--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2021-c44d955770
2021-05-29 00:37:40.425928
--------------------------------------------------------------------------------
Name        : prosody
Product     : Fedora EPEL 7
Version     : 0.11.9
Release     : 1.el7
URL         : https://prosody.im/
Summary     : Flexible communications server for Jabber/XMPP
Description :
Prosody is a flexible communications server for Jabber/XMPP written in Lua.
It aims to be easy to use, and light on resources. For developers it aims to
be easy to extend and give a flexible system on which to rapidly develop
added functionality, or prototype new protocols.
--------------------------------------------------------------------------------
Update Information:

Prosody 0.11.9
==============

This release addresses a number of important security issues that affect most
deployments of Prosody. Full details are available in a separate security
advisory. Upstream recommends that all deployments upgrade or apply the
mitigations described in the advisory:
https://prosody.im/security/advisory_20210512/

Note: Upstream updated the default config file. YUM or RPM will create a
`/etc/prosody/prosody.cfg.lua.rpmnew` file, so make sure you update your
existing `/etc/prosody/prosody.cfg.lua` to enable mod_limits after the
upgrade.

Security
--------

* mod_limits, prosody.cfg.lua: Enable rate limits by default
* certmanager: Disable renegotiation by default
* mod_proxy65: Restrict access to local c2s connections by default
* util.startup: Set more aggressive defaults for GC
* mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default
  stanza size limits
* mod_auth_internal_{plain,hashed}: Use constant-time string comparison for
  secrets
* mod_dialback: Remove dialback-without-dialback feature
* mod_dialback: Use constant-time comparison with hmac

Minor changes
-------------

* util.hashes: Add constant-time string comparison (binding to `CRYPTO_memcmp`)
* mod_c2s: Don't throw errors in async code when connections are gone
* mod_c2s: Fix traceback in session close when conn is nil
* core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
* mod_saslauth: Use a defined SASL error
* MUC: Add support for advertising muc#roomconfig_allowinvites in room
  disco#info
* mod_saslauth: Don't throw errors in async code when connections are gone
* mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub
  feature in disco)
* prosodyctl check config: Add `gc` to list of global options
* prosodyctl about: Report libexpat version if known
* util.xmppstream: Add API to dynamically configure the stanza size limit for
  a stream
* util.set: Add `is_set()` to test if an object is a set
* mod_http: Skip IP resolution in non-proxied case
* mod_c2s: Log about missing conn on async state changes
* util.xmppstream: Reduce internal default xmppstream limit to 1MB
--------------------------------------------------------------------------------
ChangeLog:
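The note above asks administrators to carry the new defaults from the
`.rpmnew` file into an existing `/etc/prosody/prosody.cfg.lua`. The fragment
below is an added example of what that merge looks like for the two items an
existing configuration is most likely to lack (mod_limits rate limits and the
stanza size limits); it is not the upstream default file or part of this
notice. The option names `limits`, `c2s_stanza_size_limit` and
`s2s_stanza_size_limit`, the rate values and the sample module list are taken
from upstream documentation as I know it and should be checked against the
shipped `.rpmnew` copy before use.

```lua
-- Added example, not the shipped prosody.cfg.lua: global-section settings to
-- merge from /etc/prosody/prosody.cfg.lua.rpmnew into an existing config.
-- Option names follow upstream 0.11.9 documentation (assumption: verify them
-- against your .rpmnew copy).

-- "limits" loads mod_limits. Keep your real module list; the other entries
-- here are only illustrative. Without this entry the `limits` table below
-- has no effect, which is the state of a pre-0.11.9 config left untouched.
modules_enabled = {
    "roster"; "saslauth"; "tls"; "dialback"; "disco";
    "limits";  -- new entry in the 0.11.9 default config
}

-- Byte-rate limits per connection type (the "rate limits by default" item).
-- `rate` is a bandwidth string; `burst` is the window over which a peer may
-- briefly exceed it. Inbound s2s gets a higher rate because one remote server
-- multiplexes traffic for many users.
limits = {
    c2s = {
        rate = "10kb/s";
        burst = "2s";
    };
    s2sin = {
        rate = "30kb/s";
        burst = "3s";
    };
}

-- Stanza size limits in bytes (the "default stanza size limits" item).
-- 0.11.9 applies defaults even when these are unset; stating them explicitly
-- records the decision and makes per-deployment tuning visible in review.
c2s_stanza_size_limit = 1024 * 256  -- 256 KiB per client stanza
s2s_stanza_size_limit = 1024 * 512  -- 512 KiB per server-to-server stanza
```

After merging, `prosodyctl check config` (the command named in the changelog)
validates the file before the service is restarted, so a typo in the module
list or in the `limits` table is caught rather than silently leaving the
limits disabled.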
* Thu May 13 2021 Robert Scheck <robert@fedoraproject.org> 0.11.9-1
- Upgrade to 0.11.9 (#1960244, #1960332, #1960335, #1960340,
* Fri Apr 30 2021 Robert Scheck <robert@fedoraproject.org> 0.11.8-4
- Added upstream patch to avoid '-Wl,--as-needed' removing linking to
  libpthread when building with current libicu (#1954178)
* Tue Mar 2 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.11.8-3
- Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.
* Fri Feb 26 2021 Robert Scheck <robert@fedoraproject.org> 0.11.8-2
- Added upstream patch to unbreak Lua 5.4 support (#1933063)
- Added %check to run some common commands (as a small testsuite)
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #1960332 - CVE-2021-32917 prosody: use of mod_proxy65 is unrestricted in default configuration
        https://bugzilla.redhat.com/show_bug.cgi?id=1960332
  [ 2 ] Bug #1960335 - CVE-2021-32918 prosody: DoS via insufficient memory consumption controls
        https://bugzilla.redhat.com/show_bug.cgi?id=1960335
  [ 3 ] Bug #1960340 - CVE-2021-32919 prosody: undocumented dialback-without-dialback option insecure
        https://bugzilla.redhat.com/show_bug.cgi?id=1960340
  [ 4 ] Bug #1960343 - CVE-2021-32920 prosody: DoS via repeated TLS renegotiation causing excessive CPU consumption
        https://bugzilla.redhat.com/show_bug.cgi?id=1960343
  [ 5 ] Bug #1960349 - CVE-2021-32921 prosody: use of timing-dependent string comparison with sensitive values
        https://bugzilla.redhat.com/show_bug.cgi?id=1960349
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update prosody' at the command line. For more information, refer
to "YUM", available at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-yum.html
All packages are signed with the Fedora EPEL GPG key. More details on the GPG
keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
epel-package-announce@lists.fedoraproject.org