author    Peter Korsgaard <peter@korsgaard.com>  2021-05-14 11:43:09 +0200
committer Peter Korsgaard <peter@korsgaard.com>  2021-05-14 23:01:19 +0200
commit    9c108afab81b675eddc1f71cc496b47d9077bdb1 (patch)
tree      592062bb853bdb3811f3af559d1d78fcc85ead68 /package/libbsd
parent    aa31d10808df0560cc9e9b92acadad1af9a041e9 (diff)
package/prosody: security bump to version 0.11.9

Fixes the following security issues:

- CVE-2021-32918: DoS via insufficient memory consumption controls

  It was discovered that default settings leave Prosody susceptible to
  remote unauthenticated denial-of-service (DoS) attacks via memory
  exhaustion when running under Lua 5.2 or Lua 5.3. Lua 5.2 is the default
  and recommended Lua version for Prosody 0.11.x series.

- CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU
  consumption

  It was discovered that Prosody does not disable SSL/TLS renegotiation,
  even though this is not used in XMPP. A malicious client may flood a
  connection with renegotiation requests to consume excessive CPU
  resources on the server.

- CVE-2021-32921: Use of timing-dependent string comparison with sensitive
  values

  It was discovered that Prosody does not use a constant-time algorithm for
  comparing certain secret strings when running under Lua 5.2 or later.
  This can potentially be used in a timing attack to reveal the contents of
  secret strings to an attacker.

- CVE-2021-32917: Use of mod_proxy65 is unrestricted in default
  configuration

  mod_proxy65 is a file transfer proxy provided with Prosody to facilitate
  the transfer of files and other data between XMPP clients. It was
  discovered that the proxy65 component of Prosody allows open access by
  default, even if neither of the users have an XMPP account on the local
  server, allowing unrestricted use of the server’s bandwidth.

- CVE-2021-32919: Undocumented dialback-without-dialback option insecure

  The undocumented option ‘dialback_without_dialback’ enabled an
  experimental feature for server-to-server authentication. A flaw in this
  feature meant it did not correctly authenticate remote servers, allowing
  a remote server to impersonate another server when this option is
  enabled.

For more details, see the advisory:
https://prosody.im/security/advisory_20210512/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
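The CVE-2021-32921 item above describes the timing-dependent comparison class of bug. As an added illustration (not code from Prosody, which is written in Lua, nor from Buildroot), the Python below puts a naive early-exit comparison next to a constant-time one and counts how many bytes each examines, which is the quantity an attacker's timing measurement would track. The names `leaky_compare`, `constant_time_compare`, `verify_token` and the token value are constructed for this example; `hmac.compare_digest` is the standard-library call application code should actually use.

```python
import hmac

# Constructed sample secret for the demonstration; not a real credential.
SECRET = b"s3cr3t-token-value"


def leaky_compare(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Naive comparison that stops at the first mismatching byte.

    Returns (equal, bytes_examined). The second value is the leak: the loop
    count, and therefore the running time, grows with the length of the
    candidate's correct prefix, so it reveals information about the secret.
    """
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Comparison whose work does not depend on where the inputs differ.

    Every byte is visited and the XOR of each pair is OR-ed into one
    accumulator; the result is only inspected after the loop. The length
    check still short-circuits, which reveals the secret's length but not
    its contents; hmac.compare_digest behaves the same way.
    """
    if len(expected) != len(candidate):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def verify_token(expected: bytes, candidate: bytes) -> bool:
    """What application code should call: the stdlib constant-time compare."""
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    # A wrong first byte vs. a wrong eleventh byte: the leaky version does
    # 1 and 11 units of work, the constant-time version always does 18.
    for guess in (b"x" * len(SECRET), b"s3cr3t-tokXX-value", SECRET):
        print(guess, leaky_compare(SECRET, guess), constant_time_compare(SECRET, guess))
```

Running the block shows the leaky comparison's examined-byte count climbing as the guess's matching prefix grows, while the constant-time version reports the full length every time; that flat profile is the property a fix for this bug class has to provide.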
Diffstat (limited to 'package/libbsd')
0 files changed, 0 insertions, 0 deletions