Debian Linux Distribution

Find the information you need for your favorite open source distribution .


   openSUSE Security Update: Security update for prosody
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0728-1
Rating:             important
References:         #1186027 
Cross-References:   CVE-2021-32917 CVE-2021-32918 CVE-2021-32919
                    CVE-2021-32920
Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for prosody fixes the following issues:

   prosody was updated to 0.11.9:

   Security:

   * mod_limits, prosody.cfg.lua: Enable rate limits by default
   * certmanager: Disable renegotiation by default
   * mod_proxy65: Restrict access to local c2s connections by default
   * util.startup: Set more aggressive defaults for GC
   * mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default
     stanza size limits
   * mod_authinternal{plain,hashed}: Use constant-time string comparison for
     secrets
   * mod_dialback: Remove dialback-without-dialback feature
   * mod_dialback: Use constant-time comparison with hmac

   Minor changes:

   * util.hashes: Add constant-time string comparison (binding to
     CRYPTO_memcmp)
   * mod_c2s: Don???t throw errors in async code when connections are gone
   * mod_c2s: Fix traceback in session close when conn is nil
   * core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
   * mod_saslauth: Use a defined SASL error
   * MUC: Add support for advertising muc#roomconfig_allowinvites in room
     disco#info
   * mod_saslauth: Don???t throw errors in async code when connections are
     gone
   * mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing
     pubsub feature in disco)
   * prosodyctl check config: Add ???gc??? to list of global options
   * prosodyctl about: Report libexpat version if known
   * util.xmppstream: Add API to dynamically configure the stanza size limit
     for a stream
   * util.set: Add is_set() to test if an object is a set
   * mod_http: Skip IP resolution in non-proxied case
   * mod_c2s: Log about missing conn on async state changes
   * util.xmppstream: Reduce internal default xmppstream limit to 1MB

   Relevant: https://prosody.im/security/advisory_20210512/

   * boo#1186027: Prosody XMPP server advisory 2021-05-12
   * CVE-2021-32919
   * CVE-2021-32917
   * CVE-2021-32917
   * CVE-2021-32920
   * CVE-2021-32918

   Update to 0.11.8:

   Security:
   * mod_saslauth: Disable ???tls-unique??? channel binding with TLS 1.3
     (#1542)

   Fixes and improvements:

   * net.websocket.frames: Improve websocket masking performance by using the
     new util.strbitop
   * util.strbitop: Library for efficient bitwise operations on strings

   Minor changes:

   * MUC: Correctly advertise whether the subject can be changed (#1155)
   * MUC: Preserve disco ???node??? attribute (or lack thereof) in responses
     (#1595)
   * MUC: Fix logic bug causing unnecessary presence to be sent (#1615)
   * mod_bosh: Fix error if client tries to connect to component (#425)
   * mod_bosh: Pick out the ???wait??? before checking it instead of earlier
   * mod_pep: Advertise base PubSub feature (#1632)
   * mod_pubsub: Fix notification stanza type setting (#1605)
   * mod_s2s: Prevent keepalives before client has established a stream
   * net.adns: Fix bug that sent empty DNS packets (#1619)
   * net.http.server: Don???t send Content-Length on 1xx/204 responses (#1596)
   * net.websocket.frames: Fix length calculation bug (#1598)
   * util.dbuffer: Make length API in line with Lua strings
   * util.dbuffer: Optimize substring operations
   * util.debug: Fix locals being reported under wrong stack frame in some
     cases
   * util.dependencies: Fix check for Lua bitwise operations library (#1594)
   * util.interpolation: Fix combination of filters and fallback values #1623
   * util.promise: Preserve tracebacks
   * util.stanza: Reject ASCII control characters (#1606)
   * timers: Ensure timers can???t block other processing (#1620)

   Update to 0.11.7:

   Security:

   * mod_websocket: Enforce size limits on received frames (fixes #1593)

