This update for prosody fixes the following issues :
prosody was updated to 0.11.9 :
Security :
mod_limits, prosody.cfg.lua: Enable rate limits by default
certmanager: Disable renegotiation by default
mod_proxy65: Restrict access to local c2s connections by default
util.startup: Set more aggressive defaults for GC
mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits
mod_authinternal(plain,hashed): Use constant-time string comparison for secrets
mod_dialback: Remove dialback-without-dialback feature
mod_dialback: Use constant-time comparison with hmac
Minor changes :
util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)
mod_c2s: Donβt throw errors in async code when connections are gone
mod_c2s: Fix traceback in session close when conn is nil
core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
mod_saslauth: Use a defined SASL error
MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info
mod_saslauth: Donβt throw errors in async code when connections are gone
mod_pep: Advertise base pubsub feature (fixes #1632:
mod_pep missing pubsub feature in disco)
prosodyctl check config: Add βgcβ to list of global options
prosodyctl about: Report libexpat version if known
util.xmppstream: Add API to dynamically configure the stanza size limit for a stream
util.set: Add is_set() to test if an object is a set
mod_http: Skip IP resolution in non-proxied case
mod_c2s: Log about missing conn on async state changes
util.xmppstream: Reduce internal default xmppstream limit to 1MB
Relevant: https://prosody.im/security/advisory_20210512
boo#1186027: Prosody XMPP server advisory 2021-05-12
CVE-2021-32919
CVE-2021-32917
CVE-2021-32917
CVE-2021-32920
CVE-2021-32918
Update to 0.11.8 :
Security :
Fixes and improvements :
net.websocket.frames: Improve websocket masking performance by using the new util.strbitop
util.strbitop: Library for efficient bitwise operations on strings
Minor changes :
MUC: Correctly advertise whether the subject can be changed (#1155)
MUC: Preserve disco βnodeβ attribute (or lack thereof) in responses (#1595)
MUC: Fix logic bug causing unnecessary presence to be sent (#1615)
mod_bosh: Fix error if client tries to connect to component (#425)
mod_bosh: Pick out the βwaitβ before checking it instead of earlier
mod_pep: Advertise base PubSub feature (#1632)
mod_pubsub: Fix notification stanza type setting (#1605)
mod_s2s: Prevent keepalives before client has established a stream
net.adns: Fix bug that sent empty DNS packets (#1619)
net.http.server: Donβt send Content-Length on 1xx/204 responses (#1596)
net.websocket.frames: Fix length calculation bug (#1598)
util.dbuffer: Make length API in line with Lua strings
util.dbuffer: Optimize substring operations
util.debug: Fix locals being reported under wrong stack frame in some cases
util.dependencies: Fix check for Lua bitwise operations library (#1594)
util.interpolation: Fix combination of filters and fallback values #1623
util.promise: Preserve tracebacks
util.stanza: Reject ASCII control characters (#1606)
timers: Ensure timers canβt block other processing (#1620)
Update to 0.11.7 :
Security :
Fixes and improvements :
mod_c2s, mod_s2s: Make stanza size limits configurable
Add configuration options to control Lua garbage collection parameters
net.http: Backport SNI support for outgoing HTTP requests (#409)
mod_websocket: Process all data in the buffer on close frame and connection errors (fixes #1474, #1234)
util.indexedbheap: Fix heap data structure corruption, causing some timers to fail after a reschedule (fixes #1572)
Update to 0.11.6 :
Fixes and improvements :
mod_storage_internal: Fix error in time limited queries on items without βwhenβ field, fixes #1557
mod_carbons: Fix handling of incoming MUC PMs #1540
mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important
mod_http_files: Avoid using inode in etag, fixes #1498:
Fail to download file on FreeBSD
mod_admin_telnet: Create a DNS resolver per console session (fixes #1492: Telnet console DNS commands reduced usefulness)
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
mod_s2s: Escape invalid XML in loggin (same way as mod_c2s) (fixes #1574: Invalid XML input on s2s connection is logged unescaped)
mod_muc: Allow control over the server-admins-are-room-owners feature (see #1174)
mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552: MUC MAM may strip its own archive id)
mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam does not strip spoofed stanza ids
mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547: mod_muc_mam does not advertise stanza-id
Minor changes :
net.http API: Add request:cancel() method
net.http API: Fix traceback on invalid URL passed to request()
MUC: Persist affiliation_data in new MUC format
mod_websocket: Fire event on session creation (thanks Aaron van Meerten)
MUC: Always include βaffiliationβ/βroleβ attributes, defaulting to βnoneβ if nil
mod_tls: Log when certificates are (re)loaded
mod_vcard4: Report correct error condition (fixes #1521:
mod_vcard4 reports wrong error)
net.http: Re-expose destroy_request() function (fixes unintentional API breakage)
net.http.server: Strip port from Host header in IPv6 friendly way (fix #1302)
util.prosodyctl: Tell prosody do daemonize via command line flag (fixes #1514)
SASL: Apply saslprep where necessary, fixes #1560: Login fails if password contains special chars
net.http.server: Fix reporting of missing Host header
util.datamanager API: Fix iterating over βusersβ (thanks marc0s)
net.resolvers.basic: Default conn_type to βtcpβ consistently if unspecified (thanks marc0s)
mod_storage_sql: Fix check for deletion limits (fixes #1494)
mod_admin_telnet: Handle unavailable cipher info (fixes #1510: mod_admin_telnet backtrace)
Log warning when using prosodyctl start/stop/restart
core.certmanager: Look for privkey.pem to go with fullchain.pem (fixes #1526)
mod_storage_sql: Add index covering sort_id to improve performance (fixes #1505)
mod_mam,mod_muc_mam: Allow other work to be performed during archive cleanup (fixes #1504)
mod_muc_mam: Donβt strip MUC tags, fix #1567: MUC tags stripped by mod_muc_mam
mod_pubsub, mod_pep: Ensure correct number of children of (fixes #1496)
mod_register_ibr: Add FORM_TYPE as required by XEP-0077 (fixes #1511)
mod_muc_mam: Fix traceback saving message from non-occupant (fixes #1497)
util.startup: Remove duplicated initialization of logging (fix #1527: startup: Logging initialized twice)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2021-728.
#
# The text description of this plugin is (C) SUSE LLC.
#
include('deprecated_nasl_level.inc');
include("compat.inc");
if (description)
{
script_id(149566);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/05/25");
script_cve_id("CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920");
script_name(english:"openSUSE Security Update : prosody (openSUSE-2021-728)");
script_summary(english:"Check for the openSUSE-2021-728 patch");
script_set_attribute(
attribute:"synopsis",
value:"The remote openSUSE host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"This update for prosody fixes the following issues :
prosody was updated to 0.11.9 :
Security :
- mod_limits, prosody.cfg.lua: Enable rate limits by
default
- certmanager: Disable renegotiation by default
- mod_proxy65: Restrict access to local c2s connections by
default
- util.startup: Set more aggressive defaults for GC
- mod_c2s, mod_s2s, mod_component, mod_bosh,
mod_websockets: Set default stanza size limits
- mod_authinternal(plain,hashed): Use constant-time string
comparison for secrets
- mod_dialback: Remove dialback-without-dialback feature
- mod_dialback: Use constant-time comparison with hmac
Minor changes :
- util.hashes: Add constant-time string comparison
(binding to CRYPTO_memcmp)
- mod_c2s: Don’t throw errors in async code when
connections are gone
- mod_c2s: Fix traceback in session close when conn is nil
- core.certmanager: Improve detection of LuaSec/OpenSSL
capabilities
- mod_saslauth: Use a defined SASL error
- MUC: Add support for advertising
muc#roomconfig_allowinvites in room disco#info
- mod_saslauth: Don’t throw errors in async code
when connections are gone
- mod_pep: Advertise base pubsub feature (fixes #1632:
mod_pep missing pubsub feature in disco)
- prosodyctl check config: Add ‘gc’ to list of
global options
- prosodyctl about: Report libexpat version if known
- util.xmppstream: Add API to dynamically configure the
stanza size limit for a stream
- util.set: Add is_set() to test if an object is a set
- mod_http: Skip IP resolution in non-proxied case
- mod_c2s: Log about missing conn on async state changes
- util.xmppstream: Reduce internal default xmppstream
limit to 1MB
Relevant: https://prosody.im/security/advisory_20210512
- boo#1186027: Prosody XMPP server advisory 2021-05-12
- CVE-2021-32919
- CVE-2021-32917
- CVE-2021-32917
- CVE-2021-32920
- CVE-2021-32918
Update to 0.11.8 :
Security :
- mod_saslauth: Disable ‘tls-unique’ channel
binding with TLS 1.3 (#1542)
Fixes and improvements :
- net.websocket.frames: Improve websocket masking
performance by using the new util.strbitop
- util.strbitop: Library for efficient bitwise operations
on strings
Minor changes :
- MUC: Correctly advertise whether the subject can be
changed (#1155)
- MUC: Preserve disco ‘node’ attribute (or
lack thereof) in responses (#1595)
- MUC: Fix logic bug causing unnecessary presence to be
sent (#1615)
- mod_bosh: Fix error if client tries to connect to
component (#425)
- mod_bosh: Pick out the ‘wait’ before
checking it instead of earlier
- mod_pep: Advertise base PubSub feature (#1632)
- mod_pubsub: Fix notification stanza type setting (#1605)
- mod_s2s: Prevent keepalives before client has
established a stream
- net.adns: Fix bug that sent empty DNS packets (#1619)
- net.http.server: Don’t send Content-Length on
1xx/204 responses (#1596)
- net.websocket.frames: Fix length calculation bug (#1598)
- util.dbuffer: Make length API in line with Lua strings
- util.dbuffer: Optimize substring operations
- util.debug: Fix locals being reported under wrong stack
frame in some cases
- util.dependencies: Fix check for Lua bitwise operations
library (#1594)
- util.interpolation: Fix combination of filters and
fallback values #1623
- util.promise: Preserve tracebacks
- util.stanza: Reject ASCII control characters (#1606)
- timers: Ensure timers can’t block other processing
(#1620)
Update to 0.11.7 :
Security :
- mod_websocket: Enforce size limits on received frames
(fixes #1593)
Fixes and improvements :
- mod_c2s, mod_s2s: Make stanza size limits configurable
- Add configuration options to control Lua garbage
collection parameters
- net.http: Backport SNI support for outgoing HTTP
requests (#409)
- mod_websocket: Process all data in the buffer on close
frame and connection errors (fixes #1474, #1234)
