
Bug#988695: marked as done (unblock: prosody/0.11.9-1)



Your message dated Tue, 18 May 2021 08:36:03 +0000
with message-id <E1livCt-0000Xf-0v@respighi.debian.org>
and subject line unblock prosody
has caused the Debian Bug report #988695,
regarding unblock: prosody/0.11.9-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988695
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package prosody.

We have already fixed 5 CVEs [0] in sid and buster; this version needs to
migrate to testing so that testing is not left with a security regression
relative to those suites.

The security team asked me to contact you to obtain your unblock
approval. More information about this release is available in the
upstream advisory [1] and in our BTS at #988668 [2].

[0] https://security-tracker.debian.org/tracker/source-package/prosody
[1] https://prosody.im/security/advisory_20210512.txt
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988668

unblock prosody/0.11.9-1

- -- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'unstable'), (1, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-0.bpo.5-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEDmBQEMrYIhRFqKAgIXSmjn2oLMcFAmCjeY4ACgkQIXSmjn2o
LMePfAf/YVdSkJvEj9ZorZrCgdngUObO/wep7PpKRP7BcA+xhrAjehb9+eb8rI+Y
JIjiyLFTQMBZxKos+NI1R7ubmodBfCRbIpwsmy06fbhyQXPx17TmNKR0pPEB36UN
DO0IcCRl7FLClYHgo41EolfCsLyu7Th4gCWQ6PSNe0aUHZVKPZxAsGcBdWwAuICg
LkbhCsQuKTzuEJpLmuq9pz9UFyMVgqncNxeITvb94/pMPeMzhV/Cr0JQoj3b9SZS
f3W5/2gm7IPL1xV4+EMiugPpJB0ECfeM3BbKP1fwi9q3cFSpQjCEksFO5anRkLM5
OFIPtZ6LIwJyYf3jfSlgWO5JCtbHTQ==
=4E83
-----END PGP SIGNATURE-----
diff -Nru prosody-0.11.8/core/certmanager.lua prosody-0.11.9/core/certmanager.lua
--- prosody-0.11.8/core/certmanager.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/core/certmanager.lua	2021-05-12 17:22:02.000000000 +0200
@@ -36,9 +36,13 @@
 local resolve_path = require"util.paths".resolve_relative_path;
 local config_path = prosody.paths.config or ".";
 
+local function test_option(option)
+	return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }});
+end
+
 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
-local luasec_has = softreq"ssl.config" or {
+local luasec_has = ssl.config or softreq"ssl.config" or {
 	algorithms = {
 		ec = luasec_version >= 5;
 	};
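Review bot: `test_option` reports an option as unsupported whenever `ssl_newcontext` fails for any reason, not only because the option flag is unknown, so an unrelated failure of the `sslv23` probe context would silently disable every hardening option this table feeds (including the new `no_renegotiation`) instead of surfacing an error. Consider keeping the second return value and logging it when the probe fails, e.g. `local ctx, err = ssl_newcontext({mode="server",protocol="sslv23",options={ option }});` / `if not ctx then log("debug", "TLS option %s unavailable: %s", option, tostring(err)); end` / `return not not ctx;` (assuming the module's logger is in scope, which this hunk does not show). A header comment such as `-- Probe whether luasec/OpenSSL accept a single context option by building a throwaway server context` would also help. The `luasec_has` table starts on the last line of this hunk and continues in the next.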
@@ -46,11 +50,12 @@
 		curves_list = luasec_version >= 7;
 	};
 	options = {
-		cipher_server_preference = luasec_version >= 2;
-		no_ticket = luasec_version >= 4;
-		no_compression = luasec_version >= 5;
-		single_dh_use = luasec_version >= 2;
-		single_ecdh_use = luasec_version >= 2;
+		cipher_server_preference = test_option("cipher_server_preference");
+		no_ticket = test_option("no_ticket");
+		no_compression = test_option("no_compression");
+		single_dh_use = test_option("single_dh_use");
+		single_ecdh_use = test_option("single_ecdh_use");
+		no_renegotiation = test_option("no_renegotiation");
 	};
 };
 
@@ -115,6 +120,7 @@
 		no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
 		single_dh_use = luasec_has.options.single_dh_use;
 		single_ecdh_use = luasec_has.options.single_ecdh_use;
+		no_renegotiation = luasec_has.options.no_renegotiation;
 	};
 	verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 	curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
diff -Nru prosody-0.11.8/debian/changelog prosody-0.11.9/debian/changelog
--- prosody-0.11.8/debian/changelog	2021-02-16 14:26:08.000000000 +0100
+++ prosody-0.11.9/debian/changelog	2021-05-14 09:17:12.000000000 +0200
@@ -1,3 +1,16 @@
+prosody (0.11.9-1) unstable; urgency=high
+
+  * New upstream version 0.11.9 addressing several security issues
+    - https://prosody.im/security/advisory_20210512/
+    + CVE-2021-32918
+    + CVE-2021-32920
+    + CVE-2021-32921
+    + CVE-2021-32917
+    + CVE-2021-32919
+  * refresh patches
+
+ -- Victor Seva <vseva@debian.org>  Fri, 14 May 2021 09:17:12 +0200
+
 prosody (0.11.8-1) unstable; urgency=medium
 
   * New upstream version 0.11.8
diff -Nru prosody-0.11.8/debian/patches/0001-conf.patch prosody-0.11.9/debian/patches/0001-conf.patch
--- prosody-0.11.8/debian/patches/0001-conf.patch	2021-02-16 14:26:08.000000000 +0100
+++ prosody-0.11.9/debian/patches/0001-conf.patch	2021-05-14 09:17:12.000000000 +0200
@@ -6,11 +6,14 @@
 ---
  example.com.cfg.lua  | 29 +++++++++++++++++++++++++++++
  localhost.cfg.lua    |  5 +++++
- prosody.cfg.lua.dist | 40 +++++++++++++++++++++++++++++++---------
- 3 files changed, 65 insertions(+), 9 deletions(-)
+ prosody.cfg.lua.dist | 42 +++++++++++++++++++++++++++++++++++-------
+ 3 files changed, 69 insertions(+), 7 deletions(-)
  create mode 100644 example.com.cfg.lua
  create mode 100644 localhost.cfg.lua
 
+diff --git a/example.com.cfg.lua b/example.com.cfg.lua
+new file mode 100644
+index 0000000..9db4b4f
 --- /dev/null
 +++ b/example.com.cfg.lua
 @@ -0,0 +1,29 @@
@@ -43,6 +46,9 @@
 +--Component "gateway.example.com"
 +--	component_secret = "password"
 +
+diff --git a/localhost.cfg.lua b/localhost.cfg.lua
+new file mode 100644
+index 0000000..38a6655
 --- /dev/null
 +++ b/localhost.cfg.lua
 @@ -0,0 +1,5 @@
@@ -51,9 +57,11 @@
 +-- This allows clients to connect to localhost. No harm in it.
 +VirtualHost "localhost"
 +
+diff --git a/prosody.cfg.lua.dist b/prosody.cfg.lua.dist
+index 9ed17d5..5bc3120 100644
 --- a/prosody.cfg.lua.dist
 +++ b/prosody.cfg.lua.dist
-@@ -30,7 +30,9 @@
+@@ -30,7 +30,9 @@ admins = { }
  -- Prosody will always look in its source directory for modules, but
  -- this option allows you to specify additional locations where Prosody
  -- will look for modules first. For community modules, see https://modules.prosody.im/
@@ -64,15 +72,15 @@
  
  -- This is the list of modules Prosody will load on startup.
  -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-@@ -71,6 +73,7 @@
+@@ -72,6 +74,7 @@ modules_enabled = {
  		--"http_files"; -- Serve static files from a directory over HTTP
  
  	-- Other specific functionality
 +		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
- 		--"limits"; -- Enable bandwidth limiting for XMPP connections
  		--"groups"; -- Shared roster support
  		--"server_contact_info"; -- Publish contact information for this service
-@@ -88,13 +91,23 @@
+ 		--"announce"; -- Send announcement to all online users
+@@ -88,13 +91,23 @@ modules_disabled = {
  	-- "offline"; -- Store offline messages
  	-- "c2s"; -- Handle client connections
  	-- "s2s"; -- Handle server-to-server connections
@@ -97,7 +105,7 @@
  -- Force clients to use encrypted connections? This option will
  -- prevent clients from authenticating unless they are using encryption.
  
-@@ -131,7 +144,8 @@
+@@ -142,7 +155,8 @@ authentication = "internal_hashed"
  -- through modules. An "sql" backend is included by default, but requires
  -- additional dependencies. See https://prosody.im/doc/storage for more info.
  
@@ -107,7 +115,7 @@
  
  -- For the "sql" backend, you can uncomment *one* of the below to configure:
  --sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
-@@ -152,11 +166,16 @@
+@@ -163,11 +177,16 @@ archive_expires_after = "1w" -- Remove archived messages after 1 week
  
  -- Logging configuration
  -- For advanced logging see https://prosody.im/doc/logging
@@ -128,7 +136,7 @@
  }
  
  -- Uncomment to enable statistics
-@@ -179,6 +198,14 @@
+@@ -190,6 +209,14 @@ certificates = "certs"
  ----------- Virtual hosts -----------
  -- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
  -- Settings under each VirtualHost entry apply *only* to that host.
@@ -143,7 +151,7 @@
  
  VirtualHost "localhost"
  
-@@ -203,3 +230,4 @@
+@@ -214,3 +241,4 @@ VirtualHost "localhost"
  --
  --Component "gateway.example.com"
  --	component_secret = "password"
diff -Nru prosody-0.11.8/debian/patches/0002-prosody-lua52.patch prosody-0.11.9/debian/patches/0002-prosody-lua52.patch
--- prosody-0.11.8/debian/patches/0002-prosody-lua52.patch	2021-02-16 14:26:08.000000000 +0100
+++ prosody-0.11.9/debian/patches/0002-prosody-lua52.patch	2021-05-14 09:17:12.000000000 +0200
@@ -9,7 +9,7 @@
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/prosody b/prosody
-index ee2baca..1c353c6 100755
+index 3659ca5..f971298 100755
 --- a/prosody
 +++ b/prosody
 @@ -1,4 +1,4 @@
@@ -19,7 +19,7 @@
  -- Copyright (C) 2008-2010 Matthew Wild
  -- Copyright (C) 2008-2010 Waqas Hussain
 diff --git a/prosodyctl b/prosodyctl
-index d341a75..5e06f61 100755
+index 8c0ce66..9b6425e 100755
 --- a/prosodyctl
 +++ b/prosodyctl
 @@ -1,4 +1,4 @@
@@ -29,7 +29,7 @@
  -- Copyright (C) 2008-2010 Matthew Wild
  -- Copyright (C) 2008-2010 Waqas Hussain
 diff --git a/tools/migration/prosody-migrator.lua b/tools/migration/prosody-migrator.lua
-index 7c933b8..ca9b2c5 100644
+index 1219d89..d6d3607 100644
 --- a/tools/migration/prosody-migrator.lua
 +++ b/tools/migration/prosody-migrator.lua
 @@ -1,4 +1,4 @@
diff -Nru prosody-0.11.8/debian/patches/0003-buildflags.patch prosody-0.11.9/debian/patches/0003-buildflags.patch
--- prosody-0.11.8/debian/patches/0003-buildflags.patch	2021-02-16 14:26:08.000000000 +0100
+++ prosody-0.11.9/debian/patches/0003-buildflags.patch	2021-05-14 09:17:12.000000000 +0200
@@ -3,6 +3,11 @@
 Subject: don't override buildflags
 
 ---
+ configure | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 0fe186b..01a3bce 100755
 --- a/configure
 +++ b/configure
 @@ -23,8 +23,8 @@ EXCERTS="yes"
diff -Nru prosody-0.11.8/debian/patches/0004-fix-package.path-of-ejabberd2prosody.patch prosody-0.11.9/debian/patches/0004-fix-package.path-of-ejabberd2prosody.patch
--- prosody-0.11.8/debian/patches/0004-fix-package.path-of-ejabberd2prosody.patch	2021-02-16 14:26:08.000000000 +0100
+++ prosody-0.11.9/debian/patches/0004-fix-package.path-of-ejabberd2prosody.patch	2021-05-14 09:17:12.000000000 +0200
@@ -7,7 +7,7 @@
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/tools/ejabberd2prosody.lua b/tools/ejabberd2prosody.lua
-index d0675a6..aac6007 100755
+index 46a48f5..567be39 100755
 --- a/tools/ejabberd2prosody.lua
 +++ b/tools/ejabberd2prosody.lua
 @@ -9,7 +9,8 @@
diff -Nru prosody-0.11.8/debian/patches/0005-use-lua52.patch prosody-0.11.9/debian/patches/0005-use-lua52.patch
--- prosody-0.11.8/debian/patches/0005-use-lua52.patch	2021-02-16 14:26:08.000000000 +0100
+++ prosody-0.11.9/debian/patches/0005-use-lua52.patch	2021-05-14 09:17:12.000000000 +0200
@@ -1,12 +1,20 @@
-Description: use lua5.2 for prosody >= 0.11.0
-Author: W. Martin Borgert <debacle@debian.org>
+From: "W. Martin Borgert" <debacle@debian.org>
+Date: Fri, 14 May 2021 09:25:13 +0200
+Subject: use lua5.2 for prosody >= 0.11.0
+
 Origin: vendor
 Last-Update: 2018-11-24
+
+Last-Update: 2018-11-24
 ---
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+ configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure b/configure
+index 01a3bce..5577a62 100755
 --- a/configure
 +++ b/configure
-@@ -156,7 +156,7 @@
+@@ -156,7 +156,7 @@ do
        OSPRESET="$value"
        if [ "$OSPRESET" = "debian" ]; then
           if [ "$LUA_SUFFIX_SET" != "yes" ]; then
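Review bot: The refreshed header now carries `Last-Update: 2018-11-24` twice, once as an existing line and once as the added copy two lines below, so the DEP-3 metadata is duplicated; drop the added line and keep a single `Last-Update:`. The new git-style `Date:` says 2021-05-14 while `Last-Update` still says 2018, which reads as contradictory for a patch that was just re-exported, so it is worth deciding which one is authoritative.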
diff -Nru prosody-0.11.8/.hg_archival.txt prosody-0.11.9/.hg_archival.txt
--- prosody-0.11.8/.hg_archival.txt	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/.hg_archival.txt	2021-05-12 17:22:02.000000000 +0200
@@ -1,4 +1,4 @@
 repo: 3e3171b59028ee70122cfec6ecf98f518f946b59
-node: 774811e2c6abfc5a1b1dd60007cf564bb7c1f969
+node: d0e9ffccdef934af554ea2d4a5beb9a52e9e951d
 branch: 0.11
-tag: 0.11.8
+tag: 0.11.9
diff -Nru prosody-0.11.8/plugins/mod_auth_internal_hashed.lua prosody-0.11.9/plugins/mod_auth_internal_hashed.lua
--- prosody-0.11.8/plugins/mod_auth_internal_hashed.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_auth_internal_hashed.lua	2021-05-12 17:22:02.000000000 +0200
@@ -16,6 +16,7 @@
 local hex = require"util.hex";
 local to_hex, from_hex = hex.to, hex.from;
 local saslprep = require "util.encodings".stringprep.saslprep;
+local secure_equals = require "util.hashes".equals;
 
 local log = module._log;
 local host = module.host;
@@ -39,7 +40,7 @@
 	end
 
 	if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
-		if saslprep(credentials.password) ~= password then
+		if not secure_equals(saslprep(credentials.password), password) then
 			return nil, "Auth failed. Provided password is incorrect.";
 		end
 
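Review bot: `secure_equals` is backed by `luaL_checklstring` (see the `Lhash_equals` hunk in util-src/hashes.c later in this diff), so it raises on a nil argument where the replaced `~=` comparison simply evaluated to true. If `saslprep(credentials.password)` can return nil for a stored password that fails SASLprep — the plain backend's `Password fails SASLprep.` error in this same diff suggests the function does fail that way — this branch now throws during authentication instead of returning the `Auth failed` error. A guard keeps the old behaviour: `local stored = saslprep(credentials.password);` / `if not stored or not secure_equals(stored, password) then` / `return nil, "Auth failed. Provided password is incorrect.";`. The enclosing function starts before and continues after this hunk.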
@@ -59,7 +60,7 @@
 	local stored_key_hex = to_hex(stored_key);
 	local server_key_hex = to_hex(server_key);
 
-	if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then
+	if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then
 		return true;
 	else
 		return nil, "Auth failed. Invalid username, password, or password hash information.";
diff -Nru prosody-0.11.8/plugins/mod_auth_internal_plain.lua prosody-0.11.9/plugins/mod_auth_internal_plain.lua
--- prosody-0.11.8/plugins/mod_auth_internal_plain.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_auth_internal_plain.lua	2021-05-12 17:22:02.000000000 +0200
@@ -9,6 +9,7 @@
 local usermanager = require "core.usermanager";
 local new_sasl = require "util.sasl".new;
 local saslprep = require "util.encodings".stringprep.saslprep;
+local secure_equals = require "util.hashes".equals;
 
 local log = module._log;
 local host = module.host;
@@ -26,7 +27,7 @@
 		return nil, "Password fails SASLprep.";
 	end
 
-	if password == saslprep(credentials.password) then
+	if secure_equals(password, saslprep(credentials.password)) then
 		return true;
 	else
 		return nil, "Auth failed. Invalid username or password.";
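Review bot: The new `secure_equals(password, saslprep(credentials.password))` raises if the second argument is nil, because the C implementation uses `luaL_checklstring`, whereas the old `==` tolerated a nil and fell through to the `Auth failed` reply. The SASLprep check a few lines above only covers the client-supplied `password`, not the stored `credentials.password`; if stored values can fail SASLprep (or be absent), a nil here becomes a runtime error on the login path. Suggest `local stored = saslprep(credentials.password);` / `if stored and secure_equals(password, stored) then` so a bad stored value still yields the normal failure reply. The enclosing function begins outside this hunk.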
diff -Nru prosody-0.11.8/plugins/mod_bosh.lua prosody-0.11.9/plugins/mod_bosh.lua
--- prosody-0.11.8/plugins/mod_bosh.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_bosh.lua	2021-05-12 17:22:02.000000000 +0200
@@ -45,6 +45,7 @@
 
 local consider_bosh_secure = module:get_option_boolean("consider_bosh_secure");
 local cross_domain = module:get_option("cross_domain_bosh", false);
+local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 1024*256);
 
 if cross_domain == true then cross_domain = "*"; end
 if type(cross_domain) == "table" then cross_domain = table.concat(cross_domain, ", "); end
@@ -115,7 +116,7 @@
 	local body = request.body;
 
 	local context = { request = request, response = response, notopen = true };
-	local stream = new_xmpp_stream(context, stream_callbacks);
+	local stream = new_xmpp_stream(context, stream_callbacks, stanza_size_limit);
 	response.context = context;
 
 	local headers = response.headers;
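Review bot: The `stanza_size_limit` now passed to `new_xmpp_stream` bounds what the XML parser will accept, but `request.body` on the first line of the hunk has already been buffered in full by the HTTP layer before this handler runs, so the limit caps parser work rather than request memory. Whether the HTTP server enforces its own body-size limit is not visible here; if it does not, an oversized BOSH POST still costs its full size in memory before being rejected. A comment making the split explicit would help, e.g. `-- Bounds parsed stanza size only; the HTTP body has already been read into memory by the time we get here`, together with confirming the HTTP body limit separately. The enclosing request handler continues past this hunk.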
diff -Nru prosody-0.11.8/plugins/mod_c2s.lua prosody-0.11.9/plugins/mod_c2s.lua
--- prosody-0.11.8/plugins/mod_c2s.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_c2s.lua	2021-05-12 17:22:02.000000000 +0200
@@ -26,7 +26,7 @@
 local c2s_timeout = module:get_option_number("c2s_timeout", 300);
 local stream_close_timeout = module:get_option_number("c2s_close_timeout", 5);
 local opt_keepalives = module:get_option_boolean("c2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true));
-local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit"); -- TODO come up with a sensible default (util.xmppstream defaults to 10M)
+local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 1024*256);
 
 local measure_connections = module:measure("connections", "amount");
 local measure_ipv6 = module:measure("ipv6", "amount");
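Review bot: The fallback `1024*256` on the changed line is repeated verbatim in mod_bosh and mod_websocket in this same release, and mod_s2s and mod_component carry their own `1024*512`, so the client-facing and server-facing defaults now live in five places that can drift apart on the next change. A named default next to `default_stanza_size_limit` in util.xmppstream, or a shared constant the modules read, would keep them in one place. At minimum a comment here saying why 256KB was chosen over the 1MB xmppstream default would help operators tuning `c2s_stanza_size_limit`.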
@@ -190,12 +190,12 @@
 				if not session.destroyed then
 					session.log("warn", "Failed to receive a stream close response, closing connection anyway...");
 					sm_destroy_session(session, reason_text);
-					conn:close();
+					if conn then conn:close(); end
 				end
 			end);
 		else
 			sm_destroy_session(session, reason_text);
-			conn:close();
+			if conn then conn:close(); end
 		end
 	else
 		local reason_text = (reason and (reason.name or reason.text or reason.condition)) or reason;
@@ -226,11 +226,19 @@
 end, 200);
 
 function runner_callbacks:ready()
-	self.data.conn:resume();
+	if self.data.conn then
+		self.data.conn:resume();
+	else
+		(self.data.log or log)("debug", "Session has no connection to resume");
+	end
 end
 
 function runner_callbacks:waiting()
-	self.data.conn:pause();
+	if self.data.conn then
+		self.data.conn:pause();
+	else
+		(self.data.log or log)("debug", "Session has no connection to pause while waiting");
+	end
 end
 
 function runner_callbacks:error(err)
diff -Nru prosody-0.11.8/plugins/mod_component.lua prosody-0.11.9/plugins/mod_component.lua
--- prosody-0.11.8/plugins/mod_component.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_component.lua	2021-05-12 17:22:02.000000000 +0200
@@ -27,6 +27,7 @@
 local log = module._log;
 
 local opt_keepalives = module:get_option_boolean("component_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true));
+local stanza_size_limit = module:get_option_number("component_stanza_size_limit", module:get_option_number("s2s_stanza_size_limit", 1024*512));
 
 local sessions = module:shared("sessions");
 
@@ -297,7 +298,7 @@
 
 	session.log("info", "Incoming Jabber component connection");
 
-	local stream = new_xmpp_stream(session, stream_callbacks);
+	local stream = new_xmpp_stream(session, stream_callbacks, stanza_size_limit);
 	session.stream = stream;
 
 	session.notopen = true;
diff -Nru prosody-0.11.8/plugins/mod_dialback.lua prosody-0.11.9/plugins/mod_dialback.lua
--- prosody-0.11.8/plugins/mod_dialback.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_dialback.lua	2021-05-12 17:22:02.000000000 +0200
@@ -13,6 +13,7 @@
 local st = require "util.stanza";
 local sha256_hash = require "util.hashes".sha256;
 local sha256_hmac = require "util.hashes".hmac_sha256;
+local secure_equals = require "util.hashes".equals;
 local nameprep = require "util.encodings".stringprep.nameprep;
 local uuid_gen = require"util.uuid".generate;
 
@@ -21,20 +22,6 @@
 local dialback_requests = setmetatable({}, { __mode = 'v' });
 
 local dialback_secret = sha256_hash(module:get_option_string("dialback_secret", uuid_gen()), true);
-local dwd = module:get_option_boolean("dialback_without_dialback", false);
-
---- Helper to check that a session peer's certificate is valid
-function check_cert_status(session)
-	local host = session.direction == "outgoing" and session.to_host or session.from_host
-	local conn = session.conn:socket()
-	local cert
-	if conn.getpeercertificate then
-		cert = conn:getpeercertificate()
-	end
-
-	return module:fire_event("s2s-check-certificate", { host = host, session = session, cert = cert });
-end
-
 
 function module.save()
 	return { dialback_secret = dialback_secret };
@@ -56,7 +43,7 @@
 end
 
 function verify_dialback(id, to, from, key)
-	return key == generate_dialback(id, to, from);
+	return secure_equals(key, generate_dialback(id, to, from));
 end
 
 module:hook("stanza/jabber:server:dialback:verify", function(event)
@@ -104,15 +91,6 @@
 			origin:close("improper-addressing");
 		end
 
-		if dwd and origin.secure then
-			if check_cert_status(origin, from) == false then
-				return
-			elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
-				origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" }));
-				module:fire_event("s2s-authenticated", { session = origin, host = from });
-				return true;
-			end
-		end
 
 		origin.hosts[from] = { dialback_key = stanza[1] };
 
diff -Nru prosody-0.11.8/plugins/mod_http.lua prosody-0.11.9/plugins/mod_http.lua
--- prosody-0.11.8/plugins/mod_http.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_http.lua	2021-05-12 17:22:02.000000000 +0200
@@ -161,7 +161,7 @@
 local function get_ip_from_request(request)
 	local ip = request.conn:ip();
 	local forwarded_for = request.headers.x_forwarded_for;
-	if forwarded_for then
+	if forwarded_for and trusted_proxies[ip] then
 		forwarded_for = forwarded_for..", "..ip;
 		for forwarded_ip in forwarded_for:gmatch("[^%s,]+") do
 			if not trusted_proxies[forwarded_ip] then
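Review bot: The trusted-proxy check on the changed line compares `conn:ip()` against `trusted_proxies` as a literal string, so an IPv6 peer, or an IPv4 peer seen through a dual-stack socket as `::ffff:a.b.c.d`, will not match an entry written as `a.b.c.d` and X-Forwarded-For will be ignored for it — fail-closed, but easy to misdiagnose. A comment here would save the next reader a trip to the option docs, e.g. `-- Only honour X-Forwarded-For when the direct peer is a configured trusted proxy; addresses match as literal strings`, and the `trusted_proxies` documentation should mention IPv6 textual forms. The loop that selects the client address continues past the hunk, so whether it keeps the rightmost untrusted entry (the safe choice when a client can prepend entries) cannot be confirmed from here.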
diff -Nru prosody-0.11.8/plugins/mod_limits.lua prosody-0.11.9/plugins/mod_limits.lua
--- prosody-0.11.8/plugins/mod_limits.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_limits.lua	2021-05-12 17:22:02.000000000 +0200
@@ -31,7 +31,7 @@
 		burst = burst:match("^(%d+) ?s$");
 	end
 	local n_burst = tonumber(burst);
-	if not n_burst then
+	if burst and not n_burst then
 		module:log("error", "Unable to parse burst for %s: %q, using default burst interval (%ds)", sess_type, tostring(burst), default_burst);
 	end
 	return n_burst or default_burst;
@@ -39,7 +39,16 @@
 
 -- Process config option into limits table:
 -- limits = { c2s = { bytes_per_second = X, burst_seconds = Y } }
-local limits = {};
+local limits = {
+	c2s = {
+		bytes_per_second = 10 * 1024;
+		burst_seconds = 2;
+	};
+	s2sin = {
+		bytes_per_second = 30 * 1024;
+		burst_seconds = 2;
+	};
+};
 
 for sess_type, sess_limits in pairs(limits_cfg) do
 	limits[sess_type] = {
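Review bot: The new built-in `c2s` and `s2sin` defaults apply silently whenever mod_limits is loaded without a `limits` entry for that type, and the loop starting on the last line of the hunk (which continues past it) only overrides types present in `limits_cfg`, so an operator who configures just `c2s` still gets 30KB/s on inbound s2s. Suggest saying so in the comment above the table, e.g. `-- Built-in defaults; any session type not listed in the 'limits' config keeps these values`, and documenting the 10KB/s and 30KB/s figures where the option is described.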
diff -Nru prosody-0.11.8/plugins/mod_proxy65.lua prosody-0.11.9/plugins/mod_proxy65.lua
--- prosody-0.11.8/plugins/mod_proxy65.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_proxy65.lua	2021-05-12 17:22:02.000000000 +0200
@@ -94,6 +94,7 @@
 
 	local proxy_address = module:get_option_string("proxy65_address", host);
 	local proxy_acl = module:get_option_array("proxy65_acl");
+	local proxy_open_access = module:get_option_boolean("proxy65_open_access", false);
 
 	-- COMPAT w/pre-0.9 where proxy65_port was specified in the components section of the config
 	local legacy_config = module:get_option_number("proxy65_port");
@@ -110,13 +111,20 @@
 
 		-- check ACL
 		-- using 'while' instead of 'if' so we can break out of it
-		while proxy_acl and #proxy_acl > 0 do --luacheck: ignore 512
+		local allow;
+		if proxy_acl and #proxy_acl > 0 then
 			local jid = stanza.attr.from;
-			local allow;
 			for _, acl in ipairs(proxy_acl) do
-				if jid_compare(jid, acl) then allow = true; break; end
+				if jid_compare(jid, acl) then
+					allow = true;
+					break;
+				end
 			end
-			if allow then break; end
+		elseif proxy_open_access or origin.type == "c2s" then
+			allow = true;
+		end
+
+		if not allow then
 			module:log("warn", "Denying use of proxy for %s", tostring(stanza.attr.from));
 			origin.send(st.error_reply(stanza, "auth", "forbidden"));
 			return true;
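Review bot: The rewritten check changes the no-ACL case from "anyone may use the proxy" to "only local `c2s` sessions, or everyone if `proxy65_open_access`", and once `proxy65_acl` is non-empty neither of those fallbacks is reached; this precedence is the substance of the fix but it is not written down anywhere in the hunk. A comment at `local allow;` such as `-- Precedence: explicit ACL if configured; otherwise local (c2s) users, or everyone when proxy65_open_access is set` and a note in the option docs that `proxy65_open_access` is ignored once an ACL exists would make the behaviour discoverable. `stanza.attr.from` is handed to `jid_compare` unchecked; if the stanza router always stamps it for c2s that is fine, but that is outside this hunk.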
diff -Nru prosody-0.11.8/plugins/mod_s2s/mod_s2s.lua prosody-0.11.9/plugins/mod_s2s/mod_s2s.lua
--- prosody-0.11.8/plugins/mod_s2s/mod_s2s.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_s2s/mod_s2s.lua	2021-05-12 17:22:02.000000000 +0200
@@ -37,7 +37,7 @@
 local secure_domains, insecure_domains =
 	module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items;
 local require_encryption = module:get_option_boolean("s2s_require_encryption", false);
-local stanza_size_limit = module:get_option_number("s2s_stanza_size_limit"); -- TODO come up with a sensible default (util.xmppstream defaults to 10M)
+local stanza_size_limit = module:get_option_number("s2s_stanza_size_limit", 1024*512);
 
 local measure_connections = module:measure("connections", "amount");
 local measure_ipv6 = module:measure("ipv6", "amount");
@@ -276,7 +276,7 @@
 end
 
 --- Helper to check that a session peer's certificate is valid
-function check_cert_status(session)
+local function check_cert_status(session)
 	local host = session.direction == "outgoing" and session.to_host or session.from_host
 	local conn = session.conn:socket()
 	local cert
diff -Nru prosody-0.11.8/plugins/mod_saslauth.lua prosody-0.11.9/plugins/mod_saslauth.lua
--- prosody-0.11.8/plugins/mod_saslauth.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_saslauth.lua	2021-05-12 17:22:02.000000000 +0200
@@ -44,6 +44,9 @@
 end
 
 local function handle_status(session, status, ret, err_msg)
+	if not session.sasl_handler then
+		return "failure", "temporary-auth-failure", "Connection gone";
+	end
 	if status == "failure" then
 		module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg });
 		session.sasl_handler = session.sasl_handler:clean_clone();
diff -Nru prosody-0.11.8/plugins/mod_websocket.lua prosody-0.11.9/plugins/mod_websocket.lua
--- prosody-0.11.8/plugins/mod_websocket.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/mod_websocket.lua	2021-05-12 17:22:02.000000000 +0200
@@ -28,7 +28,7 @@
 
 local t_concat = table.concat;
 
-local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 10 * 1024 * 1024);
+local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 1024 * 256);
 local frame_buffer_limit = module:get_option_number("websocket_frame_buffer_limit", 2 * stanza_size_limit);
 local frame_fragment_limit = module:get_option_number("websocket_frame_fragment_limit", 8);
 local stream_close_timeout = module:get_option_number("c2s_close_timeout", 5);
diff -Nru prosody-0.11.8/plugins/muc/members_only.lib.lua prosody-0.11.9/plugins/muc/members_only.lib.lua
--- prosody-0.11.8/plugins/muc/members_only.lib.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/plugins/muc/members_only.lib.lua	2021-05-12 17:22:02.000000000 +0200
@@ -61,12 +61,20 @@
 end
 
 module:hook("muc-disco#info", function(event)
-	event.reply:tag("feature", {var = get_members_only(event.room) and "muc_membersonly" or "muc_open"}):up();
+	local members_only_room = not not get_members_only(event.room);
+	local members_can_invite = not not get_allow_member_invites(event.room);
+	event.reply:tag("feature", {var = members_only_room and "muc_membersonly" or "muc_open"}):up();
 	table.insert(event.form, {
 		name = "{http://prosody.im/protocol/muc}roomconfig_allowmemberinvites";;
 		label = "Allow members to invite new members";
 		type = "boolean";
-		value = not not get_allow_member_invites(event.room);
+		value = members_can_invite;
+	});
+	table.insert(event.form, {
+		name = "muc#roomconfig_allowinvites";
+		label = "Allow users to invite other users";
+		type = "boolean";
+		value = not members_only_room or members_can_invite;
 	});
 end);
 
diff -Nru prosody-0.11.8/prosody.cfg.lua.dist prosody-0.11.9/prosody.cfg.lua.dist
--- prosody-0.11.8/prosody.cfg.lua.dist	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/prosody.cfg.lua.dist	2021-05-12 17:22:02.000000000 +0200
@@ -51,6 +51,7 @@
 		"blocklist"; -- Allow users to block communications with other users
 		"vcard4"; -- User profiles (stored in PEP)
 		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
 
 	-- Nice to have
 		"version"; -- Replies to server version requests
@@ -71,7 +72,6 @@
 		--"http_files"; -- Serve static files from a directory over HTTP
 
 	-- Other specific functionality
-		--"limits"; -- Enable bandwidth limiting for XMPP connections
 		--"groups"; -- Shared roster support
 		--"server_contact_info"; -- Publish contact information for this service
 		--"announce"; -- Send announcement to all online users
@@ -121,6 +121,17 @@
 
 --s2s_secure_domains = { "jabber.org" }
 
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
 -- Select the authentication backend to use. The 'internal' providers
 -- use Prosody's configured data storage to store the authentication data.
 
diff -Nru prosody-0.11.8/prosodyctl prosody-0.11.9/prosodyctl
--- prosody-0.11.8/prosodyctl	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/prosodyctl	2021-05-12 17:22:02.000000000 +0200
@@ -413,7 +413,8 @@
 	print("");
 	print("# Lua module versions");
 	local module_versions, longest_name = {}, 8;
-	local luaevent =dependencies.softreq"luaevent";
+	local luaevent = dependencies.softreq"luaevent";
+	local lxp = dependencies.softreq"lxp";
 	dependencies.softreq"ssl";
 	dependencies.softreq"DBI";
 	for name, module in pairs(package.loaded) do
@@ -428,6 +429,9 @@
 	if luaevent then
 		module_versions["libevent"] = luaevent.core.libevent_version();
 	end
+	if lxp then
+		module_versions["libexpat"] = lxp._EXPAT_VERSION;
+	end
 	local sorted_keys = array.collect(keys(module_versions)):sort();
 	for _, name in ipairs(sorted_keys) do
 		print(name..":"..string.rep(" ", longest_name-#name), module_versions[name]);
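Review bot: If `lxp._EXPAT_VERSION` is absent in the installed LuaExpat, the added block assigns nil and the key is simply never created, so the report silently omits expat and a reader cannot tell "lxp missing" from "version unknown". Since this output is what operators paste into bug reports, consider `module_versions["libexpat"] = lxp._EXPAT_VERSION or "unknown";` so the row is always present. Whether older LuaExpat builds lack the field is not visible here and should be checked against the versions Debian ships.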
@@ -837,7 +841,7 @@
 		local known_global_options = set.new({
 			"pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize",
 			"umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings",
-			"network_backend", "http_default_host",
+			"network_backend", "http_default_host", "gc",
 			"statistics_interval", "statistics", "statistics_config",
 		});
 		local config = configmanager.getconfig();
diff -Nru prosody-0.11.8/prosody.release prosody-0.11.9/prosody.release
--- prosody-0.11.8/prosody.release	2021-02-15 18:23:35.000000000 +0100
+++ prosody-0.11.9/prosody.release	2021-05-12 18:52:16.000000000 +0200
@@ -1 +1 @@
-0.11.8
+0.11.9
diff -Nru prosody-0.11.8/util/set.lua prosody-0.11.9/util/set.lua
--- prosody-0.11.8/util/set.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/util/set.lua	2021-05-12 17:22:02.000000000 +0200
@@ -6,8 +6,8 @@
 -- COPYING file in the source package for more information.
 --
 
-local ipairs, pairs, setmetatable, next, tostring =
-      ipairs, pairs, setmetatable, next, tostring;
+local ipairs, pairs, getmetatable, setmetatable, next, tostring =
+      ipairs, pairs, getmetatable, setmetatable, next, tostring;
 local t_concat = table.concat;
 
 local _ENV = nil;
@@ -31,6 +31,11 @@
 	return a;
 end
 
+local function is_set(o)
+	local mt = getmetatable(o);
+	return mt == set_mt;
+end
+
 local function new(list)
 	local items = setmetatable({}, items_mt);
 	local set = { _items = items };
@@ -171,6 +176,7 @@
 
 return {
 	new = new;
+	is_set = is_set;
 	union = union;
 	difference = difference;
 	intersection = intersection;
diff -Nru prosody-0.11.8/util/startup.lua prosody-0.11.9/util/startup.lua
--- prosody-0.11.8/util/startup.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/util/startup.lua	2021-05-12 17:22:02.000000000 +0200
@@ -12,7 +12,13 @@
 
 local original_logging_config;
 
-local default_gc_params = { mode = "incremental", threshold = 105, speed = 250 };
+local default_gc_params = {
+	mode = "incremental";
+	-- Incremental mode defaults
+	threshold = 105, speed = 500;
+	-- Generational mode defaults
+	minor_threshold = 20, major_threshold = 50;
+};
 
 local short_params = { D = "daemonize", F = "no-daemonize" };
 local value_params = { config = true };
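Review bot: The new `default_gc_params` constructor mixes `;` and `,` as field separators on consecutive lines (`mode = "incremental";` then `threshold = 105, speed = 500;`), which is legal Lua but inconsistent with the single-separator style used elsewhere in this diff, for example the `limits` table in mod_limits. `speed` also changes from 250 to 500 without the comment saying why; the reason is not visible here, and a one-line rationale would help whoever next tunes these. I would put each field on its own line with `;` and keep the mode comments.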
diff -Nru prosody-0.11.8/util/xmppstream.lua prosody-0.11.9/util/xmppstream.lua
--- prosody-0.11.8/util/xmppstream.lua	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/util/xmppstream.lua	2021-05-12 17:22:02.000000000 +0200
@@ -22,7 +22,7 @@
 local lxp_supports_xmldecl = pcall(lxp.new, { XmlDecl = false });
 local lxp_supports_bytecount = not not lxp.new({}).getcurrentbytecount;
 
-local default_stanza_size_limit = 1024*1024*10; -- 10MB
+local default_stanza_size_limit = 1024*1024*1; -- 1MB
 
 local _ENV = nil;
 -- luacheck: std none
@@ -188,6 +188,9 @@
 				stanza = t_remove(stack);
 			end
 		else
+			if lxp_supports_bytecount then
+				cb_handleprogress(stanza_size);
+			end
 			if cb_streamclosed then
 				cb_streamclosed(session);
 			end
@@ -290,6 +293,9 @@
 			return ok, err;
 		end,
 		set_session = meta.set_session;
+		set_stanza_size_limit = function (_, new_stanza_size_limit)
+			stanza_size_limit = new_stanza_size_limit;
+		end;
 	};
 end
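Review bot: `set_stanza_size_limit` stores whatever it is given without validation, so a caller passing nil or a non-number would make the size comparison in the parser (outside this hunk) fail at runtime rather than when the limit is set. A check before the assignment fails early: `if type(new_stanza_size_limit) ~= "number" or new_stanza_size_limit <= 0 then return nil, "stanza size limit must be a positive number"; end`; if nil is meant to mean "revert to the default", handle that explicitly instead. A short comment on why the limit can change mid-stream (the intended use is not visible here) would also help the next reader.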
 
diff -Nru prosody-0.11.8/util-src/hashes.c prosody-0.11.9/util-src/hashes.c
--- prosody-0.11.8/util-src/hashes.c	2021-02-15 16:29:13.000000000 +0100
+++ prosody-0.11.9/util-src/hashes.c	2021-05-12 17:22:02.000000000 +0200
@@ -23,6 +23,7 @@
 
 #include "lua.h"
 #include "lauxlib.h"
+#include <openssl/crypto.h>
 #include <openssl/sha.h>
 #include <openssl/md5.h>
 #include <openssl/hmac.h>
@@ -189,6 +190,18 @@
 	return 1;
 }
 
+static int Lhash_equals(lua_State *L) {
+	size_t len1, len2;
+	const char *s1 = luaL_checklstring(L, 1, &len1);
+	const char *s2 = luaL_checklstring(L, 2, &len2);
+	if(len1 == len2) {
+		lua_pushboolean(L, CRYPTO_memcmp(s1, s2, len1) == 0);
+	} else {
+		lua_pushboolean(L, 0);
+	}
+	return 1;
+}
+
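Review bot: `Lhash_equals` returns as soon as the lengths differ, so the comparison is constant-time only for equal-length operands and the length of the secret remains observable through timing; that is fine for fixed-width digests and hex keys, but the same function is used on SASLprep'd plaintext passwords in the auth modules in this diff, so the caveat belongs in a comment above the function, e.g. `/* Constant-time for equal-length inputs only; operand length is not hidden. */`. Both arguments go through `luaL_checklstring`, which raises on nil or non-string values, whereas the Lua `==` it replaces never raised; the callers need to pre-check for nil or the doc comment should state that contract so they do.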
 static const luaL_Reg Reg[] = {
 	{ "sha1",		Lsha1		},
 	{ "sha224",		Lsha224		},
@@ -201,6 +214,7 @@
 	{ "hmac_sha512",	Lhmac_sha512	},
 	{ "hmac_md5",		Lhmac_md5	},
 	{ "scram_Hi_sha1",	LscramHi	},
+	{ "equals",             Lhash_equals    },
 	{ NULL,			NULL		}
 };
 

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
