-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.0445.2
                          prosody security update
                               22 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           prosody
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 6
                   Linux variants
                   Windows
                   OS X
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2745 CVE-2014-2744 

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2895

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running prosody check for an updated version of the software for 
         their operating system.

Revision History:  April 22 2014: Regression in previous update corrected.
                   April  7 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2895-2                   security@debian.org
http://www.debian.org/security/                             Luciano Bello
April 21, 2014                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : prosody
CVE ID         : CVE-2014-2744 CVE-2014-2745
Debian Bug     : 743836

The update for prosody in DSA 2895 caused a regression when a client 
logins with the compression functionality activated. This update corrects
that problem. For reference, the original advisory text follows.

A denial-of-service vulnerability has been reported in Prosody, a XMPP 
server. If compression is enabled, an attacker might send highly-com-
pressed XML elements (attack known as "zip bomb") over XMPP streams and 
consume all the resources of the server.

For the stable distribution (wheezy), this problem has been fixed in
version 0.8.2-4+deb7u2 of prosody.

We recommend that you upgrade your prosody package.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJTVFsbAAoJEG7C3vaP/jd0dsgQAIWJ3rTPgvpf4XWhmnzcZDn9
cf0F8jGL8sD5KaXepyr1f91qdAG5/bhd0lrsYGuuK9JS7UANa5SyN04GuAA9tgFi
vmAg7aSgLAcmdHhjmQy5ABDXI6eLmXxVv2abvkN3RulnClMHByyTdJSMbwYzvNbq
YyyVhunCuYPiyl48GuwseHPwo58Sd4CTXNTj7y94UjTQH2fP/75t4GRidoT03wEL
iD4pvb4eSG0dniCU/nL5RALAbfCQNQXb++vMAWYkiGQPf5MG0sI8jS4Rql6jdVh3
eFMhYwUnNRSfYkdHso6uhydcMhQbOR3b3r4Vbi+G2kzldtPA6ZhkqIU23WLltBSu
Z+KGsV+T1+aReCijMznRmSl/lzIfX51s3w6SibRHdnvZqDTX9YAiIfBVfWYMMN7C
PC5MbANRTZYpovkQsMGY+cJENztPzArDq/Dex/BfqIgKr7bcTvgmhI0faPqXj1sb
lp7vBNs77qB3n0wPUVE8ws5Dt4pOoJJW71u/cLBIQchE05mrvuwip43ud5fs8m45
gZvyk496n0hQbgqDaPCN+nsraC1W6AMizMEG4AskZEa+v06MGfMAmtwdEN/5+XjA
qAL1kRfZPIUUMIbtayv6W4THNdmo6ckIs/8amkpuJyOxBJaRJWewFUMCQWMuYioL
jpknu6AtYPWSz/UItRku
=a97E
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU1X6URLndAQH1ShLAQKI9hAAqPH3CM0orONFIPtSdpHLR3VAU2CJQ+xm
MD3mbUgQB03gswZs0C7qerftB+W8m4qToNky9MVmedRKNtDxZPARt29Y+MMOVuz/
V4FRb5EZBWQEOQSwMcEXonCmhXxjbG4p720reDUd91wJtlBtBdWBRqK/Z6kf20wG
O+XsMXuXyTj00YGZLRu9x/ZcOnLw0R5IKf/8U/G84AnXrInOzh9lwR77x+3mNIAm
O70cttsRSpyH42Avcjg7J+iZfBB9erG1KTlpLLQauOOuVRAqV4hndE4+a8iaYKzZ
dCQPaJOaUtUC88XnaYKqjlg8x5fOaWOL0XRfW1VqWo/m5ZL0pOGBC40glhDUv9X4
T6zXs7WBAmf8uM5D51IaX2ssAuq+/tqscgQFGTNOmHZXftyjoUGg7SFdb47x+BFP
opKsNNuV/9UL22N3VC7ZrU7hAdkByS131tkfCxuOOP8fCyi/ZVswLQ7whm64JqmU
VGNOguWOVUi1zMb2CUbx/Rd4UG388DRL1CmoqUCYixobzlTSxraN/RFSDI4L2JqG
d4T+1dY6FWW3yPCfwJkR/gVz2kLZwNvURfJb7h11Xmt+H6FcSOnMx8R/IRqV6VNI
H0pZ0ie0W8HoBca33lJ6cR3rt4jHvwqU1qPB8f//9sy5LKJfUMu6j4IoDnlmKo66
P9TCJwiR1WQ=
=SH0Y
-----END PGP SIGNATURE-----