Stay Secure with the Latest Linux Advisories

security advisorydenial of servicefedora

Fedora 44 Prosody Critical Denial of Service Security Fix 2026-2947986ad6

Prosody 13.0.5 Upstream is pleased to announce a new minor release from their stable branch. This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-2947986ad6 2026-05-10 02:48:49.647007+00:00 -------------------------------------------------------------------------------- Name : prosody Product : Fedora 44 Version : 13.0.5 Release : 1.fc44 URL : https://prosody.im/ Summary : Flexible communications server for Jabber/XMPP Description : Prosody is a flexible communications server for Jabber/XMPP written in Lua. It aims to be easy to use, and light on resources. For developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols. -------------------------------------------------------------------------------- Update Information: Prosody 13.0.5 Upstream is pleased to announce a new minor release from their stable branch. This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release. Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations. A summary of changes in this release: Security mod_proxy65: Consistently apply authorization checks mod_proxy65: Don\u2019t proxy data until after bytestream activation mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit Add limit for stanza max child elements mod_c2s: Remove timers immediately on disconnection net.server_epoll: Clean uptimers after disconnection Fixes and improvements net.http.parser: Fix handling of chunked request MUC: Advertise hats feature on room JID moduleapi: Use multitable add/remove instead of set (fixes memory leak) mod_cloud_notify: Fix leaking iq response handlers by using send_iq() Improve federation with servers using only IP addresses prosody: Prevent loading local code when installed system-wide mod_http_file_share: Improve handling of Range requests mod_carbons: Fix some carbons decision-making bugs Minor changes net.resolvers: Fix to avoid SRV lookups for IP addresses prosody: Abort earlier on incompatible Lua version mod_turn_external: hand out credentials for type == turns too mod_s2s: Fully validate stream addressing prosodyctl check features: Warn if http file sharing enabled on both host and component util.prosodyctl: Don\u2019t check for mod_posix being disabled, it\u2019s deprecated util.startup: Improve error message when failing to load config file util.x509: Add support for iPAddress certs prosodyctl: Trim any trailing newline from password entry mod_admin_shell: Make cert index search path relative to config file mod_admin_shell: Improve multi-host command handling mod_admin_shell: Show help listing when specifying only a section name mod_admin_shell: Ensure password validity when setting passwords for new/existing users mod_account_activity: Handle authentication provider returning no user info config: Use default value when enum option has incorrect value mod_http: \u201cHandle\u201d streaming requests to avoid invoking redirect handler -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 30 2026 Robert Scheck 13.0.5-1 - Upgrade to 13.0.5 (#2463898) * Thu Apr 16 2026 Tom Callaway - 13.0.4-3 - rebuild * Sun Mar 15 2026 Tom Callaway - 13.0.4-2 - rebuild for lua 5.5 - apply upstream fix for configure - make a new patch to actually support lua 5.5 -------------------------------------------------------------------------------- References: [ 1] Bug #2464363 - CVE-2026-43507 Prosody: Prosody: Denial of Service via XML parsing resource amplification https://bugzilla.redhat.com/show_bug.cgi?id=2464363 [ 2 ] Bug #2464412 - CVE-2026-43504 Prosody: mod_proxy65: Prosody: Unauthenticated traffic relay due to access control mishandling in mod_proxy65 https://bugzilla.redhat.com/show_bug.cgi?id=2464412 [ 3 ] Bug #2464452 - CVE-2026-43505 Prosody: mod_proxy65: Prosody: Unauthorized traffic relay via mod_proxy65 access control flaw https://bugzilla.redhat.com/show_bug.cgi?id=2464452 [ 4 ] Bug #2464492 - CVE-2026-43506 Prosody: Prosody: Denial of Service via memory exhaustion from unauthenticated connections https://bugzilla.redhat.com/show_bug.cgi?id=2464492 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-2947986ad6' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Prosody 13.0.5 release fixes critical security issues including denial of service and unauthorized access. Upgrade now.. Fedora Prosody Security Update, Denial of Service Vulnerability, Communication Server Fixes. . Severity: Critical. LinuxSecurity.com Team

May 10, 2026 •Critical Fedora