Fedora 32 : prosody (2020-a48bf86c27)

high Nessus Plugin ID 141392

Synopsis

The remote Fedora host is missing a security update.

Description

Prosody 0.11.7

This is a security release for the 0.11.x stable branch. It is strongly recommended that all users upgrade to this release, especially those whose deployments have enabled `mod_websocket`.

As well as upgrading, we recommend that all public deployments review and configure the `c2s_stanza_size_limit` and `s2s_stanza_size_limit` options to values they are comfortable with. The value is specified in bytes. The XMPP specification requires the limit to be at least 10000 bytes; however, it also recommends against simply setting the limit to 10000 bytes. We are working to obtain data on real-world stanza sizes in order to determine sensible defaults suitable for a future release.

Security

- mod_websocket: Enforce size limits on received frames (fixes #1593)

Fixes and improvements

- mod_c2s, mod_s2s: Make stanza size limits configurable

- Add configuration options to control Lua garbage collection parameters

- net.http: Backport SNI support for outgoing HTTP requests (#409)

- mod_websocket: Process all data in the buffer on close frame and connection errors (fixes #1474, #1234)

- util.indexedbheap: Fix heap data structure corruption, causing some timers to fail after a reschedule (fixes #1572)

Prosody 0.11.6

This release brings a collection of fixes and improvements added since the 0.11.5 release improving security, performance, usability and interoperability.

This version continues the deprecation of using `prosodyctl` to start/stop Prosody.

Fixes and improvements

- mod_storage_internal: Fix error in time limited queries on items without ‘when’ field, fixes #1557

- mod_carbons: Fix handling of incoming MUC PMs #1540

- mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important

- mod_http_files: Avoid using inode in etag (fixes #1498: Fail to download file on FreeBSD)

- mod_admin_telnet: Create a DNS resolver per console session (fixes #1492: Telnet console DNS commands reduced usefulness)

- core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)

- mod_s2s: Escape invalid XML in logging (same way as mod_c2s) (fixes #1574: Invalid XML input on s2s connection is logged unescaped)

- mod_muc: Allow control over the server-admins-are-room-owners feature (see #1174)

- mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552: MUC MAM may strip its own archive id)

- mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam does not strip spoofed stanza ids

- mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547: mod_muc_mam does not advertise stanza-id

Minor changes

- net.http API: Add `request:cancel()` method

- net.http API: Fix traceback on invalid URL passed to request()

- MUC: Persist affiliation_data in new MUC format

- mod_websocket: Fire event on session creation (thanks Aaron van Meerten)

- MUC: Always include ‘affiliation’/‘role’ attributes, defaulting to ‘none’ if nil

- mod_tls: Log when certificates are (re)loaded

- mod_vcard4: Report correct error condition (fixes #1521: mod_vcard4 reports wrong error)

- net.http: Re-expose `destroy_request()` function (fixes unintentional API breakage)

- net.http.server: Strip port from Host header in IPv6 friendly way (fix #1302)

- util.prosodyctl: Tell prosody to daemonize via command line flag (fixes #1514)

- SASL: Apply saslprep where necessary, fixes #1560: Login fails if password contains special chars

- net.http.server: Fix reporting of missing Host header

- util.datamanager API: Fix iterating over “users” (thanks marc0s)

- net.resolvers.basic: Default conn_type to ‘tcp’ consistently if unspecified (thanks marc0s)

- mod_storage_sql: Fix check for deletion limits (fixes #1494)

- mod_admin_telnet: Handle unavailable cipher info (fixes #1510: mod_admin_telnet backtrace)

- Log warning when using `prosodyctl start/stop/restart`

- core.certmanager: Look for `privkey.pem` to go with `fullchain.pem` (fixes #1526)

- mod_storage_sql: Add index covering sort_id to improve performance (fixes #1505)

- mod_mam,mod_muc_mam: Allow other work to be performed during archive cleanup (fixes #1504)

- mod_muc_mam: Don’t strip MUC tags, fix #1567: MUC tags stripped by mod_muc_mam

- mod_pubsub, mod_pep: Ensure correct number of children of (fixes #1496)

- mod_register_ibr: Add FORM_TYPE as required by XEP-0077 (fixes #1511)

- mod_muc_mam: Fix traceback saving message from non-occupant (fixes #1497)

- util.startup: Remove duplicated initialization of logging (fix #1527: startup: Logging initialized twice)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected prosody package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2020-a48bf86c27

Plugin Details

Severity: High

ID: 141392

File Name: fedora_2020-a48bf86c27.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/12/2020

Updated: 10/12/2020

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:prosody, cpe:/o:fedoraproject:fedora:32

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 10/9/2020

Vulnerability Publication Date: 10/9/2020

Reference Information