openSUSE-SU-2021:0751-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2021:0751-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2021:0751-1
Published
2021-05-18T04:04:55Z
Modified
2021-05-18T04:04:55Z
Summary
Security update for prosody
Details

This update for prosody fixes the following issues:

prosody was updated to 0.11.9:

Security:

  • mod_limits, prosody.cfg.lua: Enable rate limits by default
  • certmanager: Disable renegotiation by default
  • mod_proxy65: Restrict access to local c2s connections by default
  • util.startup: Set more aggressive defaults for GC
  • mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websocket: Set default stanza size limits
  • mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
  • mod_dialback: Remove dialback-without-dialback feature
  • mod_dialback: Use constant-time comparison with hmac

Minor changes:

  • util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)
  • mod_c2s: Don’t throw errors in async code when connections are gone
  • mod_c2s: Fix traceback in session close when conn is nil
  • core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
  • mod_saslauth: Use a defined SASL error
  • MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info
  • mod_saslauth: Don’t throw errors in async code when connections are gone
  • mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub feature in disco)
  • prosodyctl check config: Add ‘gc’ to list of global options
  • prosodyctl about: Report libexpat version if known
  • util.xmppstream: Add API to dynamically configure the stanza size limit for a stream
  • util.set: Add is_set() to test if an object is a set
  • mod_http: Skip IP resolution in non-proxied case
  • mod_c2s: Log about missing conn on async state changes
  • util.xmppstream: Reduce internal default xmppstream limit to 1MB

Relevant: https://prosody.im/security/advisory_20210512

  • boo#1186027: Prosody XMPP server advisory 2021-05-12
  • CVE-2021-32919
  • CVE-2021-32917
  • CVE-2021-32920
  • CVE-2021-32918

Update to 0.11.8:

Security:

  • mod_saslauth: Disable ‘tls-unique’ channel binding with TLS 1.3 (#1542)

Fixes and improvements:

  • net.websocket.frames: Improve websocket masking performance by using the new util.strbitop
  • util.strbitop: Library for efficient bitwise operations on strings

Minor changes:

  • MUC: Correctly advertise whether the subject can be changed (#1155)
  • MUC: Preserve disco ‘node’ attribute (or lack thereof) in responses (#1595)
  • MUC: Fix logic bug causing unnecessary presence to be sent (#1615)
  • mod_bosh: Fix error if client tries to connect to component (#425)
  • mod_bosh: Pick out the ‘wait’ before checking it instead of earlier
  • mod_pep: Advertise base PubSub feature (#1632)
  • mod_pubsub: Fix notification stanza type setting (#1605)
  • mod_s2s: Prevent keepalives before client has established a stream
  • net.adns: Fix bug that sent empty DNS packets (#1619)
  • net.http.server: Don’t send Content-Length on 1xx/204 responses (#1596)
  • net.websocket.frames: Fix length calculation bug (#1598)
  • util.dbuffer: Make length API in line with Lua strings
  • util.dbuffer: Optimize substring operations
  • util.debug: Fix locals being reported under wrong stack frame in some cases
  • util.dependencies: Fix check for Lua bitwise operations library (#1594)
  • util.interpolation: Fix combination of filters and fallback values #1623
  • util.promise: Preserve tracebacks
  • util.stanza: Reject ASCII control characters (#1606)
  • timers: Ensure timers can’t block other processing (#1620)

Update to 0.11.7:

Security:

  • mod_websocket: Enforce size limits on received frames (fixes #1593)

Fixes and improvements:

  • mod_c2s, mod_s2s: Make stanza size limits configurable
  • Add configuration options to control Lua garbage collection parameters
  • net.http: Backport SNI support for outgoing HTTP requests (#409)
  • mod_websocket: Process all data in the buffer on close frame and connection errors (fixes #1474, #1234)
  • util.indexedbheap: Fix heap data structure corruption, causing some timers to fail after a reschedule (fixes #1572)

Update to 0.11.6:

Fixes and improvements:

  • mod_storage_internal: Fix error in time limited queries on items without ‘when’ field, fixes #1557
  • mod_carbons: Fix handling of incoming MUC PMs #1540
  • mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important
  • mod_http_files: Avoid using inode in etag, fixes #1498: Fail to download file on FreeBSD
  • mod_admin_telnet: Create a DNS resolver per console session (fixes #1492: Telnet console DNS commands reduced usefulness)
  • core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
  • mod_s2s: Escape invalid XML in logging (same way as mod_c2s) (fixes #1574: Invalid XML input on s2s connection is logged unescaped)
  • mod_muc: Allow control over the server-admins-are-room-owners feature (see #1174)
  • mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552: MUC MAM may strip its own archive id)
  • mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam does not strip spoofed stanza ids
  • mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547: mod_muc_mam does not advertise stanza-id

Minor changes:

  • net.http API: Add request:cancel() method
  • net.http API: Fix traceback on invalid URL passed to request()
  • MUC: Persist affiliation_data in new MUC format
  • mod_websocket: Fire event on session creation (thanks Aaron van Meerten)
  • MUC: Always include ‘affiliation’/‘role’ attributes, defaulting to ‘none’ if nil
  • mod_tls: Log when certificates are (re)loaded
  • mod_vcard4: Report correct error condition (fixes #1521: mod_vcard4 reports wrong error)
  • net.http: Re-expose destroy_request() function (fixes unintentional API breakage)
  • net.http.server: Strip port from Host header in IPv6 friendly way (fix #1302)
  • util.prosodyctl: Tell prosody to daemonize via command line flag (fixes #1514)
  • SASL: Apply saslprep where necessary, fixes #1560: Login fails if password contains special chars
  • net.http.server: Fix reporting of missing Host header
  • util.datamanager API: Fix iterating over “users” (thanks marc0s)
  • net.resolvers.basic: Default conn_type to ‘tcp’ consistently if unspecified (thanks marc0s)
  • mod_storage_sql: Fix check for deletion limits (fixes #1494)
  • mod_admin_telnet: Handle unavailable cipher info (fixes #1510: mod_admin_telnet backtrace)
  • Log warning when using prosodyctl start/stop/restart
  • core.certmanager: Look for privkey.pem to go with fullchain.pem (fixes #1526)
  • mod_storage_sql: Add index covering sort_id to improve performance (fixes #1505)
  • mod_mam, mod_muc_mam: Allow other work to be performed during archive cleanup (fixes #1504)
  • mod_muc_mam: Don’t strip MUC tags, fix #1567: MUC tags stripped by mod_muc_mam
  • mod_pubsub, mod_pep: Ensure correct number of children of (fixes #1496)
  • mod_register_ibr: Add FORM_TYPE as required by XEP-0077 (fixes #1511)
  • mod_muc_mam: Fix traceback saving message from non-occupant (fixes #1497)
  • util.startup: Remove duplicated initialization of logging (fix #1527: startup: Logging initialized twice)

This update was imported from the openSUSE:Leap:15.2:Update update project.

Affected packages

SUSE:Package Hub 15 SP2 / prosody

Package

Name
prosody
Purl
pkg:rpm/suse/prosody&distro=SUSE%20Package%20Hub%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
0.11.9-bp152.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "prosody": "0.11.9-bp152.2.3.1"
        }
    ]
}