Debian Security Advisory

DLA-407-1 prosody -- LTS security update

Date Reported: 30 Jan 2016
Affected Packages: prosody
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2016-0756.
More information:

The flaw allows a malicious server to impersonate the vulnerable domain to any XMPP domain whose domain name includes the attacker's domain as a suffix.

For example, bber.example would be able to connect to jabber.example and successfully impersonate any vulnerable server on the network.
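The following is an added illustrative model of the flaw class described above, not Prosody's own code: a server-to-server origin check that accepts a claimed domain whenever the authenticated peer's domain is merely a suffix of it, placed beside an exact-match check. The function names, the normalization helper and the sample domain pairs are constructed for this example; only the bber.example / jabber.example pair comes from the advisory.

```python
"""Illustrative model of the domain-suffix matching flaw described in DLA-407-1.

Added example, not Prosody's implementation. It contrasts a check that uses a
string suffix match with one that requires an exact domain match, and shows
why the suffix variant lets bber.example speak for jabber.example.
"""


def normalize(domain: str) -> str:
    """Canonical form for comparison: trimmed, lowercase, trailing dot removed."""
    return domain.strip().rstrip(".").lower()


def suffix_check_vulnerable(claimed_origin: str, authenticated_peer: str) -> bool:
    """Flawed check: accept if the peer's domain is a suffix of the claimed origin.

    With an authenticated peer of 'bber.example', a stanza claiming to come
    from 'jabber.example' is wrongly accepted, because the string
    'jabber.example' ends with 'bber.example'.
    """
    return normalize(claimed_origin).endswith(normalize(authenticated_peer))


def exact_check_fixed(claimed_origin: str, authenticated_peer: str) -> bool:
    """Corrected check: the claimed origin must equal the authenticated peer."""
    return normalize(claimed_origin) == normalize(authenticated_peer)


def label_boundary_check(claimed_origin: str, authenticated_peer: str) -> bool:
    """Assumed policy variant: if subdomains of the peer must be allowed,
    match only on a DNS label boundary ('.' + peer), so that 'bber.example'
    still cannot stand in for 'jabber.example'."""
    claimed, peer = normalize(claimed_origin), normalize(authenticated_peer)
    return claimed == peer or claimed.endswith("." + peer)


# Constructed sample pairs: (claimed origin domain, authenticated peer domain)
SAMPLE_PAIRS = [
    ("jabber.example", "jabber.example"),       # legitimate: same domain
    ("jabber.example", "bber.example"),         # the advisory's impersonation case
    ("chat.jabber.example", "jabber.example"),  # genuine subdomain of the peer
    ("JABBER.example.", "jabber.example"),      # same domain, different spelling
]


def evaluate(check) -> list:
    """Run one check function over the sample pairs; returns (claimed, peer, accepted)."""
    return [(claimed, peer, check(claimed, peer)) for claimed, peer in SAMPLE_PAIRS]


if __name__ == "__main__":
    for name, check in (("suffix (vulnerable)", suffix_check_vulnerable),
                        ("exact (fixed)", exact_check_fixed),
                        ("label boundary", label_boundary_check)):
        print(f"--- {name} ---")
        for claimed, peer, accepted in evaluate(check):
            print(f"claimed={claimed:22} peer={peer:16} accepted={accepted}")
```

The vulnerable variant prints `accepted=True` for the `jabber.example` / `bber.example` pair; the exact-match variant rejects it while still accepting the differently spelled but identical domain, which is why normalization belongs in the fixed check rather than being dropped along with the suffix logic.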

This release also fixes a regression introduced in the previous CVE-2016-1232 fix: server-to-server (s2s) connections do not work if /dev/urandom is read-only.