CVE-2021-32921: Prosody 0.11.9 released

An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.


2021-05-12 by The Prosody Team

Tags: release

We are pleased to announce a new minor release from our stable branch.

This release addresses a number of important security issues that affect most deployments of Prosody. Full details are available in a separate security advisory. We recommend that all deployments upgrade or apply the mitigations described in the advisory.

Note: We have updated the default config file. Your package manager may warn you about this, and ask if you want to use the new file or keep your existing one. You should usually keep your existing one, but make sure you update it to enable mod_limits after the upgrade.

A summary of changes in this release:

Security

  • mod_limits, prosody.cfg.lua: Enable rate limits by default
  • certmanager: Disable renegotiation by default
  • mod_proxy65: Restrict access to local c2s connections by default
  • util.startup: Set more aggressive defaults for GC
  • mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits
  • mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
  • mod_dialback: Remove dialback-without-dialback feature
  • mod_dialback: Use constant-time comparison with hmac

Minor changes

  • util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)
  • mod_c2s: Don’t throw errors in async code when connections are gone
  • mod_c2s: Fix traceback in session close when conn is nil
  • core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
  • mod_saslauth: Use a defined SASL error
  • MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info
  • mod_saslauth: Don’t throw errors in async code when connections are gone
  • mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub feature in disco)
  • prosodyctl check config: Add ‘gc’ to list of global options
  • prosodyctl about: Report libexpat version if known
  • util.xmppstream: Add API to dynamically configure the stanza size limit for a stream
  • util.set: Add is_set() to test if an object is a set
  • mod_http: Skip IP resolution in non-proxied case
  • mod_c2s: Log about missing conn on async state changes
  • util.xmppstream: Reduce internal default xmppstream limit to 1MB
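The constant-time comparison entries above (the CVE description, the mod_auth_internal_{plain,hashed} and mod_dialback items, and the util.hashes binding to CRYPTO_memcmp) all concern the same side channel: an equality check that stops at the first differing byte takes longer the more of the secret the attacker has guessed correctly. The following is an added example, not code from Prosody or the Prosody team, written in Python rather than Lua so it runs stand-alone. It shows an early-exit compare beside an XOR-accumulate compare, a byte-at-a-time recovery attack that succeeds against the former and fails against the latter, and an HMAC-then-compare pattern for the unequal-length case. The "bytes examined" counter is an assumed stand-in for the wall-clock timing a real attacker would measure; the secret, the key and the HMAC pattern are constructed illustrations, not Prosody's values or implementation.

```python
import hashlib
import hmac
import os

# Constructed secret for the demonstration; not a real Prosody token.
SECRET = b"s3cr3t-dialback-key"
PRINTABLE = range(32, 127)


def naive_compare(a, b):
    """Early-exit comparison, as a plain string-equality check behaves.

    Returns (equal, bytes_examined). The second value is an assumed stand-in
    for the wall-clock time an attacker would measure: it grows with the
    length of the matching prefix, which is the leak described in the CVE.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a, b):
    """XOR-accumulate over every byte so the work done does not depend on
    where the first mismatch is (the shape of a CRYPTO_memcmp-style compare)."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def hmac_compare(a, b, key):
    """HMAC both values under a key, then compare the fixed-length digests
    with hmac.compare_digest. Neither the length nor the content of the real
    secret influences the comparison path, so unequal-length inputs are
    rejected without leaking. This is an assumed illustration of the
    'constant-time comparison with hmac' approach, not Prosody's code."""
    ma = hmac.new(key, a, hashlib.sha256).digest()
    mb = hmac.new(key, b, hashlib.sha256).digest()
    return hmac.compare_digest(ma, mb)


def recover_secret(compare, secret, alphabet=PRINTABLE):
    """Byte-at-a-time recovery against a comparison oracle.

    For each position, try every candidate byte and keep the one that makes
    the oracle do the most work (or report a match). Against naive_compare
    this recovers the secret; against constant_time_compare every candidate
    scores the same and the attack learns nothing.
    """
    guess = bytearray(len(secret))
    for i in range(len(secret)):
        best_byte, best_score = None, -1
        for c in alphabet:
            guess[i] = c
            equal, work = compare(bytes(guess), secret)
            score = work + (1 if equal else 0)
            if score > best_score:
                best_byte, best_score = c, score
        guess[i] = best_byte
    return bytes(guess)


if __name__ == "__main__":
    print("naive   :", recover_secret(naive_compare, SECRET))
    print("constant:", recover_secret(constant_time_compare, SECRET))
    key = os.urandom(32)
    print("hmac    :", hmac_compare(SECRET, SECRET, key),
          hmac_compare(b"short", SECRET, key))
```

The counter makes the leak deterministic so the attack is easy to follow; in practice the attacker repeats each measurement many times to average out noise, which is why the fix is to remove the data-dependent early exit rather than to add jitter.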

Download

As usual, download instructions for many platforms can be found on our download page.

If you have any questions, comments or other issues with this release, let us know!
