http://blog.prosody.im/prosody-0-9-9-security-release/

This release contains important fixes for two security issues recently discovered in Prosody. It also contains various other fixes and improvements we have made since 0.9.8. We strongly recommend that you upgrade your server as soon as possible.

Another important note is that for a number of reasons we have dropped Windows support with this release. If you are affected by this, please contact us directly via email at developers@prosody.im.

A summary of changes:

Security fixes:
- Fix path traversal vulnerability in mod_http_files (CVE-2016-1231)
- Fix use of weak PRNG in generation of dialback secrets (CVE-2016-1232)

Bugs:
- Improve handling of CNAME records in DNS
- Fix traceback when deleting a user in some configurations (issue #496)
- MUC: restrict_room_creation could prevent users from joining rooms (issue #458)
- MUC: fix occasional dropping of iq stanzas sent privately between occupants
- Fix a potential memory leak in mod_pep

Additions:
- Add http:list() command to telnet to view active HTTP services
- Simplify IPv4/v6 address selection code for outgoing s2s
- Add support for importing SCRAM hashes from ejabberd

Reproducible: Always
Add v0.9.9 to the tree, with KEYWORDS="~amd64 ~arm ~x86". Will send to stabilization in 10 days unless there are bugs/objections.
(In reply to Tobias Klausmann from comment #1)
> Will send to stabilization in 10 days unless there are bugs/objections.

Based on it being a security fix and upstream recommending an upgrade "as soon as possible", could we expedite this please?
Arches, please test & mark stable:
=net-im/prosody-0.9.9

Any concerns about expedited stable can be raised here or with me personally.
(In reply to Tony Vroon from comment #3)
> Arches, please test & mark stable:
> =net-im/prosody-0.9.9
>
> Any concerns about expedited stable can be raised here or with me personally.

I am an idiot and filed 571764 separately. I have done the stabilization on amd64; x86 and arm are still open.
x86 done
arm stable, all arches done.
CVE-2016-1232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1232):
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.

CVE-2016-1231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1231):
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.
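The two CVE descriptions above name two distinct defects: a file server that let ".." escape its document root, and a dialback secret drawn from a weak PRNG. The example below is added here and is not Prosody's code; it shows, in Python, the corresponding checks a file-serving module and a dialback implementation should apply (the document root path and the request strings are constructed for illustration).

```python
"""Added example (not Prosody code): the two hardening checks implied by
CVE-2016-1231 (path traversal in a static file server) and CVE-2016-1232
(weak PRNG for dialback secrets)."""
import os
import secrets
from typing import Optional
from urllib.parse import unquote

# Assumed document root; realpath() so the prefix check below compares
# canonical paths on both sides.
DOC_ROOT = os.path.realpath("/var/www/prosody-files")


def resolve_safe(root: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path onto a file under `root`.

    Returns the canonical absolute path, or None when the request would
    escape the root. Percent-decoding happens before normalisation so an
    encoded "%2e%2e" is treated exactly like a literal "..".
    """
    decoded = unquote(request_path)
    # Drop the leading "/" so os.path.join keeps `root` as the base.
    joined = os.path.join(root, decoded.lstrip("/"))
    # realpath() collapses "." and ".." segments and follows symlinks, so
    # the check is made on where the request actually lands.
    candidate = os.path.realpath(joined)
    # Compare on root plus separator: a bare startswith(root) would accept
    # a sibling directory such as "/var/www/prosody-files-private".
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def new_dialback_secret(nbytes: int = 32) -> str:
    """Dialback secret from the OS CSPRNG, hex-encoded.

    256 bits from `secrets` (not `random`, which is a Mersenne Twister and
    not suitable for security tokens) removes the brute-force weakness that
    CVE-2016-1232 describes.
    """
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed request paths: the first two must be rejected.
    for req in ("../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                "docs/../index.html", "/css/style.css"):
        print(f"{req!r:32} -> {resolve_safe(DOC_ROOT, req)}")
    print("dialback secret:", new_dialback_secret())
```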
Cleanup complete by maintainer: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b0fbe83 GLSA Vote: No