Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.0445.2 prosody security update 22 April 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: prosody Publisher: Debian Operating System: Debian GNU/Linux 7 Debian GNU/Linux 6 Linux variants Windows OS X Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-2745 CVE-2014-2744 Original Bulletin: http://www.debian.org/security/2014/dsa-2895 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running prosody check for an updated version of the software for their operating system. Revision History: April 22 2014: Regression in previous update corrected. April 7 2014: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-2895-2 security@debian.org http://www.debian.org/security/ Luciano Bello April 21, 2014 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : prosody CVE ID : CVE-2014-2744 CVE-2014-2745 Debian Bug : 743836 The update for prosody in DSA 2895 caused a regression when a client logins with the compression functionality activated. This update corrects that problem. For reference, the original advisory text follows. A denial-of-service vulnerability has been reported in Prosody, a XMPP server. If compression is enabled, an attacker might send highly-com- pressed XML elements (attack known as "zip bomb") over XMPP streams and consume all the resources of the server. For the stable distribution (wheezy), this problem has been fixed in version 0.8.2-4+deb7u2 of prosody. We recommend that you upgrade your prosody package. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJTVFsbAAoJEG7C3vaP/jd0dsgQAIWJ3rTPgvpf4XWhmnzcZDn9 cf0F8jGL8sD5KaXepyr1f91qdAG5/bhd0lrsYGuuK9JS7UANa5SyN04GuAA9tgFi vmAg7aSgLAcmdHhjmQy5ABDXI6eLmXxVv2abvkN3RulnClMHByyTdJSMbwYzvNbq YyyVhunCuYPiyl48GuwseHPwo58Sd4CTXNTj7y94UjTQH2fP/75t4GRidoT03wEL iD4pvb4eSG0dniCU/nL5RALAbfCQNQXb++vMAWYkiGQPf5MG0sI8jS4Rql6jdVh3 eFMhYwUnNRSfYkdHso6uhydcMhQbOR3b3r4Vbi+G2kzldtPA6ZhkqIU23WLltBSu Z+KGsV+T1+aReCijMznRmSl/lzIfX51s3w6SibRHdnvZqDTX9YAiIfBVfWYMMN7C PC5MbANRTZYpovkQsMGY+cJENztPzArDq/Dex/BfqIgKr7bcTvgmhI0faPqXj1sb lp7vBNs77qB3n0wPUVE8ws5Dt4pOoJJW71u/cLBIQchE05mrvuwip43ud5fs8m45 gZvyk496n0hQbgqDaPCN+nsraC1W6AMizMEG4AskZEa+v06MGfMAmtwdEN/5+XjA qAL1kRfZPIUUMIbtayv6W4THNdmo6ckIs/8amkpuJyOxBJaRJWewFUMCQWMuYioL jpknu6AtYPWSz/UItRku =a97E - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU1X6URLndAQH1ShLAQKI9hAAqPH3CM0orONFIPtSdpHLR3VAU2CJQ+xm MD3mbUgQB03gswZs0C7qerftB+W8m4qToNky9MVmedRKNtDxZPARt29Y+MMOVuz/ V4FRb5EZBWQEOQSwMcEXonCmhXxjbG4p720reDUd91wJtlBtBdWBRqK/Z6kf20wG O+XsMXuXyTj00YGZLRu9x/ZcOnLw0R5IKf/8U/G84AnXrInOzh9lwR77x+3mNIAm O70cttsRSpyH42Avcjg7J+iZfBB9erG1KTlpLLQauOOuVRAqV4hndE4+a8iaYKzZ dCQPaJOaUtUC88XnaYKqjlg8x5fOaWOL0XRfW1VqWo/m5ZL0pOGBC40glhDUv9X4 T6zXs7WBAmf8uM5D51IaX2ssAuq+/tqscgQFGTNOmHZXftyjoUGg7SFdb47x+BFP opKsNNuV/9UL22N3VC7ZrU7hAdkByS131tkfCxuOOP8fCyi/ZVswLQ7whm64JqmU VGNOguWOVUi1zMb2CUbx/Rd4UG388DRL1CmoqUCYixobzlTSxraN/RFSDI4L2JqG d4T+1dY6FWW3yPCfwJkR/gVz2kLZwNvURfJb7h11Xmt+H6FcSOnMx8R/IRqV6VNI H0pZ0ie0W8HoBca33lJ6cR3rt4jHvwqU1qPB8f//9sy5LKJfUMu6j4IoDnlmKo66 P9TCJwiR1WQ= =SH0Y -----END PGP SIGNATURE-----