Debian Security Advisory
DLA-407-1 prosody -- LTS security update
- Date Reported:
- 30 Jan 2016
- Affected Packages:
- prosody
- Security database references:
- In Mitre's CVE dictionary: CVE-2016-0756.
- More information:
A flaw was found in the way Prosody, a lightweight Jabber/XMPP server, generates the keys used by the server-to-server dialback authentication mechanism. The flaw allows a malicious server to impersonate the vulnerable domain to any XMPP domain whose domain name includes the attacker's domain as a suffix. For example, an attacker controlling the domain bber.example would be able to connect to jabber.example and successfully impersonate any vulnerable server on the network.
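The suffix property described above, as an added example that is not Prosody's code: the two key derivations below are simplified stand-ins (the unseparated concatenation, the separators, the field order, and the constructed secret, stream ids and domain names are all assumptions of this example, not taken from the advisory), chosen so that the weak derivation reproduces the collision the advisory describes and the hardened one does not. The attack model assumed here is that the attacker can make the vulnerable server initiate a dialback-protected connection to the attacker's own domain and can choose the stream id on that connection.

```python
import hashlib
import hmac

# Constructed secret for the vulnerable ("victim") server; the attacker never learns it.
SECRET = b"per-server-dialback-secret"


def weak_key(stream_id: str, to: str, frm: str, secret: bytes = SECRET) -> str:
    """Assumed weak derivation: fields concatenated with no separators.

    Nothing marks where stream_id ends and `to` begins, so two different
    (stream_id, to) pairs can produce the same input bytes.
    """
    data = (stream_id + to + frm).encode() + secret
    return hashlib.sha256(data).hexdigest()


def fixed_key(stream_id: str, to: str, frm: str, secret: bytes = SECRET) -> str:
    """Hardened derivation: keyed HMAC over separated fields.

    Hostnames cannot contain spaces, so `to` and `frm` parse unambiguously,
    and the attacker-chosen stream id is placed last so no choice of its
    contents can shift the earlier field boundaries.
    """
    msg = " ".join((to, frm, stream_id)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def suffix_attack(derive, victim: str, target: str, attacker: str, target_stream_id: str):
    """Replay the suffix collision against a given derivation function.

    victim:   vulnerable domain the attacker wants to impersonate
    target:   domain the attacker connects to, pretending to be `victim`
    attacker: attacker-controlled domain, a proper suffix of `target`
    target_stream_id: stream id the target issued to the attacker's connection

    Returns (key_obtained_from_victim, key_target_will_verify).
    """
    if not (target.endswith(attacker) and len(target) > len(attacker)):
        raise ValueError("attacker domain must be a proper suffix of target")
    prefix = target[: len(target) - len(attacker)]

    # The victim connects to the attacker's server and is handed a stream id
    # chosen by the attacker: the target's stream id with the missing prefix
    # glued on. The victim then sends its dialback key for (that id, to=attacker).
    obtained = derive(target_stream_id + prefix, attacker, victim)

    # When the attacker presents `obtained` to the target while claiming to be
    # `victim`, the target asks the victim to verify this key instead.
    expected = derive(target_stream_id, target, victim)
    return obtained, expected


def impersonation_succeeds(derive, victim: str, target: str, attacker: str, sid: str) -> bool:
    """True if the victim would vouch for the attacker's forged key."""
    obtained, expected = suffix_attack(derive, victim, target, attacker, sid)
    return hmac.compare_digest(obtained, expected)


if __name__ == "__main__":
    # Constructed domains matching the advisory's example: "bber.example" is a
    # suffix of "jabber.example".
    args = ("victim.example", "jabber.example", "bber.example", "abc123")
    print("weak derivation, impersonation works:", impersonation_succeeds(weak_key, *args))
    print("fixed derivation, impersonation works:", impersonation_succeeds(fixed_key, *args))
```

The point to take from the example is not the hash function but the encoding: any key derivation that hashes attacker-influenced, variable-length fields without unambiguous framing (separators the fields cannot contain, length prefixes, or a fixed field order with the untrusted field last) is open to this class of boundary-shifting collision, and switching to an HMAC alone would not have fixed it without the framing change.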
This release also fixes a regression introduced by the previous fix for CVE-2016-1232: server-to-server (s2s) connections did not work when /dev/urandom was read-only.