
Fedora 20: FEDORA-2015-6428 High: Prosody Buffer Overflow Issue

May 10, 2015
An upgrade for Fedora 20's Prosody enhances functionality and addresses significant vulnerabilities related to memory mismanagement and secure socket layer problems.

Summary

Prosody is a flexible communications server for Jabber/XMPP written in Lua. It aims to be easy to use, and light on resources. For developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols.

Update Information:

Prosody 0.9.8
============

A summary of changes in this release:

High
----

* Ensure only valid UTF-8 is passed to libidn. It was found (CVE-2015-2059) that libidn can read beyond the boundaries of the provided buffer when an input string contains invalid UTF-8 sequences.

Systems where Prosody is compiled to use libICU are not affected by this issue.

Medium
------

* DNS: Fix traceback caused when DNS server IP is unroutable (issue 473)
* HTTP client: More robust handling of chunked encoding across packet boundaries
* Stanza router: Fix handling of 'error' 's with multiple children

Minor
-----

* c2s: Fix error reply when clients try to bind multiple resources on the same stream (issue 484)
* s2s: Ensure to/from attributes are always present on stream headers, even if empty (issue 468)
* Build scripts: Add --libdir option to ./configure to simplify building on some platforms
* Fix traceback in datamanager when used outside of Prosody (e.g. in some migration t...
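The High-severity fix above comes down to rejecting malformed UTF-8 before the string ever reaches libidn. The following strict, length-bounded validator is an added example of such a pre-check, not Prosody's own code; the function name is_valid_utf8 is hypothetical and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Strict UTF-8 check per RFC 3629. Returns 1 if s[0..len) is well formed,
 * 0 otherwise. Never reads at or beyond s + len. (Hypothetical helper.) */
int is_valid_utf8(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = s[i];
        size_t need = 0;                 /* continuation bytes expected */
        unsigned long cp = 0, min = 0;   /* code point, smallest legal value */

        if (b < 0x80)                { i++; continue; }
        else if ((b & 0xE0) == 0xC0) { need = 1; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { need = 3; cp = b & 0x07; min = 0x10000; }
        else return 0;           /* stray continuation byte or 0xF8..0xFF */

        if (need > len - i - 1) return 0;  /* sequence cut off by end of input */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return 0;                      /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;  /* UTF-16 surrogate */
        if (cp > 0x10FFFF) return 0;                 /* outside Unicode */
        i += need + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    static const struct { const char *label; const unsigned char *s; size_t n; } t[] = {
        { "ascii domain",     (const unsigned char *)"example.org", 11 },
        { "2-byte (U+00E9)",  (const unsigned char *)"caf\xC3\xA9", 5 },
        { "truncated 3-byte", (const unsigned char *)"ab\xE2\x82", 4 },
        { "overlong '/'",     (const unsigned char *)"\xC0\xAF", 2 },
        { "surrogate U+D800", (const unsigned char *)"\xED\xA0\x80", 3 },
    };
    for (size_t k = 0; k < sizeof t / sizeof t[0]; k++)
        printf("%-18s %s\n", t[k].label,
               is_valid_utf8(t[k].s, t[k].n) ? "pass to IDN library" : "reject");
    return 0;
}
```

A caller would run this check on every JID part or domain received from the network and return an error instead of invoking the IDN/stringprep routine when it fails.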


Change Log

* Sat Apr 18 2015 Robert Scheck 0.9.8-1
- Upgrade to 0.9.8 (#1152126)

* Sat Feb 14 2015 Robert Scheck 0.9.7-1
- Upgrade to 0.9.7 (#985563, #1152126)

* Sun Aug 17 2014 Fedora Release Engineering - 0.9.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Sat Jun 7 2014 Fedora Release Engineering - 0.9.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Tue Jun 3 2014 Jan Kaluza - 0.9.4-2
- add missing lua-socket-compat dependency

* Fri May 30 2014 Jan Kaluza - 0.9.4-1
- update to version 0.9.4
- build with luajit

* Wed Sep 11 2013 Johan Cwiklinski - 0.9.1-1
- Update to 0.9.1

* Thu Aug 22 2013 Matěj Cepl - 0.9.0-1
- Final upstream release.

References


[ 1 ] Bug #985563 - Logging, conf.d and log rotation
      https://bugzilla.redhat.com/show_bug.cgi?id=985563
[ 2 ] Bug #1085693 - prosody: resource consumption denial of service when using XMPP application-layer compression [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1085693
[ 3 ] Bug #1091499 - Please use luajit instead of lua in F20+ (prosody requires lua 5.1; lua 5.2 is packaged)
      https://bugzilla.redhat.com/show_bug.cgi?id=1091499
[ 4 ] Bug #1152126 - prosody-0.9.8 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=1152126

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update prosody' at the command line. For more information, refer to "Managing Software with yum", available at .

Name: prosody
Product: Fedora 20
Version: 0.9.8
Release: 1.fc20
Summary: Flexible communications server for Jabber/XMPP
