From the changelog:

"Security
- mod_limits, prosody.cfg.lua: Enable rate limits by default
- certmanager: Disable renegotiation by default
- mod_proxy65: Restrict access to local c2s connections by default
- util.startup: Set more aggressive defaults for GC
- mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits
- mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
- mod_dialback: Remove dialback-without-dialback feature
- mod_dialback: Use constant-time comparison with hmac"

See https://prosody.im/security/advisory_20210512/.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a6d44e5859ff7c72680a187c29eb4c68f67240d

commit 5a6d44e5859ff7c72680a187c29eb4c68f67240d
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-05-13 23:26:34 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-05-13 23:26:34 +0000

    net-im/prosody: bump to version 0.11.9

    Bug: https://bugs.gentoo.org/789969
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-im/prosody/Manifest              |   1 +
 net-im/prosody/prosody-0.11.9.ebuild | 102 +++++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+)
Please stabilize.
amd64 stable
x86 stable
arm done
arm64 done

all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2992fce599930fda0a031eeab572bdcab1fcb7a1

commit 2992fce599930fda0a031eeab572bdcab1fcb7a1
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-05-16 00:56:57 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-05-16 00:56:57 +0000

    net-im/prosody: drop old version

    Bug: https://bugs.gentoo.org/789969
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-im/prosody/Manifest              |   1 -
 net-im/prosody/prosody-0.11.8.ebuild | 102 -----------------------------------
 2 files changed, 103 deletions(-)
Thank you!
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-15 at https://security.gentoo.org/glsa/202105-15 by GLSA coordinator Thomas Deutschmann (whissi).