Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 8 Jan 2016 15:40:14 +0000
From: Matthew Wild <mwild1@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities

Two vulnerabilities have been discovered and fixed in the Prosody XMPP
server. Details below.

CVE-2016-1231 prosody: path traversal vulnerability in the built-in
HTTP server's file-serving module
-------------

Project: Prosody XMPP server
URL: https://prosody.im/
Affected versions:
    0.9.x (before 0.9.9), 0.10 (unreleased)
Affected Prosody modules:
    mod_http_files (and community modules that depend on it)
Fixed versions:
    0.9.9, 0.10 nightly build 196, trunk nightly build 608

Description
-----------

A flaw was found in Prosody's HTTP file-serving module (mod_http_files)
that allows it to serve requests outside of the configured public root
directory. This could allow attackers access to private files including
sensitive data.

Affected configurations
-----------------------

The default configuration has mod_http_files disabled, and is not
vulnerable. Additionally, configurations where mod_http_files serves
files at the root URL (e.g. not /files/ prefix, using http_paths) are
not vulnerable.

Temporary mitigation
--------------------

Disable mod_http_files and any community modules that depend on it.

Advice
------

All users should upgrade to 0.9.9, or check their OS distribution for
security updates. Users of development branches (0.10, trunk) should
upgrade to the latest nightly builds.

Credits
-------

The flaw was discovered by Kim Alvefur, a member of the Prosody team.

//////////////////////////

CVE-2016-1232 prosody: using a weak PRNG to generate the
authentication secret used when verifying server-to-server connections
using the dialback method.
-------------

Project: Prosody XMPP server
URL: https://prosody.im/
Affected versions:
    All
Affected Prosody modules:
    mod_dialback
Fixed versions:
    0.9.9, 0.10 nightly build 196, trunk nightly build 608

Description
-----------

It was discovered that Prosody's generation of the secret token for
server-to-server dialback authentication relied upon a weak random
number generator that was not cryptographically secure. This allows an
attacker to guess at probable values of the secret key. A successful
guess allows impersonation of the affected domain to other servers on
the network.

Affected configurations
-----------------------

Configurations with mod_dialback loaded (default configuration) are
affected.

Servers with s2s_secure_auth = true will not be susceptible to incoming
attempts to spoof other domains on the network. However if mod_dialback
is loaded, a server's domain's may still be spoofed by an attacker in
connections to other servers.

Not affected are configurations with a strong custom dialback_secret set
(though periodically regenerating the dialback_secret is still
advisable).

Temporary mitigation
--------------------

Set the 'dialback_secret' option in your configuration file to a long
random string.

A strong dialback_secret can be generated (for example) using the
command:

head -c 32 /dev/urandom | base64

Alternatively disable mod_dialback by adding it to your modules_disabled
option in your configuration file. In this case communication with
servers that only support dialback or have untrusted certificates will
not be possible.

Advice
------

All users should upgrade to 0.9.9, or check their OS distribution for
security updates. Users of development branches (0.10, trunk) should
upgrade to the latest nightly builds.

Credits
-------

The flaw was discovered and reported by Thijs Alkemade.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.