   Fixes and improvements:

   * mod_c2s, mod_s2s: Make stanza size limits configurable
   * Add configuration options to control Lua garbage collection parameters   * net.http: Backport SNI support for outgoing HTTP requests (#409)
   * mod_websocket: Process all data in the buffer on close frame and
     connection errors (fixes #1474, #1234)
   * util.indexedbheap: Fix heap data structure corruption, causing some
     timers to fail after a reschedule (fixes #1572)

   Update to 0.11.6:

   Fixes and improvements:

   * mod_storage_internal: Fix error in time limited queries on items without
     ???when??? field, fixes #1557
   * mod_carbons: Fix handling of incoming MUC PMs #1540
   * mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important
   * mod_http_files: Avoid using inode in etag, fixes #1498: Fail to download
     file on FreeBSD
   * mod_admin_telnet: Create a DNS resolver per console session (fixes
     #1492: Telnet console DNS commands reduced usefulness)
   * core.certmanager: Move EECDH ciphers before EDH in default cipherstring
     (fixes #1513)
   * mod_s2s: Escape invalid XML in loggin (same way as mod_c2s) (fixes
     #1574: Invalid XML input on s2s connection is logged unescaped)
   * mod_muc: Allow control over the server-admins-are-room-owners feature
     (see #1174)
   * mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552:
     MUC MAM may strip its own archive id)
   * mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam
     does not strip spoofed stanza ids
   * mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547:
     mod_muc_mam does not advertise stanza-id

   Minor changes:

   * net.http API: Add request:cancel() method
   * net.http API: Fix traceback on invalid URL passed to request()
   * MUC: Persist affiliation_data in new MUC format
   * mod_websocket: Fire event on session creation (thanks Aaron van Meerten)
   * MUC: Always include ???affiliation???/???role??? attributes, defaulting
     to ???none??? if nil
   * mod_tls: Log when certificates are (re)loaded
   * mod_vcard4: Report correct error condition (fixes #1521: mod_vcard4
     reports wrong error)
   * net.http: Re-expose destroy_request() function (fixes unintentional API
     breakage)
   * net.http.server: Strip port from Host header in IPv6 friendly way (fix
     #1302)
   * util.prosodyctl: Tell prosody do daemonize via command line flag (fixes
     #1514)
   * SASL: Apply saslprep where necessary, fixes #1560: Login fails if
     password contains special chars   * net.http.server: Fix reporting of missing Host header
   * util.datamanager API: Fix iterating over ???users??? (thanks marc0s)
   * net.resolvers.basic: Default conn_type to ???tcp??? consistently if
     unspecified (thanks marc0s)
   * mod_storage_sql: Fix check for deletion limits (fixes #1494)
   * mod_admin_telnet: Handle unavailable cipher info (fixes #1510:
     mod_admin_telnet backtrace)
   * Log warning when using prosodyctl start/stop/restart
   * core.certmanager: Look for privkey.pem to go with fullchain.pem (fixes
     #1526)
   * mod_storage_sql: Add index covering sort_id to improve performance
     (fixes #1505)
   * mod_mam,mod_muc_mam: Allow other work to be performed during archive
     cleanup (fixes #1504)
   * mod_muc_mam: Don???t strip MUC tags, fix #1567: MUC tags stripped by
     mod_muc_mam
   * mod_pubsub, mod_pep: Ensure correct number of children of (fixes #1496)
   * mod_register_ibr: Add FORM_TYPE as required by XEP-0077 (fixes #1511)
   * mod_muc_mam: Fix traceback saving message from non-occupant (fixes #1497)
   * util.startup: Remove duplicated initialization of logging (fix #1527:
     startup: Logging initialized twice)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-728=1



Package List:

