--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-b5d8c6d086
2021-05-22 01:07:28.002697
--------------------------------------------------------------------------------
Name : prosody
Product : Fedora 33
Version : 0.11.9
Release : 1.fc33
URL : https://prosody.im/
Summary : Flexible communications server for Jabber/XMPP
Description :
Prosody is a flexible communications server for Jabber/XMPP written in Lua.
It aims to be easy to use, and light on resources. For developers it aims
to be easy to extend and give a flexible system on which to rapidly develop
added functionality, or prototype new protocols.
--------------------------------------------------------------------------------
Update Information:
Prosody 0.11.9
==============

This release addresses a number of important security issues that affect most
deployments of Prosody. Full details are available in a separate security
advisory. Upstream recommends that all deployments upgrade or apply the
mitigations described in the advisory:
https://prosody.im/security/advisory_20210512/

Note: Upstream updated the default config file. DNF or RPM will create a
`/etc/prosody/prosody.cfg.lua.rpmnew` file, so make sure you update your
existing `/etc/prosody/prosody.cfg.lua` to enable mod_limits after the upgrade.

Security
--------
* mod_limits, prosody.cfg.lua: Enable rate limits by default
* certmanager: Disable renegotiation by default
* mod_proxy65: Restrict access to local c2s connections by default
* util.startup: Set more aggressive defaults for GC
* mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits
* mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
* mod_dialback: Remove dialback-without-dialback feature
* mod_dialback: Use constant-time comparison with hmac

Minor changes
-------------
* util.hashes: Add constant-time string comparison (binding to `CRYPTO_memcmp`)
* mod_c2s: Don't throw errors in async code when connections are gone
* mod_c2s: Fix traceback in session close when conn is nil
* core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
* mod_saslauth: Use a defined SASL error
* MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info
* mod_saslauth: Don't throw errors in async code when connections are gone
* mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub feature in disco)
* prosodyctl check config: Add `gc` to list of global options
* prosodyctl about: Report libexpat version if known
* util.xmppstream: Add API to dynamically configure the stanza size limit for a stream
* util.set: Add `is_set()` to test if an object is a set
* mod_http: Skip IP resolution in non-proxied case
* mod_c2s: Log about missing conn on async state changes
* util.xmppstream: Reduce internal default xmppstream limit to 1MB
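As an added illustration of the note above about enabling mod_limits after the upgrade (this is not the config file shipped by the Fedora package nor upstream's exact new default; the rate and burst values are assumed and should be tuned per deployment), a minimal `prosody.cfg.lua` fragment in the form the module documents:

```lua
-- Added example config fragment, not the file shipped by the Fedora package.
-- Merge into the global section of /etc/prosody/prosody.cfg.lua after the
-- upgrade, then diff against prosody.cfg.lua.rpmnew for the other new defaults.

modules_enabled = {
    -- ... keep the modules already enabled in the existing config here ...
    "limits";   -- new in this release's default config: per-connection rate limits
}

-- Assumed values, chosen for illustration. "rate" is the sustained
-- bytes-per-second allowance for each connection type, "burst" how long a
-- peer may exceed it before being throttled.
limits = {
    c2s = {            -- client connections
        rate = "10kb/s";
        burst = "2s";
    };
    s2sin = {          -- incoming server-to-server connections
        rate = "30kb/s";
    };
}
```

After merging, run `prosodyctl check config` (the command mentioned in the changelog) to catch syntax or option errors before restarting the service; a throttled connection shows up as slowed delivery rather than a disconnect, so the limits are safe to start conservative and relax later.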
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 13 2021 Robert Scheck <robert(a)fedoraproject.org> 0.11.9-1
- Upgrade to 0.11.9 (#1960244, #1960332, #1960335, #1960340,
* Fri Apr 30 2021 Robert Scheck <robert(a)fedoraproject.org> 0.11.8-4
- Added upstream patch to avoid '-Wl,--as-needed' removing linking
to libpthread when building with current libicu (#1954178)
* Tue Mar 2 2021 Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl> - 0.11.8-3
- Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1960332 - CVE-2021-32917 prosody: use of mod_proxy65 is unrestricted in
default configuration
https://bugzilla.redhat.com/show_bug.cgi?id=1960332
[ 2 ] Bug #1960335 - CVE-2021-32918 prosody: DoS via insufficient memory consumption
controls
https://bugzilla.redhat.com/show_bug.cgi?id=1960335
[ 3 ] Bug #1960340 - CVE-2021-32919 prosody: undocumented dialback-without-dialback
option insecure
https://bugzilla.redhat.com/show_bug.cgi?id=1960340
[ 4 ] Bug #1960343 - CVE-2021-32920 prosody: DoS via repeated TLS renegotiation causing
excessive CPU consumption
https://bugzilla.redhat.com/show_bug.cgi?id=1960343
[ 5 ] Bug #1960349 - CVE-2021-32921 prosody: use of timing-dependent string comparison
with sensitive values
https://bugzilla.redhat.com/show_bug.cgi?id=1960349
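As an added example of the bug class behind CVE-2021-32921 (not Prosody's own util.hashes code, which binds OpenSSL's `CRYPTO_memcmp`): a comparison that returns at the first mismatching byte beside one whose work does not depend on where the inputs differ, written in plain Lua with a constructed stored secret and candidate values:

```lua
-- Added example, not code from Prosody. Plain Lua (5.1 or later), no bit library.

-- Timing-dependent: stops at the first byte that differs, so the time taken
-- grows with the length of the common prefix between secret and candidate.
local function leaky_equals(a, b)
    if #a ~= #b then return false end
    for i = 1, #a do
        if a:byte(i) ~= b:byte(i) then
            return false  -- the early exit is the leak
        end
    end
    return true
end

-- Constant-time for equal-length inputs: always walks every byte, folds each
-- difference into an accumulator and decides only at the end. Only the length
-- is revealed, which is the same contract CRYPTO_memcmp offers.
local function constant_time_equals(a, b)
    if type(a) ~= "string" or type(b) ~= "string" then return false end
    if #a ~= #b then return false end
    local diff = 0
    for i = 1, #a do
        -- abs() of the byte difference is non-zero iff the bytes differ;
        -- summing avoids bitwise XOR, which plain Lua 5.1 does not have
        diff = diff + math.abs(a:byte(i) - b:byte(i))
    end
    return diff == 0
end

-- Constructed sample: a stored secret and candidates submitted by a client.
local stored = "s3cret-token-0123456789"
local candidates = {
    "s3cret-token-0123456789",  -- correct
    "s3cret-token-0123456780",  -- differs in the last byte
    "x3cret-token-0123456789",  -- differs in the first byte
}
for _, c in ipairs(candidates) do
    print(string.format("%-26s leaky=%-5s constant=%s",
        c, tostring(leaky_equals(stored, c)),
        tostring(constant_time_equals(stored, c))))
end
```

Both functions return the same booleans; the difference is only in how much work `leaky_equals` does before answering, which is why the fix touches every place a secret or an HMAC is compared (mod_auth_internal_* and mod_dialback in the changelog) rather than just one.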
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-b5d8c6d086' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------