[ANN] Prosody 0.11.9 security release


Matthew Wild

May 13, 2021, 7:31:43 AM
to Prosody IM Users Group, Prosody IM Developers Group, prosody-...@googlegroups.com
Hi folks,

We are pleased to announce the release of Prosody 0.11.9.

This release addresses a number of important security issues that affect
most deployments of Prosody. Full details are available in a separate
security advisory: https://prosody.im/security/advisory_20210512/. We
recommend that all deployments upgrade or apply the mitigations
described in the advisory.

A summary of changes since the previous release:

Security

- mod_limits, prosody.cfg.lua: Enable rate limits by default
- certmanager: Disable renegotiation by default
- mod_proxy65: Restrict access to local c2s connections by default
- util.startup: Set more aggressive defaults for GC
- mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set
default stanza size limits
- mod_auth_internal_{plain,hashed}: Use constant-time string
comparison for secrets
- mod_dialback: Remove dialback-without-dialback feature
- mod_dialback: Use constant-time comparison with hmac

Minor changes

- util.hashes: Add constant-time string comparison (binding to
CRYPTO_memcmp)
- mod_c2s: Don’t throw errors in async code when connections are gone
- mod_c2s: Fix traceback in session close when conn is nil
- core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
- mod_saslauth: Use a defined SASL error
- MUC: Add support for advertising muc#roomconfig_allowinvites in room
disco#info
- mod_saslauth: Don’t throw errors in async code when connections are
gone
- mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing
pubsub feature in disco)
- prosodyctl check config: Add ‘gc’ to list of global options
- prosodyctl about: Report libexpat version if known
- util.xmppstream: Add API to dynamically configure the stanza size
limit for a stream
- util.set: Add is_set() to test if an object is a set
- mod_http: Skip IP resolution in non-proxied case
- mod_c2s: Log about missing conn on async state changes
- util.xmppstream: Reduce internal default xmppstream limit to 1MB

Download

As usual, download instructions for many platforms can be found on our
download page: https://prosody.im/download

If you have any questions, comments or other issues with this release,
let us know! https://prosody.im/discuss

Matthew Wild

May 13, 2021, 8:28:39 AM
to Prosody IM Users Group, Prosody IM Developers Group, prosody-...@googlegroups.com
On Thu, 13 May 2021 at 12:31, Matthew Wild <mwi...@gmail.com> wrote:
> Hi folks,
>
> We are pleased to announce the release of Prosody 0.11.9.

Sorry for the double-post. I just wanted to note that I've made an
addition to the release notes and blog post based on feedback.

This release has updated the default config file. Your package manager
may warn you about this, and ask if you want to use the new file or
keep your existing one. You should usually keep your existing one, but
just make sure you update it to enable mod_limits after the upgrade.

Hope this helps anyone who gets confused during the upgrade :)

Regards,
Matthew
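Putting the release notes and the follow-up about the default config file together, here is an added example (not the project's shipped prosody.cfg.lua.dist) of what the global section of a config file you kept across the upgrade should contain: mod_limits enabled by hand, the rate limits it reads, and the GC and stanza-size settings that 0.11.9 now defaults on its own. The limits values are starting points to compare against the 0.11.9 default config; the `gc` table key and the `*_stanza_size_limit` option names are assumed here from memory rather than quoted from the announcement.

```lua
-- prosody.cfg.lua, global section, after upgrading to 0.11.9 while keeping
-- an existing config file. Added example; not the project's shipped default.

modules_enabled = {
    -- ... your existing module list stays as it is ...
    "roster"; "saslauth"; "tls"; "dialback"; "disco";
    "limits"; -- new in the 0.11.9 default config; add it by hand to a kept file
}

-- Byte-rate limits mod_limits applies per connection type. Rates are strings
-- like "10kb/s"; 'burst' (seconds) allows short bursts above the rate.
-- Starting values; compare with the prosody.cfg.lua.dist that 0.11.9 installs.
limits = {
    c2s = {
        rate = "10kb/s";
        burst = "2s";
    };
    s2sin = {
        rate = "30kb/s";
        burst = "5s";
    };
}

-- Garbage collector tuning for Lua 5.2+ hosts. 0.11.9 sets aggressive
-- defaults itself (util.startup); stating it explicitly documents the choice.
-- The key 'speed' is ASSUMED to be the setting behind
-- collectgarbage("setstepmul", 500); 'prosodyctl check config' knows the
-- 'gc' global option and will warn about a key it does not recognise.
gc = {
    speed = 500;
}

-- Per-listener stanza size limits in bytes. 0.11.9 applies defaults without
-- these lines; the option names are ASSUMED here, so verify them before
-- relying on them rather than on the built-in defaults.
c2s_stanza_size_limit = 256 * 1024
s2s_stanza_size_limit = 512 * 1024
```

Run `prosodyctl check config` after editing and before restarting: the release notes say it now lists `gc` among the global options, so a mistyped key in this fragment shows up there instead of silently doing nothing.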

Lonnie Abelbeck

May 13, 2021, 8:36:36 AM
to proso...@googlegroups.com


> On May 13, 2021, at 6:31 AM, Matthew Wild <mwi...@gmail.com> wrote:
>
> Hi folks,
>
> We are pleased to announce the release of Prosody 0.11.9.
>
> This release addresses a number of important security issues that affect
> most deployments of Prosody.

Hi Matthew,

Any chance a 0.10.4 version will be released with just the security fixes ?

Lonnie

Matthew Wild

May 13, 2021, 9:04:10 AM
to Prosody IM Developers Group
Hi Lonnie,

On Thu, 13 May 2021 at 13:36, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
> Hi Matthew,
>
> Any chance a 0.10.4 version will be released with just the security fixes ?

Sorry, we're no longer maintaining the 0.10 branch at this point. I'm
pretty sure our build infrastructure wouldn't succeed at a 0.10
release even if we tried. As a reminder, our policy is generally to
support a branch for as long as that branch is included in a supported
Debian release. With the EOL of Debian 9 in July 2020, we're now only
maintaining 0.11.x.

I've just updated the security advisory with the commits relevant to
each issue to make it easier for packagers who want to cherry-pick or
backport changes.

Some notes/pointers:

- 0.10 will usually be running on Lua 5.1, which is far less
susceptible to the memory exhaustion issue.
- 0.10 is lacking util.startup and support for the 'gc' config
option, so you'll need to plug in collectgarbage("setstepmul", 500)
somewhere during startup
- Backporting the timing attack patches should be trivial enough
(just patch the new function into util-src/hashes.c and fix the
appropriate modules, which have probably changed little since 0.10).
- mod_proxy65 has also not changed much (at all?) and it should be
easy to apply the patch for 0.11.
- mod_dialback should be a similar story.
- I can't say how much work the stanza size limits patches will be
in 0.10, but hopefully not too tricky.

Hope this helps! Let me know if you have any further questions.

Regards,
Matthew