prosody: CVE-2022-0217: Unauthenticated Remote Denial of Service Attack in the WebSocket interface

Related Vulnerabilities: CVE-2022-0217  

Debian Bug report logs - #1003696

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 13 Jan 2022 20:39:01 UTC

Severity: grave

Tags: security, upstream

Found in version prosody/0.11.11-2

Fixed in version prosody/0.11.12-1

Done: Victor Seva <vseva@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>:
Bug#1003696; Package src:prosody. (Thu, 13 Jan 2022 20:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>. (Thu, 13 Jan 2022 20:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: prosody: CVE-2022-0217: Unauthenticated Remote Denial of Service Attack in the WebSocket interface
Date: Thu, 13 Jan 2022 21:35:06 +0100
Source: prosody
Version: 0.11.11-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for prosody.

CVE-2022-0217[0]:
| Unauthenticated Remote Denial of Service Attack in the WebSocket
| interface

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-0217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0217
[1] https://prosody.im/security/advisory_20220113/
[2] https://www.openwall.com/lists/oss-security/2022/01/13/3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>:
Bug#1003696; Package src:prosody. (Fri, 14 Jan 2022 11:06:03 GMT)


Acknowledgement sent to Matthew Wild <mwild1@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>. (Fri, 14 Jan 2022 11:06:03 GMT)


Message #10 received at 1003696@bugs.debian.org:

From: Matthew Wild <mwild1@gmail.com>
To: 1003696@bugs.debian.org
Subject: prosody: CVE-2022-0217: Unauthenticated Remote Denial of Service Attack in the WebSocket interface
Date: Fri, 14 Jan 2022 11:03:09 +0000
Hi folks,

This is a link to the upstream patch for our 0.11.x series:
https://hg.prosody.im/0.11/raw-rev/783056b4e448

Let me know if you have any questions!

Regards,
Matthew (Prosody developer)

Reply sent to Victor Seva <vseva@debian.org>:
You have taken responsibility. (Fri, 14 Jan 2022 11:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 14 Jan 2022 11:36:03 GMT)


Message #15 received at 1003696-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1003696-close@bugs.debian.org
Subject: Bug#1003696: fixed in prosody 0.11.12-1
Date: Fri, 14 Jan 2022 11:33:47 +0000
Source: prosody
Source-Version: 0.11.12-1
Done: Victor Seva <vseva@debian.org>

We believe that the bug you reported is fixed in the latest version of
prosody, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1003696@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Victor Seva <vseva@debian.org> (supplier of updated prosody package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jan 2022 12:12:44 +0100
Source: prosody
Architecture: source
Version: 0.11.12-1
Distribution: unstable
Urgency: high
Maintainer: Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>
Changed-By: Victor Seva <vseva@debian.org>
Closes: 1003696
Changes:
 prosody (0.11.12-1) unstable; urgency=high
 .
   * New upstream version 0.11.12 addressing security issue
     - https://prosody.im/security/advisory_20220113/
     + fixes CVE-2022-0217
     (Closes: #1003696)
Checksums-Sha1:
 8f504db0b197ff744f172764e9a02e876f192ee6 1840 prosody_0.11.12-1.dsc
 64c918439c2df130204dcd86398832cb7a481eb3 439656 prosody_0.11.12.orig.tar.gz
 212f49e93ba3009bfe78509a0d9c37c7fb6151b9 28664 prosody_0.11.12-1.debian.tar.xz
 5439e97e6ad896543d58a2ac63c8e93c7e2fa821 6686 prosody_0.11.12-1_amd64.buildinfo
Checksums-Sha256:
 3bec68f7614d83d59fcdb8c2090932e845d06bae3e3834d61dd835fb7b8653f1 1840 prosody_0.11.12-1.dsc
 56cd52d820f5b3ed37e02d8a2577aa064bbc04db8e87fd18a6020eba0c10560d 439656 prosody_0.11.12.orig.tar.gz
 74b470e74da60d637319fb83f5418794ba79e32a08149caf397687f62afd3d57 28664 prosody_0.11.12-1.debian.tar.xz
 9b1d08f4ff70f005b5e06e0ce1e4a3b5b67d2d2e1f129bcdd2651876a687ba28 6686 prosody_0.11.12-1_amd64.buildinfo
Files:
 8bfa03dd20364d90e036fc3a3ef6567f 1840 net optional prosody_0.11.12-1.dsc
 64a99571a5de84ace24d8142a1556d68 439656 net optional prosody_0.11.12.orig.tar.gz
 232365b3ab53301cba536ff2801d0394 28664 net optional prosody_0.11.12-1.debian.tar.xz
 2a0103ce61d41b031c21a656e876104b 6686 net optional prosody_0.11.12-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFFBAEBCgAvFiEE3S3PbKiJPTunbGuNsViYiXJxmOAFAmHhW/8RHHZzZXZhQGRl
Ymlhbi5vcmcACgkQsViYiXJxmOC4Cgf+Jnle9mSdm7UVcGloRwqNQsHG9+hsXFWw
ADd57vl9gfT5R4N94dabnhpNIFWex8pc+z4yziAqD7kKaQiFTpR/cppN0uAqTki4
eMdv1MSXN5JcYTV4vzet5xozDfX1oN7Oavswe1Q45GK2i585d0+3tIuRRQmbDOY/
fWPnFkLk+L/Hx9b0q+0ZYJfTocEOgSC2NkB2Mt98nKsz9fu9EQ/sx33fi6hZCgNF
DTBwSya70AizinoMs4A/A2OVs7eEySj23HskXTbZ3ps8Phj8SY5AV8lGEGxfLDX7
cfI8O4m3B3CKAZCGI0TnpJkSeh6VQcHIfkaNLK8DHadjMADFmTL/wg==
=qbK3
-----END PGP SIGNATURE-----


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 14 16:11:43 2022; Machine Name: buxtehude