Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 573158 (CVE-2016-0756) - <net-im/prosody-0.9.10: Security vulnerability in mod_dialback (CVE-2016-0756)
Summary: <net-im/prosody-0.9.10: Security vulnerability in mod_dialback (CVE-2016-0756)
Alias: CVE-2016-0756
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on:
Blocks: CVE-2016-1231
  Show dependency tree
Reported: 2016-01-27 21:07 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-06-28 12:32 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-27 21:07:28 UTC
A vulnerability has been found and fixed in the Prosody XMPP server.


  ~ Prosody XMPP server
  ~ CVE-2016-0756
  ~ 2016-01-27

Affected versions
  ~ All versions prior to 0.9.10
Affected Prosody modules
  ~ mod_dialback
Fixed versions
  ~ 0.9.10, 0.10 nightly build 201, trunk nightly build 612


The flaw allows a malicious XMPP server to impersonate the vulnerable
domain to any XMPP domain whose domain name includes the attacker's domain as a suffix.

For example, 'bber.example' would be able to connect to 'jabber.example' and
successfully impersonate any vulnerable server on the network.

Affected configurations

The default configuration is affected. Servers with mod_dialback
disabled are not affected.

Servers with s2s_secure_auth enabled will reject incoming
impersonation attempts (that is,
servers attempting to impersonate other domains will be rejected), but
may still be impersonated to other servers on the network.

Temporary mitigation

Disable mod_dialback by adding "dialback" to your modules_disabled
list in the global
section of your config file, and restart Prosody:

   modules_disabled = { "dialback" }

Note that disabling dialback will affect interoperability with servers
that do not have trusted
TLS certificates.


All users should upgrade to 0.9.10, or check their OS distribution for
security updates. Users of development branches (0.10, trunk) should
upgrade to the latest nightly builds.


The flaw was discovered and responsibly disclosed to us by Thijs Alkemade.


Comment 1 Tobias Klausmann (RETIRED) gentoo-dev 2016-01-28 08:36:04 UTC
Version 0.9.10 is in the tree with testing keywords for amd64, arm and x86.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-05-30 06:57:43 UTC
@arches, please stabilize.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-30 12:34:54 UTC
Been running it for a while with no issues.

Stable on amd64.
Comment 4 Markus Meier gentoo-dev 2016-06-04 05:04:53 UTC
arm stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-06-21 08:59:52 UTC
CVE-2016-0756 (
  The generate_dialback function in the mod_dialback module in Prosody before
  0.9.10 does not properly separate fields when generating dialback keys,
  which allows remote attackers to spoof XMPP network domains via a crafted
  stream id and domain name that is included in the target domain as a suffix.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-06-21 09:00:42 UTC
@x86, ping.
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-27 08:48:55 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-28 12:03:55 UTC
Removed 0.9.{8,9} with commit 3b0fbe83c7219e1bd9fccc4ad7c5fb9cd54fb4fa
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-06-28 12:32:07 UTC
GLSA Vote: No