   - openSUSE Leap 15.2 (x86_64):

      prosody-0.11.9-lp152.2.3.1
      prosody-debuginfo-0.11.9-lp152.2.3.1
      prosody-debugsource-0.11.9-lp152.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2021-32917.html
   https://www.suse.com/security/cve/CVE-2021-32918.html
   https://www.suse.com/security/cve/CVE-2021-32919.html
   https://www.suse.com/security/cve/CVE-2021-32920.html
   https://bugzilla.suse.com/1186027

openSUSE: 2021:0728-1 important: prosody

May 14, 2021
An update that fixes four vulnerabilities is now available

Description

This update for prosody fixes the following issues: prosody was updated to 0.11.9: Security: * mod_limits, prosody.cfg.lua: Enable rate limits by default * certmanager: Disable renegotiation by default * mod_proxy65: Restrict access to local c2s connections by default * util.startup: Set more aggressive defaults for GC * mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits * mod_authinternal{plain,hashed}: Use constant-time string comparison for secrets * mod_dialback: Remove dialback-without-dialback feature * mod_dialback: Use constant-time comparison with hmac Minor changes: * util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp) * mod_c2s: Don???t throw errors in async code when connections are gone * mod_c2s: Fix traceback in session close when conn is nil * core.certmanager: Improve detection of LuaSec/OpenSSL capabilities * mod_saslauth: Use a defined SASL error * MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info * mod_saslauth: Don???t throw errors in async code when connections are gone * mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub feature in disco) * prosodyctl check config: Add ???gc??? to list of global options * prosodyctl about: Report libexpat version if known * util.xmppstream: Add API to dynamically configure the stanza size limit for a stream * util.set: Add is_set() to test if an object is a set * mod_http: Skip IP resolution in non-proxied case * mod_c2s: Log about missing conn on async state changes * util.xmppstream: Reduce internal default xmppstream limit to 1MB Relevant: https://prosody.im/security/advisory_20210512/ * boo#1186027: Prosody XMPP server advisory 2021-05-12 * CVE-2021-32919 * CVE-2021-32917 * CVE-2021-32917 * CVE-2021-32920 * CVE-2021-32918 Update to 0.11.8: Security: * mod_saslauth: Disable ???tls-unique??? channel binding with TLS 1.3 (#1542) Fixes and improvements: * net.websocket.frames: Improve websocket masking performance by using the new util.strbitop * util.strbitop: Library for efficient bitwise operations on strings Minor changes: * MUC: Correctly advertise whether the subject can be changed (#1155) * MUC: Preserve disco ???node??? attribute (or lack thereof) in responses (#1595) * MUC: Fix logic bug causing unnecessary presence to be sent (#1615) * mod_bosh: Fix error if client tries to connect to component (#425) * mod_bosh: Pick out the ???wait??? before checking it instead of earlier * mod_pep: Advertise base PubSub feature (#1632) * mod_pubsub: Fix notification stanza type setting (#1605) * mod_s2s: Prevent keepalives before client has established a stream * net.adns: Fix bug that sent empty DNS packets (#1619) * net.http.server: Don???t send Content-Length on 1xx/204 responses (#1596) * net.websocket.frames: Fix length calculation bug (#1598) * util.dbuffer: Make length API in line with Lua strings * util.dbuffer: Optimize substring operations * util.debug: Fix locals being reported under wrong stack frame in some cases * util.dependencies: Fix check for Lua bitwise operations library (#1594) * util.interpolation: Fix combination of filters and fallback values #1623 * util.promise: Preserve tracebacks * util.stanza: Reject ASCII control characters (#1606) * timers: Ensure timers can???t block other processing (#1620) Update to 0.11.7: Security: * mod_websocket: Enforce size limits on received frames (fixes #1593) Fixes and improvements: * mod_c2s, mod_s2s: Make stanza size limits configurable * Add configuration options to control Lua garbage collection parameters * net.http: Backport SNI support for outgoing HTTP requests (#409) * mod_websocket: Process all data in the buffer on close frame and connection errors (fixes #1474, #1234) * util.indexedbheap: Fix heap data structure corruption, causing some timers to fail after a reschedule (fixes #1572) Update to 0.11.6: Fixes and improvements: * mod_storage_internal: Fix error in time limited queries on items without ???when??? field, fixes #1557 * mod_carbons: Fix handling of incoming MUC PMs #1540 * mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important * mod_http_files: Avoid using inode in etag, fixes #1498: Fail to download file on FreeBSD * mod_admin_telnet: Create a DNS resolver per console session (fixes #1492: Telnet console DNS commands reduced usefulness) * core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513) * mod_s2s: Escape invalid XML in loggin (same way as mod_c2s) (fixes #1574: Invalid XML input on s2s connection is logged unescaped) * mod_muc: Allow control over the server-admins-are-room-owners feature (see #1174) * mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552: MUC MAM may strip its own archive id) * mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam does not strip spoofed stanza ids * mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547: mod_muc_mam does not advertise stanza-id Minor changes: * net.http API: Add request:cancel() method * net.http API: Fix traceback on invalid URL passed to request() * MUC: Persist affiliation_data in new MUC format * mod_websocket: Fire event on session creation (thanks Aaron van Meerten) * MUC: Always include ???affiliation???/???role??? attributes, defaulting to ???none??? if nil * mod_tls: Log when certificates are (re)loaded * mod_vcard4: Report correct error condition (fixes #1521: mod_vcard4 reports wrong error) * net.http: Re-expose destroy_request() function (fixes unintentional API breakage) * net.http.server: Strip port from Host header in IPv6 friendly way (fix #1302) * util.prosodyctl: Tell prosody do daemonize via command line flag (fixes #1514) * SASL: Apply saslprep where necessary, fixes #1560: Login fails if password contains special chars * net.http.server: Fix reporting of missing Host header * util.datamanager API: Fix iterating over ???users??? (thanks marc0s) * net.resolvers.basic: Default conn_type to ???tcp??? consistently if unspecified (thanks marc0s) * mod_storage_sql: Fix check for deletion limits (fixes #1494) * mod_admin_telnet: Handle unavailable cipher info (fixes #1510: mod_admin_telnet backtrace) * Log warning when using prosodyctl start/stop/restart * core.certmanager: Look for privkey.pem to go with fullchain.pem (fixes #1526) * mod_storage_sql: Add index covering sort_id to improve performance (fixes #1505) * mod_mam,mod_muc_mam: Allow other work to be performed during archive cleanup (fixes #1504) * mod_muc_mam: Don???t strip MUC tags, fix #1567: MUC tags stripped by mod_muc_mam * mod_pubsub, mod_pep: Ensure correct number of children of (fixes #1496) * mod_register_ibr: Add FORM_TYPE as required by XEP-0077 (fixes #1511) * mod_muc_mam: Fix traceback saving message from non-occupant (fixes #1497) * util.startup: Remove duplicated initialization of logging (fix #1527: startup: Logging initialized twice)

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-728=1


Package List

- openSUSE Leap 15.2 (x86_64): prosody-0.11.9-lp152.2.3.1 prosody-debuginfo-0.11.9-lp152.2.3.1 prosody-debugsource-0.11.9-lp152.2.3.1


References

https://www.suse.com/security/cve/CVE-2021-32917.html https://www.suse.com/security/cve/CVE-2021-32918.html https://www.suse.com/security/cve/CVE-2021-32919.html https://www.suse.com/security/cve/CVE-2021-32920.html https://bugzilla.suse.com/1186027


Severity
Announcement ID: openSUSE-SU-2021:0728-1
Rating: important
Affected Products: openSUSE Leap 15.2 .

Related News

11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle
1.Penguin Landscape Esm H320
1 - 2 min read
There are compelling arguments in favor of Linux over Windows for desktop usage. Let's explore some advantages of choosing Linux over Windows for

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved