logo
DATABASE RESOURCES PRICING ABOUT US

prosody - security update

Description

A denial-of-service vulnerability has been reported in Prosody, a XMPP server. If compression is enabled, an attacker might send highly-compressed XML elements (attack known as zip bomb) over XMPP streams and consume all the resources of the server. The SAX XML parser lua-expat is also affected by this issues. For the stable distribution (wheezy), this problem has been fixed in version 0.8.2-4+deb7u1 of prosody. For the unstable distribution (sid), this problem has been fixed in version 0.9.4-1 of prosody. For the stable distribution (wheezy), this problem has been fixed in version 1.2.0-5+deb7u1 of lua-expat. For the unstable distribution (sid), this problem has been fixed in version 1.3.0-1 lua-expat. We recommend that you upgrade your prosody and lua-expat packages.


Affected Software


CPE Name Name Version
prosody 0.8.2-4

Related