Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 789969 (CVE-2021-32917, CVE-2021-32918, CVE-2021-32919, CVE-2021-32920, CVE-2021-32921)

Summary: <net-im/prosody-0.11.9: Multiple vulnerabilities (CVE-2021-{32917,32918,32919,32920,32921})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: conikost
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+ cve]
Package list:
net-im/prosody-0.11.9
 Runtime testing required: No

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 14:07:23 UTC 
From the changelog:

"Security
-   mod_limits, prosody.cfg.lua: Enable rate limits by default
-   certmanager: Disable renegotiation by default
-   mod_proxy65: Restrict access to local c2s connections by default
-   util.startup: Set more aggressive defaults for GC
-   mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set
default stanza size limits
-   mod_auth_internal_{plain,hashed}: Use constant-time string
   comparison for secrets
-   mod_dialback: Remove dialback-without-dialback feature
-   mod_dialback: Use constant-time comparison with hmac"

See https://prosody.im/security/advisory_20210512/.
Comment 1 Larry the Git Cow gentoo-dev 2021-05-13 23:28:41 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a6d44e5859ff7c72680a187c29eb4c68f67240d

commit 5a6d44e5859ff7c72680a187c29eb4c68f67240d
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-05-13 23:26:34 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-05-13 23:26:34 +0000

    net-im/prosody: bump to version 0.11.9
    
    Bug: https://bugs.gentoo.org/789969
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-im/prosody/Manifest              |   1 +
 net-im/prosody/prosody-0.11.9.ebuild | 102 +++++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+)
Comment 2 Conrad Kostecki gentoo-dev 2021-05-13 23:29:45 UTC 
Please stabilize.
Comment 3 Agostino Sarubbo gentoo-dev 2021-05-14 09:31:08 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2021-05-14 09:37:01 UTC 
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-14 17:21:51 UTC 
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-16 00:02:58 UTC 
arm64 done

all arches done
Comment 7 Larry the Git Cow gentoo-dev 2021-05-16 00:57:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2992fce599930fda0a031eeab572bdcab1fcb7a1

commit 2992fce599930fda0a031eeab572bdcab1fcb7a1
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-05-16 00:56:57 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-05-16 00:56:57 +0000

    net-im/prosody: drop old version
    
    Bug: https://bugs.gentoo.org/789969
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-im/prosody/Manifest              |   1 -
 net-im/prosody/prosody-0.11.8.ebuild | 102 -----------------------------------
 2 files changed, 103 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-16 03:32:17 UTC 
Thank you!
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 16:03:15 UTC 
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:55:42 UTC 
This issue was resolved and addressed in
 GLSA 202105-15 at https://security.gentoo.org/glsa/202105-15
by GLSA coordinator Thomas Deutschmann (whissi).