DSA-3439-1 prosody -- prosodyID: oval:org.secpod.oval:def:602329 | Date: (C)2016-01-27 (M)2022-09-22 |
Class: PATCH | Family: unix |
Two vulnerabilities were discovered in Prosody, a lightweight Jabber/XMPP server. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2016-1231 Kim Alvefur discovered a flaw in Prosody"s HTTP file-serving module that allows it to serve requests outside of the configured public root directory. A remote attacker can exploit this flaw to access private files including sensitive data. The default configuration does not enable the mod_http_files module and thus is not vulnerable. CVE-2016-1232 Thijs Alkemade discovered that Prosody"s generation of the secret token for server-to-server dialback authentication relied upon a weak random number generator that was not cryptographically secure. A remote attacker can take advantage of this flaw to guess at probable values of the secret key and impersonate the affected domain to other servers on the network.
Platform: |
Debian 8.x |
Debian 7.x |