
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2143
                          prosody security update
                               16 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           prosody
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32921 CVE-2021-32917 

Reference:         ESB-2021.1668

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2687

- --------------------------BEGIN INCLUDED TEXT--------------------


- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2687-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
June 15, 2021                                 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : prosody
Version        : 0.9.12-2+deb9u3
CVE ID         : CVE-2021-32917 CVE-2021-32921

Two security issues have been discovered in prosody:

CVE-2021-32917

    The proxy65 component allows open access by default, even if neither of the
    users has an XMPP account on the local server, allowing unrestricted use of
    the server's bandwidth.

CVE-2021-32921

    The authentication module does not use a constant-time algorithm for
    comparing certain secret strings when running under Lua 5.2 or later.
    Because the comparison exits early on the first mismatching byte, an
    attacker who can measure response times could potentially use it in a
    timing attack to reveal the contents of those secret strings.
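To illustrate the class of defect behind CVE-2021-32921 and its standard mitigation, here is an added Python example (not prosody's own code, which is written in Lua): an early-exit comparison beside a comparison whose work does not depend on where the first mismatch occurs, and a token check built on the standard library's constant-time primitive.

```python
import hmac


def naive_equal(a: bytes, b: bytes) -> bool:
    """Early-exit comparison: the pattern the advisory warns about.

    Returns as soon as the first mismatching byte is found, so the time
    taken depends on how many leading bytes of the guess were correct.
    """
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Compare two byte strings without a data-dependent early exit.

    Every byte pair is XORed and OR-accumulated, so the loop does the same
    amount of work whether the mismatch is in the first or the last byte.
    Only the length remains observable, which is acceptable for fixed-size
    values such as digests and session tokens.
    """
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def verify_token(presented: str, expected: str) -> bool:
    """Check a client-supplied secret against the stored one.

    hmac.compare_digest is the standard-library constant-time comparison
    and is the right choice in application code instead of '=='.
    """
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected.encode("utf-8"))
```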

For Debian 9 stretch, these problems have been fixed in version
0.9.12-2+deb9u3.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/prosody

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================