote
| server to impersonate another server (when this option is enabled).


CVE-2021-32920[3]:
| Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood
| of SSL/TLS renegotiation requests.


CVE-2021-32921[4]:
| An issue was discovered in Prosody before 0.11.9. It does not use a
| constant-time algorithm for comparing certain secret strings when
| running under Lua 5.2 or later. This can potentially be used in a
| timing attack to reveal the contents of secret strings to an attacker.


If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32917
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32917
[1] https://security-tracker.debian.org/tracker/CVE-2021-32918
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32918
[2] https://security-tracker.debian.org/tracker/CVE-2021-32919
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32919
[3] https://security-tracker.debian.org/tracker/CVE-2021-32920
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32920
[4] https://security-tracker.debian.org/tracker/CVE-2021-32921
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32921
[5] https://prosody.im/security/advisory_20210512.txt

Regards,
Salvatore
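To illustrate the defect class behind CVE-2021-32921 (secret strings compared with a non-constant-time algorithm under Lua 5.2 or later), here is an added example in Lua of a comparison without a prefix-dependent early exit. It is not Prosody's code and not the fix upstream shipped; the function name ct_equal and the sample token values are constructed for the example.

```lua
-- Added example (not Prosody's code): constant-time comparison of two
-- secret strings, the defect class described in CVE-2021-32921.
--
-- Background: Lua 5.1 interned every string, so `a == b` was effectively a
-- pointer check that cost the same whether or not the strings matched.
-- Newer Lua versions (5.2/5.3, per the CVE text) do not intern long
-- strings, so `==` on two long secrets becomes a byte-wise compare that
-- returns at the first mismatch; the time taken then grows with the
-- length of the matching prefix, which is the timing side channel.

local function ct_equal(a, b)
  if type(a) ~= "string" or type(b) ~= "string" then
    return false
  end
  local la, lb = #a, #b
  -- Fold a length mismatch into the accumulator instead of returning early.
  local diff = (la - lb) * (la - lb)
  -- Walk every byte of `a`; bytes missing from `b` count as 0, so the loop
  -- count depends only on #a. Squaring the difference keeps the update
  -- branch-free: the sum is zero exactly when every byte matched.
  for i = 1, la do
    local ba = a:byte(i)
    local bb = b:byte(i) or 0
    diff = diff + (ba - bb) * (ba - bb)
  end
  return diff == 0
end

-- Pass the caller-supplied value as `a`, so the only length that
-- influences the loop count is one the caller already knows.
-- Sample tokens below are constructed for this example.
assert(ct_equal("hmac-of-some-token-0123456789", "hmac-of-some-token-0123456789"))
assert(not ct_equal("hmac-of-some-token-0123456789", "hmac-of-some-token-0123456780"))
assert(not ct_equal("short", "short-but-longer"))
assert(not ct_equal(nil, "secret"))

return ct_equal
```

Interpreter and GC jitter mean a Lua loop is never perfectly constant-time, but this removes the prefix-dependent early exit that `==` has on non-interned strings.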