Hello ports,

A security update for Prosody is out. Details can be found in [1]. The patch is against the previous revision, not against the proposed changes to use Lua 5.2, so it's easier to apply against both -current and -stable, and the same patch applies to both. The report also explains mitigations that can be enabled for 0.11.8 for all the vulnerabilities.

[1]: https://prosody.im/security/advisory_20210512/

Cheers,
-Lucas

Index: Makefile =================================================================== RCS file: /home/cvs/ports/net/prosody/Makefile,v retrieving revision 1.60 diff -u -p -r1.60 Makefile --- Makefile 6 Mar 2021 18:43:56 -0000 1.60 +++ Makefile 13 May 2021 15:02:47 -0000 @@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.60 2021/03/06 18:43:56 sthen Exp $ COMMENT= communications server for Jabber/XMPP written in Lua -DISTNAME= prosody-0.11.8 +DISTNAME= prosody-0.11.9 CATEGORIES= net MASTER_SITES= https://prosody.im/downloads/source/ Index: distinfo =================================================================== RCS file: /home/cvs/ports/net/prosody/distinfo,v retrieving revision 1.20 diff -u -p -r1.20 distinfo --- distinfo 6 Mar 2021 18:43:56 -0000 1.20 +++ distinfo 13 May 2021 15:05:58 -0000 @@ -1,2 +1,2 @@ -SHA256 (prosody-0.11.8.tar.gz) = gw8YO5jVdC2B6QjS2OMljxtTja10EfBv2lssxcdQaPg= -SIZE (prosody-0.11.8.tar.gz) = 429762 +SHA256 (prosody-0.11.9.tar.gz) = zMAyrqSdhYY1+5NkTbJ23mgSvoMHOo2A6bRQgJXe/wk= +SIZE (prosody-0.11.9.tar.gz) = 431647 Index: patches/patch-core_certmanager_lua =================================================================== RCS file: /home/cvs/ports/net/prosody/patches/patch-core_certmanager_lua,v retrieving revision 1.4 diff -u -p -r1.4 patch-core_certmanager_lua --- patches/patch-core_certmanager_lua 5 Oct 2020 22:09:34 -0000 1.4 +++ patches/patch-core_certmanager_lua 13 May 2021 15:10:26 -0000 
@@ -3,7 +3,7 @@ $OpenBSD: patch-core_certmanager_lua,v 1 Index: core/certmanager.lua --- core/certmanager.lua.orig +++ core/certmanager.lua -@@ -105,7 +105,7 @@ end +@@ -110,7 +110,7 @@ end -- Built-in defaults local core_defaults = { Index: patches/patch-prosody_cfg_lua_dist =================================================================== RCS file: /home/cvs/ports/net/prosody/patches/patch-prosody_cfg_lua_dist,v retrieving revision 1.9 diff -u -p -r1.9 patch-prosody_cfg_lua_dist --- patches/patch-prosody_cfg_lua_dist 2 Jun 2020 07:22:46 -0000 1.9 +++ patches/patch-prosody_cfg_lua_dist 13 May 2021 15:10:41 -0000 @@ -16,7 +16,7 @@ Index: prosody.cfg.lua.dist -- Enable use of libevent for better performance under high load -- For more information see: https://prosody.im/doc/libevent --use_libevent = true -@@ -153,8 +160,8 @@ archive_expires_after = "1w" -- Remove archived messag +@@ -164,8 +171,8 @@ archive_expires_after = "1w" -- Remove archived messag -- Logging configuration -- For advanced logging see https://prosody.im/doc/logging log = {
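
Review bot: In the distinfo hunk, the new SHA256 and SIZE for prosody-0.11.9.tar.gz are the only integrity anchor for this security update, so please confirm they were generated from a tarball checked against upstream's release and not just from whatever MASTER_SITES served at fetch time. One line in the mail saying how the distfile was verified would be enough.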
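
Review bot: In patches/patch-core_certmanager_lua only the inner hunk header moves, from -105,7 +105,7 to -110,7 +110,7, so core/certmanager.lua gained five lines above the core_defaults table in 0.11.9. Because the port's patch edits the certificate manager's built-in defaults, please check that whatever upstream added there does not overlap with the local change, and mention the result in the commit message.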
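
Review bot: In patches/patch-prosody_cfg_lua_dist the second inner hunk moves from -153,8 +160,8 to -164,8 +171,8, which means upstream's prosody.cfg.lua.dist gained 11 lines ahead of the logging section. An existing install keeps its own prosody.cfg.lua, so if those new lines are settings that matter for this security release, it is worth pointing users at them in the commit message or an upgrade note.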