Debian Security Advisory

DLA-407-1 prosody -- LTS security update

Date Reported:
30 Jan 2016
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-0756.
More information:

The flaw allows a malicious server to impersonate the vulnerable domain to any XMPP domain whose domain name includes the attacker's domain as a suffix.

For example, bber.example would be able to connect to jabber.example and successfully impersonate any vulnerable server on the network.

This release also fixes a regression introduced in the previous CVE-2016-1232 fix: s2s doesn't work if /dev/urandom is read-only.