- util.indexedbheap: Fix heap data structure corruption,
causing some timers to fail after a reschedule (fixes
#1572)
Update to 0.11.6 :
Fixes and improvements :
- mod_storage_internal: Fix error in time limited queries
on items without ‘when’ field, fixes #1557
- mod_carbons: Fix handling of incoming MUC PMs #1540
- mod_csi_simple: Consider XEP-0353: Jingle Message
Initiation important
- mod_http_files: Avoid using inode in etag, fixes #1498:
Fail to download file on FreeBSD
- mod_admin_telnet: Create a DNS resolver per console
session (fixes #1492: Telnet console DNS commands
reduced usefulness)
- core.certmanager: Move EECDH ciphers before EDH in
default cipherstring (fixes #1513)
- mod_s2s: Escape invalid XML in loggin (same way as
mod_c2s) (fixes #1574: Invalid XML input on s2s
connection is logged unescaped)
- mod_muc: Allow control over the
server-admins-are-room-owners feature (see #1174)
- mod_muc_mam: Remove spoofed archive IDs before archiving
(fixes #1552: MUC MAM may strip its own archive id)
- mod_muc_mam: Fix stanza id filter event name, fixes
#1546: mod_muc_mam does not strip spoofed stanza ids
- mod_muc_mam: Fix missing advertising of XEP-0359, fixes
#1547: mod_muc_mam does not advertise stanza-id
Minor changes :
- net.http API: Add request:cancel() method
- net.http API: Fix traceback on invalid URL passed to
request()
- MUC: Persist affiliation_data in new MUC format
- mod_websocket: Fire event on session creation (thanks
Aaron van Meerten)
- MUC: Always include
‘affiliation’/‘role’ attributes,
defaulting to ‘none’ if nil
- mod_tls: Log when certificates are (re)loaded
- mod_vcard4: Report correct error condition (fixes #1521:
mod_vcard4 reports wrong error)
- net.http: Re-expose destroy_request() function (fixes
unintentional API breakage)
- net.http.server: Strip port from Host header in IPv6
friendly way (fix #1302)
- util.prosodyctl: Tell prosody do daemonize via command
line flag (fixes #1514)
- SASL: Apply saslprep where necessary, fixes #1560: Login
fails if password contains special chars
- net.http.server: Fix reporting of missing Host header
- util.datamanager API: Fix iterating over
“users” (thanks marc0s)
- net.resolvers.basic: Default conn_type to
‘tcp’ consistently if unspecified (thanks
marc0s)
- mod_storage_sql: Fix check for deletion limits (fixes
#1494)
- mod_admin_telnet: Handle unavailable cipher info (fixes
#1510: mod_admin_telnet backtrace)
- Log warning when using prosodyctl start/stop/restart
- core.certmanager: Look for privkey.pem to go with
fullchain.pem (fixes #1526)
- mod_storage_sql: Add index covering sort_id to improve
performance (fixes #1505)
- mod_mam,mod_muc_mam: Allow other work to be performed
during archive cleanup (fixes #1504)
- mod_muc_mam: Don’t strip MUC tags, fix #1567: MUC
tags stripped by mod_muc_mam
- mod_pubsub, mod_pep: Ensure correct number of children
of (fixes #1496)
- mod_register_ibr: Add FORM_TYPE as required by XEP-0077
(fixes #1511)
- mod_muc_mam: Fix traceback saving message from
non-occupant (fixes #1497)
- util.startup: Remove duplicated initialization of
logging (fix #1527: startup: Logging initialized twice)"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1186027"
);
script_set_attribute(
attribute:"see_also",
value:"https://prosody.im/security/advisory_20210512"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected prosody packages."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-32919");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:prosody");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:prosody-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:prosody-debugsource");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.2");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/05/13");
script_set_attribute(attribute:"patch_publication_date", value:"2021/05/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/05/18");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"SuSE Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
flag = 0;
if ( rpm_check(release:"SUSE15.2", reference:"prosody-0.11.9-lp152.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"prosody-debuginfo-0.11.9-lp152.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"prosody-debugsource-0.11.9-lp152.2.3.1") ) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "prosody / prosody-debuginfo / prosody-debugsource");
}