Fedora 44 : prosody (2026-2947986ad6)

🗓️ 10 May 2026 00:00:00Reported by TenableType

Fedora 44 advisory: Prosody 13.0.5 fixes multiple security issues and memory leaks; upgrade now.

Reporter	Title	Published	Views	Family All 68
FreeBSD	Prosody XMPP server advisory 2026-04-29	29 Apr 202600:00	–	freebsd
ATTACKERKB	CVE-2026-43505	1 May 202614:42	–	attackerkb
ATTACKERKB	CVE-2026-43507	1 May 202614:47	–	attackerkb
ATTACKERKB	CVE-2026-43506	1 May 202614:45	–	attackerkb
ATTACKERKB	CVE-2026-43504	1 May 202614:40	–	attackerkb
AlpineLinux	CVE-2026-43504	1 May 202614:40	–	alpinelinux
AlpineLinux	CVE-2026-43505	1 May 202614:42	–	alpinelinux
AlpineLinux	CVE-2026-43506	1 May 202614:45	–	alpinelinux
AlpineLinux	CVE-2026-43507	1 May 202614:47	–	alpinelinux
CNNVD	Prosody 安全漏洞	1 May 202600:00	–	cnnvd

Source	Link
bodhi	www.bodhi.fedoraproject.org/updates/FEDORA-2026-2947986ad6
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2026-2947986ad6
#

include('compat.inc');

if (description)
{
  script_id(313721);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/10");

  script_cve_id(
    "CVE-2026-43504",
    "CVE-2026-43505",
    "CVE-2026-43506",
    "CVE-2026-43507"
  );
  script_xref(name:"FEDORA", value:"2026-2947986ad6");

  script_name(english:"Fedora 44 : prosody (2026-2947986ad6)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the
FEDORA-2026-2947986ad6 advisory.

    # Prosody 13.0.5

    Upstream is pleased to announce a new minor release from their stable branch.

    This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some
    memory leaks and some smaller bugs and changes which have been implemented since the previous release.

    Full details about the security vulnerabilities can be found in upstream's [security
    advisory](https://prosody.im/security/advisory_735dd9d3/). Upstream encourages all Prosody operators on
    13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement
    appropriate mitigations.

    A summary of changes in this release:

    ## Security
     - mod_proxy65: Consistently apply authorization checks
     - mod_proxy65: Dont proxy data until after bytestream activation
     - mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
     - Add limit for stanza max child elements
     - mod_c2s: Remove timers immediately on disconnection
     - net.server_epoll: Clean up timers after disconnection

    ## Fixes and improvements
     - net.http.parser: Fix handling of chunked request
     - MUC: Advertise hats feature on room JID
     - moduleapi: Use multitable add/remove instead of set (fixes memory leak)
     - mod_cloud_notify: Fix leaking iq response handlers by using `send_iq()`
     - Improve federation with servers using only IP addresses
     - prosody: Prevent loading local code when installed system-wide
     - mod_http_file_share: Improve handling of Range requests
     - mod_carbons: Fix some carbons decision-making bugs

    ## Minor changes
     - net.resolvers: Fix to avoid SRV lookups for IP addresses
     - prosody: Abort earlier on incompatible Lua version
     - mod_turn_external: hand out credentials for type `==` turns too
     - mod_s2s: Fully validate stream addressing
     - prosodyctl check features: Warn if http file sharing enabled on both host and component
     - util.prosodyctl: Dont check for mod_posix being disabled, its deprecated
     - util.startup: Improve error message when failing to load config file
     - util.x509: Add support for iPAddress certs
     - prosodyctl: Trim any trailing newline from password entry
     - mod_admin_shell: Make cert index search path relative to config file
     - mod_admin_shell: Improve multi-host command handling
     - mod_admin_shell: Show help listing when specifying only a section name
     - mod_admin_shell: Ensure password validity when setting passwords for new/existing users
     - mod_account_activity: Handle authentication provider returning no user info
     - config: Use default value when enum option has incorrect value
     - mod_http: Handle streaming requests to avoid invoking redirect handler


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2026-2947986ad6");
  script_set_attribute(attribute:"solution", value:
"Update the affected prosody package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-43507");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:44");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:prosody");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Fedora Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Fedora' >!< os_product) audit(AUDIT_OS_NOT, 'Fedora');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
if (! preg(pattern:"^44([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'Fedora 44', 'Fedora ' + os_version);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);

var constraints = [
  {
    'release': '44',
    'pkgs': [
      {'reference':'prosody-13.0.5-1.fc44', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'prosody');
}

10 May 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.16.5 - 7.5

EPSS0.00077

SSVC