prosody-0.11.10-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11197-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z prosody-0.11.10-1.2 on GA media These are all security issues fixed in the prosody-0.11.10-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11197 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-32917/ SUSE CVE CVE-2021-32917 page https://www.suse.com/security/cve/CVE-2021-32918/ SUSE CVE CVE-2021-32918 page https://www.suse.com/security/cve/CVE-2021-32919/ SUSE CVE CVE-2021-32919 page https://www.suse.com/security/cve/CVE-2021-32920/ SUSE CVE CVE-2021-32920 page https://www.suse.com/security/cve/CVE-2021-37601/ SUSE CVE CVE-2021-37601 page openSUSE Tumbleweed prosody-0.11.10-1.2 prosody-0.11.10-1.2 as a component of openSUSE Tumbleweed An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. CVE-2021-32917 openSUSE Tumbleweed:prosody-0.11.10-1.2 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32917.html CVE-2021-32917 https://bugzilla.suse.com/1186027 SUSE Bug 1186027 An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. CVE-2021-32918 openSUSE Tumbleweed:prosody-0.11.10-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32918.html CVE-2021-32918 https://bugzilla.suse.com/1186027 SUSE Bug 1186027 An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled). CVE-2021-32919 openSUSE Tumbleweed:prosody-0.11.10-1.2 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32919.html CVE-2021-32919 https://bugzilla.suse.com/1186027 SUSE Bug 1186027 Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. CVE-2021-32920 openSUSE Tumbleweed:prosody-0.11.10-1.2 important 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32920.html CVE-2021-32920 https://bugzilla.suse.com/1186027 SUSE Bug 1186027 muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations. CVE-2021-37601 openSUSE Tumbleweed:prosody-0.11.10-1.2 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-37601.html CVE-2021-37601 https://bugzilla.suse.com/1188976 SUSE Bug 1188976