A vulnerability has been found and fixed in the Prosody XMPP server. CVE-2016-0756 ------------- Project ~ Prosody XMPP server URL ~ https://prosody.im/ CVE ~ CVE-2016-0756 Date ~ 2016-01-27 Affected versions ~ All versions prior to 0.9.10 Affected Prosody modules ~ mod_dialback Fixed versions ~ 0.9.10, 0.10 nightly build 201, trunk nightly build 612 Description ----------- The flaw allows a malicious XMPP server to impersonate the vulnerable domain to any XMPP domain whose domain name includes the attacker's domain as a suffix. For example, 'bber.example' would be able to connect to 'jabber.example' and successfully impersonate any vulnerable server on the network. Affected configurations ----------------------- The default configuration is affected. Servers with mod_dialback disabled are not affected. Servers with s2s_secure_auth enabled will reject incoming impersonation attempts (that is, servers attempting to impersonate other domains will be rejected), but may still be impersonated to other servers on the network. Temporary mitigation -------------------- Disable mod_dialback by adding "dialback" to your modules_disabled list in the global section of your config file, and restart Prosody: modules_disabled = { "dialback" } Note that disabling dialback will affect interoperability with servers that do not have trusted TLS certificates. Advice ------ All users should upgrade to 0.9.10, or check their OS distribution for security updates. Users of development branches (0.10, trunk) should upgrade to the latest nightly builds. Credits ------- The flaw was discovered and responsibly disclosed to us by Thijs Alkemade. Links ------- - https://prosody.im/security/advisory_20160127/ - http://blog.prosody.im/prosody-0-9-10-released/ - https://prosody.im/issues/issue/596 - https://hg.prosody.im/0.9/rev/5c6e78dc1864
Version 0.9.10 is in the tree with testing keywords for amd64, arm and x86.
@arches, please stabilize.
Been running it for a while with no issues. Stable on amd64.
arm stable
CVE-2016-0756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0756): The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.
@x86, ping.
x86 stable. Maintainer(s), please cleanup.
Removed 0.9.{8,9} with commit 3b0fbe83c7219e1bd9fccc4ad7c5fb9cd54fb4fa
GLSA Vote: No