Source: prosody
Version: 0.11.8-1
Severity: serious
Tags: security upstream
Justification: security issues, need to be fixed in testing to avoid security regression from buster
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.11.2-1
Control: fixed -1 0.11.2-1+deb10u1
Control: fixed -1 0.11.9-1

Hi,

The following vulnerabilities were published for prosody. Those are fixed in unstable already by 0.11.9, but we need to make sure the fixes go into bullseye in particular, as they are going to be fixed with 0.11.2-1+deb10u1 via buster security. Can you please contact the release team for an unblock?

CVE-2021-32917[0]:
| An issue was discovered in Prosody before 0.11.9. The proxy65
| component allows open access by default, even if neither of the users
| has an XMPP account on the local server, allowing unrestricted use of
| the server's bandwidth.

CVE-2021-32918[1]:
| An issue was discovered in Prosody before 0.11.9. Default settings are
| susceptible to remote unauthenticated denial-of-service (DoS) attacks
| via memory exhaustion when running under Lua 5.2 or Lua 5.3.

CVE-2021-32919[2]:
| An issue was discovered in Prosody before 0.11.9. The undocumented
| dialback_without_dialback option in mod_dialback enables an
| experimental feature for server-to-server authentication. It does not
| correctly authenticate remote server certificates, allowing a remote
| server to impersonate another server (when this option is enabled).

CVE-2021-32920[3]:
| Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood
| of SSL/TLS renegotiation requests.

CVE-2021-32921[4]:
| An issue was discovered in Prosody before 0.11.9. It does not use a
| constant-time algorithm for comparing certain secret strings when
| running under Lua 5.2 or later. This can potentially be used in a
| timing attack to reveal the contents of secret strings to an attacker.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32917
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32917
[1] https://security-tracker.debian.org/tracker/CVE-2021-32918
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32918
[2] https://security-tracker.debian.org/tracker/CVE-2021-32919
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32919
[3] https://security-tracker.debian.org/tracker/CVE-2021-32920
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32920
[4] https://security-tracker.debian.org/tracker/CVE-2021-32921
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32921
[5] https://prosody.im/security/advisory_20210512.txt

Regards,
Salvatore
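The CVE-2021-32921 entry above says Prosody compared certain secrets with a non-constant-time algorithm. The following Python block is an added illustration of that class of defect and is not code from the bug report or from Prosody (which is written in Lua): it places an early-exit comparison beside a constant-time one and, instead of measuring wall-clock time, counts how many bytes each routine examines before returning, which is the quantity a timing side channel exposes. The sample secret is constructed for the example; `hmac.compare_digest` is the standard-library primitive a fix would normally use.

```python
"""Constant-time vs early-exit secret comparison (added example, not Prosody code)."""
import hmac
from typing import Tuple


def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: stops at the first differing byte.

    Returns (equal, bytes_examined). The second value grows with the length
    of the matching prefix, which is exactly the information that leaks
    through execution time.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Branch-free comparison: every byte is examined regardless of content.

    Differences are OR-ed into an accumulator instead of triggering a
    return, so the work done is a function of the length only.
    """
    if len(a) != len(b):
        return False, 0
    acc = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        acc |= x ^ y
    return acc == 0, examined


def stdlib_equal(a: bytes, b: bytes) -> bool:
    """What a fix should actually call: the standard library's constant-time
    digest comparison (same semantics as constant_time_equal, without the
    hand-written loop)."""
    return hmac.compare_digest(a, b)


# Constructed sample secret, 21 bytes long.
SECRET = b"correct-horse-battery"

if __name__ == "__main__":
    # Constructed candidates: wrong in the first byte, wrong in the last byte.
    for label, candidate in (("first byte wrong", b"xorrect-horse-battery"),
                             ("last byte wrong", b"correct-horse-batterx")):
        _, naive_steps = naive_equal(SECRET, candidate)
        _, ct_steps = constant_time_equal(SECRET, candidate)
        print(f"{label}: naive examined {naive_steps} bytes, "
              f"constant-time examined {ct_steps} bytes")
```

The naive routine examines 1 byte for a candidate that is wrong at position 0 and 21 bytes for one that is wrong only at the end; the constant-time routine examines 21 bytes in both cases, so an observer learns nothing about the prefix. When reviewing a fix for an issue like this, the thing to check is that the comparison reaches the end of the input on every path, not merely that it uses XOR somewhere.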