Detections
Analytics

openSUSE Security Update : prosody (openSUSE-2021-728)

high Nessus Plugin ID 149566

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for prosody fixes the following issues :

prosody was updated to 0.11.9 :

Security :

 - mod_limits, prosody.cfg.lua: Enable rate limits by default

 - certmanager: Disable renegotiation by default

 - mod_proxy65: Restrict access to local c2s connections by default

 - util.startup: Set more aggressive defaults for GC

 - mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits

 - mod_authinternal(plain,hashed): Use constant-time string comparison for secrets

 - mod_dialback: Remove dialback-without-dialback feature

 - mod_dialback: Use constant-time comparison with hmac

Minor changes :

 - util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)

 - mod_c2s: Don’t throw errors in async code when connections are gone

 - mod_c2s: Fix traceback in session close when conn is nil

 - core.certmanager: Improve detection of LuaSec/OpenSSL capabilities

 - mod_saslauth: Use a defined SASL error

 - MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info

 - mod_saslauth: Don’t throw errors in async code when connections are gone

 - mod_pep: Advertise base pubsub feature (fixes #1632:
 mod_pep missing pubsub feature in disco)

 - prosodyctl check config: Add ‘gc’ to list of global options

 - prosodyctl about: Report libexpat version if known

 - util.xmppstream: Add API to dynamically configure the stanza size limit for a stream

 - util.set: Add is_set() to test if an object is a set

 - mod_http: Skip IP resolution in non-proxied case

 - mod_c2s: Log about missing conn on async state changes

 - util.xmppstream: Reduce internal default xmppstream limit to 1MB

Relevant: https://prosody.im/security/advisory_20210512

 - boo#1186027: Prosody XMPP server advisory 2021-05-12

 - CVE-2021-32919

 - CVE-2021-32917

 - CVE-2021-32917

 - CVE-2021-32920

 - CVE-2021-32918

Update to 0.11.8 :

Security :

 - mod_saslauth: Disable ‘tls-unique’ channel binding with TLS 1.3 (#1542)

Fixes and improvements :

 - net.websocket.frames: Improve websocket masking performance by using the new util.strbitop

 - util.strbitop: Library for efficient bitwise operations on strings

Minor changes :

 - MUC: Correctly advertise whether the subject can be changed (#1155)

 - MUC: Preserve disco ‘node’ attribute (or lack thereof) in responses (#1595)

 - MUC: Fix logic bug causing unnecessary presence to be sent (#1615)

 - mod_bosh: Fix error if client tries to connect to component (#425)

 - mod_bosh: Pick out the ‘wait’ before checking it instead of earlier

 - mod_pep: Advertise base PubSub feature (#1632)

 - mod_pubsub: Fix notification stanza type setting (#1605)

 - mod_s2s: Prevent keepalives before client has established a stream

 - net.adns: Fix bug that sent empty DNS packets (#1619)

 - net.http.server: Don’t send Content-Length on 1xx/204 responses (#1596)

 - net.websocket.frames: Fix length calculation bug (#1598)

 - util.dbuffer: Make length API in line with Lua strings

 - util.dbuffer: Optimize substring operations

 - util.debug: Fix locals being reported under wrong stack frame in some cases

 - util.dependencies: Fix check for Lua bitwise operations library (#1594)

 - util.interpolation: Fix combination of filters and fallback values #1623

 - util.promise: Preserve tracebacks

 - util.stanza: Reject ASCII control characters (#1606)

 - timers: Ensure timers can’t block other processing (#1620)

Update to 0.11.7 :

Security :

 - mod_websocket: Enforce size limits on received frames (fixes #1593)

Fixes and improvements :

 - mod_c2s, mod_s2s: Make stanza size limits configurable

 - Add configuration options to control Lua garbage collection parameters

 - net.http: Backport SNI support for outgoing HTTP requests (#409)

