-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2143
                         prosody security update
                               16 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           prosody
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32921 CVE-2021-32917
Reference:         ESB-2021.1668

Original Bulletin:
   https://www.debian.org/lts/security/2021/dla-2687

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2687-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Anton Gladky
June 15, 2021                                 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : prosody
Version        : 0.9.12-2+deb9u3
CVE ID         : CVE-2021-32917 CVE-2021-32921

Two security issues have been discovered in prosody:

CVE-2021-32917

    The proxy65 component allows open access by default, even if neither
    of the users has an XMPP account on the local server, allowing
    unrestricted use of the server's bandwidth.

CVE-2021-32921

    Authentication module does not use a constant-time algorithm for
    comparing certain secret strings when running under Lua 5.2 or later.
    This can potentially be used in a timing attack to reveal the contents
    of secret strings to an attacker.

For Debian 9 stretch, these problems have been fixed in version
0.9.12-2+deb9u3.

We recommend that you upgrade your prosody packages.
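For CVE-2021-32917, the operator-side mitigation on a server that cannot yet take the fixed package is to stop the proxy from relaying for arbitrary JIDs. The configuration below is an added example, not text from the advisory or from the Prosody project; it uses the `proxy65_acl` option as documented for mod_proxy65 (check it against the version you run), and `example.com` / `proxy.example.com` are placeholders.

```lua
-- Added example of a Prosody configuration: the proxy65 component without
-- and with an access list. Hostnames are placeholders.

VirtualHost "example.com"

-- Weak: with no ACL the component relays SOCKS5 bytestreams for any two
-- JIDs, including pairs where neither party has an account on this server
-- (the CVE-2021-32917 condition), so anyone can consume its bandwidth.
-- Component "proxy.example.com" "proxy65"

-- Corrected: only transfers involving a JID on example.com may use the
-- proxy. Entries may be hosts or full JIDs per the mod_proxy65 docs.
Component "proxy.example.com" "proxy65"
    proxy65_acl = { "example.com" }
```

After changing the component, reload the configuration and confirm that a transfer between two JIDs not on the listed host is refused.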
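CVE-2021-32921 concerns how the secret is compared, so the following added example (my own code, not Prosody's authentication module) puts an early-exit comparison beside a constant-time one. On Lua 5.2 and later long strings are no longer interned, so `==` on them falls through to a byte-wise memcmp that stops at the first mismatch, which is the data-dependent behaviour the advisory describes. Both functions also return the number of bytes they examined, so the leak can be shown deterministically rather than with a noisy clock; the secret and guesses are constructed sample values.

```lua
-- Added example, not Prosody's code. Each function returns (equal, bytes_examined).

-- Early-exit comparison: the work done grows with the length of the matching
-- prefix, which is what a timing attack measures.
local function naive_equal(secret, provided)
  local work = 0
  if #secret ~= #provided then return false, work end
  for i = 1, #secret do
    work = work + 1
    if secret:byte(i) ~= provided:byte(i) then
      return false, work  -- stops here: reveals how far the guess got
    end
  end
  return true, work
end

-- Constant-time comparison: always walks every byte and folds the differences
-- into an integer using arithmetic only (no bit32 or 5.3 operators), so the
-- work never depends on the secret's contents. Only the length is revealed,
-- which is acceptable for fixed-size tokens and digests.
local function constant_time_equal(secret, provided)
  local work = 0
  if #secret ~= #provided then return false, work end
  local diff = 0
  for i = 1, #secret do
    work = work + 1
    diff = diff + math.abs(secret:byte(i) - provided:byte(i))
  end
  return diff == 0, work
end

-- Constructed sample values (not from the advisory); all 36 bytes long.
local secret = "9f3c1b6e-constructed-secret-token-00"
local guesses = {
  "Xf3c1b6e-constructed-secret-token-00",  -- wrong in byte 1
  "9f3c1b6e-constructed-secret-tokeX-00",  -- wrong near the end
  secret,                                  -- exact match
}
for _, g in ipairs(guesses) do
  local n_ok, n_work = naive_equal(secret, g)
  local c_ok, c_work = constant_time_equal(secret, g)
  print(string.format("naive: %-5s after %2d bytes | constant-time: %-5s after %2d bytes",
    tostring(n_ok), n_work, tostring(c_ok), c_work))
end
```

The naive function reports 1, 33 and 36 bytes examined for the three guesses while the constant-time one reports 36 every time; that difference in work, not the boolean result, is the signal the advisory warns about.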
For the detailed security status of prosody please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/prosody

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.