ALT-PU-2018-2853-1
Closed vulnerabilities
Published: 2018-05-09
Modified: 2024-11-21
CVE-2017-18265
Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.
Severity: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- https://bugs.debian.org/875829
- https://hg.prosody.im/0.9/rev/176b7f4e4ac9
- https://hg.prosody.im/0.9/rev/adfffc5b4e2a
- https://prosody.im/issues/issue/987
- DSA-4198
Published: 2018-07-30
Modified: 2024-11-21
CVE-2018-10847
Prosody before versions 0.10.2 and 0.9.14 is vulnerable to an authentication bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.
Severity: HIGH (8.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
- https://blog.prosody.im/prosody-0-10-2-security-release/
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847
- https://issues.prosody.im/1147
- https://prosody.im/security/advisory_20180531/
- DSA-4216
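The check that CVE-2018-10847 was missing, modelled as an added example in Python (this is not Prosody's code; the `Session` class, the host names and the error strings are constructed for illustration): a session binds to the virtual host named in the first stream header, and a stream restart after authentication must name the same host.

```python
# Added example (not Prosody code): minimal model of the stream-restart
# check described for CVE-2018-10847. An XMPP session is bound to the
# virtual host named in the first <stream:stream to="..."> header. After
# SASL the client restarts the stream; a hardened server refuses a restart
# whose "to" names a different host on the same instance.
# Host names, user names and error texts below are constructed.

class StreamError(Exception):
    """Raised when a stream open or restart must be rejected."""

class Session:
    def __init__(self, hosts):
        self.hosts = set(hosts)   # virtual hosts served by this instance
        self.host = None          # host bound at the first stream open
        self.username = None      # set once authentication succeeds

    def open_stream(self, to):
        """Handle a <stream:stream to=...> header (initial open or restart)."""
        if to not in self.hosts:
            raise StreamError("host-unknown")
        if self.host is None:
            self.host = to        # initial open: bind the session to this host
        elif to != self.host:
            # Vulnerable versions skipped this comparison, so an
            # authenticated session could migrate to another virtual host.
            raise StreamError("not-authorized: host changed across stream restart")
        return self.host

    def authenticate(self, username, credentials_ok):
        """Bind a user to the session; credentials_ok stands in for SASL."""
        if self.host is None:
            raise StreamError("no stream open")
        if not credentials_ok:
            raise StreamError("not-authorized")
        self.username = username
        return f"{username}@{self.host}"

def hardened_restart(new_to):
    """Authenticate on host a.example, then restart the stream to new_to.
    Returns the JID the session stays bound to, or the rejection text."""
    s = Session(["a.example", "b.example"])
    s.open_stream("a.example")
    jid = s.authenticate("alice", credentials_ok=True)
    try:
        s.open_stream(new_to)
    except StreamError as e:
        return str(e)
    return jid
```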
Closed bugs
Prosody does not work with Lua 5.3