Debian Bug report logs - #988668
prosody: CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 17 May 2021 17:12:01 UTC
Severity: serious
Tags: security, upstream
Found in versions prosody/0.11.8-1, prosody/0.11.2-1
Fixed in versions prosody/0.11.9-1, prosody/0.11.2-1+deb10u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>: Bug#988668; Package src:prosody. (Mon, 17 May 2021 17:12:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>. (Mon, 17 May 2021 17:12:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: prosody
Version: 0.11.8-1
Severity: serious
Tags: security upstream
Justification: security issues, need to be fixed in testing to avoid a security regression from buster
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 0.11.2-1
Control: fixed -1 0.11.2-1+deb10u1
Control: fixed -1 0.11.9-1
Hi,
The following vulnerabilities were published for prosody. Those are
fixed in unstable already by 0.11.9, but we need to make sure the
fixes go into bullseye in particular, as they are going to be fixed
with 0.11.2-1+deb10u1 via buster security. Can you please contact the
release team for an unblock?
CVE-2021-32917[0]:
| An issue was discovered in Prosody before 0.11.9. The proxy65
| component allows open access by default, even if neither of the users
| has an XMPP account on the local server, allowing unrestricted use of
| the server's bandwidth.
CVE-2021-32918[1]:
| An issue was discovered in Prosody before 0.11.9. Default settings are
| susceptible to remote unauthenticated denial-of-service (DoS) attacks
| via memory exhaustion when running under Lua 5.2 or Lua 5.3.
CVE-2021-32919[2]:
| An issue was discovered in Prosody before 0.11.9. The undocumented
| dialback_without_dialback option in mod_dialback enables an
| experimental feature for server-to-server authentication. It does not
| correctly authenticate remote server certificates, allowing a remote
| server to impersonate another server (when this option is enabled).
CVE-2021-32920[3]:
| Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood
| of SSL/TLS renegotiation requests.
CVE-2021-32921[4]:
| An issue was discovered in Prosody before 0.11.9. It does not use a
| constant-time algorithm for comparing certain secret strings when
| running under Lua 5.2 or later. This can potentially be used in a
| timing attack to reveal the contents of secret strings to an attacker.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32917
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32917
[1] https://security-tracker.debian.org/tracker/CVE-2021-32918
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32918
[2] https://security-tracker.debian.org/tracker/CVE-2021-32919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32919
[3] https://security-tracker.debian.org/tracker/CVE-2021-32920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32920
[4] https://security-tracker.debian.org/tracker/CVE-2021-32921
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32921
[5] https://prosody.im/security/advisory_20210512.txt
Regards,
Salvatore
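The last CVE in the report, CVE-2021-32921, is about comparing secret strings with an early-exit comparison under Lua 5.2 or later. The Lua snippet below is an added illustration, not Prosody's own code: it shows the vulnerable pattern next to a constant-time replacement, with hypothetical function names and constructed sample values.

```lua
-- Added illustration for CVE-2021-32921; not Prosody's own code.
-- Lua 5.1 interns every string, so `a == b` is a pointer comparison.
-- Lua 5.2+ no longer interns long strings, so `==` becomes a memcmp that
-- returns at the first differing byte: how long the check takes leaks how
-- many leading bytes of the secret the supplied value got right.

-- Vulnerable pattern (hypothetical name): early-exit compare of a secret.
local function naive_equals(secret, supplied)
  return secret == supplied
end

-- Hardened: always touch every byte of the secret, and fold the length
-- mismatch into the result instead of returning early. Squared byte
-- differences avoid both bitwise operators (not in core Lua 5.2) and
-- data-dependent branches inside the loop.
local function constant_time_equals(secret, supplied)
  local n = #secret
  local diff = (n == #supplied) and 0 or 1
  for i = 1, n do
    local x = secret:byte(i)
    local y = supplied:byte(i) or 0   -- nil past the end of supplied
    diff = diff + (x - y) * (x - y)
  end
  return diff == 0
end

-- Constructed sample values.
local token = "k9Qm3vXz7LpR2wTc"
assert(naive_equals(token, "k9Qm3vXz7LpR2wTc"))
assert(constant_time_equals(token, "k9Qm3vXz7LpR2wTc"))
assert(not constant_time_equals(token, "k9Qm3vXz7LpR2wTd"))
assert(not constant_time_equals(token, "k9Qm3vXz7LpR2wTc-longer"))
```

The loop count depends only on the secret's length, which the server already knows, so the elapsed time no longer tells the caller where the first mismatch was.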
Marked as fixed in versions prosody/0.11.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 May 2021 17:21:05 GMT)
Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 May 2021 17:21:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 17 May 2021 17:21:06 GMT)
Marked as found in versions prosody/0.11.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 May 2021 17:21:06 GMT)
Marked as fixed in versions prosody/0.11.2-1+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 May 2021 17:21:06 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#988668. (Mon, 17 May 2021 17:21:25 GMT)
Message #18 received at 988668-submitter@bugs.debian.org:
close 988668 0.11.9-1
found 988668 0.11.2-1
# upcoming prosody DSA
fixed 988668 0.11.2-1+deb10u1
thanks
Last modified: Tue May 18 12:43:49 2021