[SECURITY] [DLA 407-1] prosody security update

ID DEBIAN:DLA-407-1:8E767
Type debian
Reporter Debian
Modified 2016-01-30T23:02:36


Package        : prosody
Version        : 0.7.0-1squeeze1+deb6u2
CVE ID         : CVE-2016-0756

Prosody generated server-to-server dialback keys (XEP-0220) by concatenating the stream id and the two domain names without a separator between the fields, so the boundary between one field and the next was ambiguous. The flaw allows a malicious server to impersonate the vulnerable domain to any XMPP domain whose domain name includes the attacker's domain as a suffix.

For example, a server controlling 'bber.example' would be able to connect to 'jabber.example' and successfully impersonate any vulnerable server on the network.
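The following Python model shows why an unseparated concatenation of dialback key inputs lets a suffix domain forge a key. It is an added example, not Prosody's code and not part of this advisory: the derivation (HMAC-SHA256 over stream id, then 'to', then 'from'), the field order, the domain names and the stream ids are all assumptions constructed for illustration. The attacker needs two things it legitimately controls: its own domain name, which is a suffix of the target's, and the stream id it assigns when the vulnerable server opens a stream to it.

```python
"""Suffix-domain forgery of an unseparated dialback key (constructed model)."""
import hashlib
import hmac
import os

SEP = "\0"  # separator that cannot appear in a DNS name


def key_no_separator(secret: bytes, stream_id: str, to: str, from_: str) -> str:
    """Vulnerable derivation (assumed order id|to|from, no separator):
    different (stream_id, to, from) triples can produce identical input bytes."""
    msg = (stream_id + to + from_).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def key_with_separator(secret: bytes, stream_id: str, to: str, from_: str) -> str:
    """Hardened derivation: a separator that no field may contain makes the
    encoding of the triple injective. Reject fields that contain it anyway,
    since the stream id is chosen by the remote side."""
    for name, value in (("stream_id", stream_id), ("to", to), ("from", from_)):
        if SEP in value:
            raise ValueError(f"{name} contains the separator byte")
    msg = SEP.join((stream_id, to, from_)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def split_target(target: str, attacker_domain: str) -> str:
    """Prefix the attacker must append to the stream id so that
    prefix + attacker_domain == target. Fails unless attacker_domain is a
    proper suffix of target (the precondition stated in the advisory)."""
    if target == attacker_domain or not target.endswith(attacker_domain):
        raise ValueError("attacker's domain is not a proper suffix of the target")
    return target[: -len(attacker_domain)]


def run_scenario(derive) -> bool:
    """Return True if the attacker's forwarded key passes verification."""
    victim = "victim.example"    # vulnerable server; only it knows `secret`
    target = "jabber.example"    # server the attacker wants to deceive
    attacker = "bber.example"    # attacker's domain, a suffix of `target`
    secret = os.urandom(32)

    # 1. Attacker opens an s2s stream to `target` claiming from=victim.
    #    `target` assigns the stream id and will later ask `victim` to
    #    verify the key for (id, to=target, from=victim).
    target_stream_id = "8f3c2a91"  # constructed sample id
    expected = derive(secret, target_stream_id, target, victim)

    # 2. Attacker induces `victim` to open a stream to `attacker` (for example
    #    by messaging one of its users). As the receiving side, the attacker
    #    chooses the stream id so that id + attacker == target_stream_id + target.
    crafted_id = target_stream_id + split_target(target, attacker)  # "8f3c2a91ja"
    leaked = derive(secret, crafted_id, attacker, victim)  # victim sends this in db:result

    # 3. Attacker forwards `leaked` to `target` as the key for the stream in
    #    step 1; `target` asks `victim` to verify and `victim` recomputes `expected`.
    return hmac.compare_digest(leaked, expected)


if __name__ == "__main__":
    print("unseparated key forged:", run_scenario(key_no_separator))   # True
    print("separated key forged:  ", run_scenario(key_with_separator))  # False
```

The hardened variant shows the two checks a practitioner wants: an unambiguous encoding of the fields, and rejection of any remotely supplied field that contains the separator, so the remote side cannot reintroduce the ambiguity through the stream id.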

This update also fixes a regression introduced by the previous update for CVE-2016-1232: server-to-server (s2s) connections did not work if /dev/urandom is read-only.