 - mod_websocket: Process all data in the buffer on close frame and connection errors (fixes #1474, #1234)

 - util.indexedbheap: Fix heap data structure corruption, causing some timers to fail after a reschedule (fixes #1572)

Update to 0.11.6 :

Fixes and improvements :

 - mod_storage_internal: Fix error in time limited queries on items without ‘when’ field, fixes #1557

 - mod_carbons: Fix handling of incoming MUC PMs #1540

 - mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important

 - mod_http_files: Avoid using inode in etag, fixes #1498:
 Fail to download file on FreeBSD

 - mod_admin_telnet: Create a DNS resolver per console session (fixes #1492: Telnet console DNS commands reduced usefulness)

 - core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)

 - mod_s2s: Escape invalid XML in loggin (same way as mod_c2s) (fixes #1574: Invalid XML input on s2s connection is logged unescaped)

 - mod_muc: Allow control over the server-admins-are-room-owners feature (see #1174)

 - mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552: MUC MAM may strip its own archive id)

 - mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam does not strip spoofed stanza ids

 - mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547: mod_muc_mam does not advertise stanza-id

Minor changes :

 - net.http API: Add request:cancel() method

 - net.http API: Fix traceback on invalid URL passed to request()

 - MUC: Persist affiliation_data in new MUC format

 - mod_websocket: Fire event on session creation (thanks Aaron van Meerten)

 - MUC: Always include ‘affiliation’/‘role’ attributes, defaulting to ‘none’ if nil

 - mod_tls: Log when certificates are (re)loaded

 - mod_vcard4: Report correct error condition (fixes #1521:
 mod_vcard4 reports wrong error)

 - net.http: Re-expose destroy_request() function (fixes unintentional API breakage)

 - net.http.server: Strip port from Host header in IPv6 friendly way (fix #1302)

 - util.prosodyctl: Tell prosody do daemonize via command line flag (fixes #1514)

 - SASL: Apply saslprep where necessary, fixes #1560: Login fails if password contains special chars

 - net.http.server: Fix reporting of missing Host header

 - util.datamanager API: Fix iterating over “users” (thanks marc0s)

 - net.resolvers.basic: Default conn_type to ‘tcp’ consistently if unspecified (thanks marc0s)

 - mod_storage_sql: Fix check for deletion limits (fixes #1494)

 - mod_admin_telnet: Handle unavailable cipher info (fixes #1510: mod_admin_telnet backtrace)

 - Log warning when using prosodyctl start/stop/restart

 - core.certmanager: Look for privkey.pem to go with fullchain.pem (fixes #1526)

 - mod_storage_sql: Add index covering sort_id to improve performance (fixes #1505)

 - mod_mam,mod_muc_mam: Allow other work to be performed during archive cleanup (fixes #1504)

 - mod_muc_mam: Don’t strip MUC tags, fix #1567: MUC tags stripped by mod_muc_mam

 - mod_pubsub, mod_pep: Ensure correct number of children of (fixes #1496)

 - mod_register_ibr: Add FORM_TYPE as required by XEP-0077 (fixes #1511)

 - mod_muc_mam: Fix traceback saving message from non-occupant (fixes #1497)

 - util.startup: Remove duplicated initialization of logging (fix #1527: startup: Logging initialized twice)

Solution

Update the affected prosody packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1186027

https://prosody.im/security/advisory_20210512

Plugin Details

Severity: High

ID: 149566

File Name: openSUSE-2021-728.nasl

Version: 1.3

Type: local

Agent: unix

Published: 5/18/2021

Updated: 5/25/2021

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-32919

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:prosody, p-cpe:/a:novell:opensuse:prosody-debuginfo, p-cpe:/a:novell:opensuse:prosody-debugsource, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 5/14/2021

Vulnerability Publication Date: 5/13/2021

Reference Information

CVE: CVE-2021-32917, CVE-2021-32918, CVE-2021-32919, CVE-2021-32920