[SECURITY] [DLA 407-1] prosody security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package : prosody
Version : 0.7.0-1squeeze1+deb6u2
CVE ID : CVE-2016-0756
The flaw allows a malicious server to impersonate the vulnerable domain
to any XMPP domain whose domain name includes the attacker's domain as a
suffix.
For example, 'bber.example' would be able to connect to 'jabber.example'
and successfully impersonate any vulnerable server on the network.
This release also fixes a regression introduced in the previous
CVE-2016-1232 fix: s2s doesn't work if /dev/urandom is read-only.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----