Debian has issued an advisory on April 6: https://www.debian.org/security/2014/dsa-2895

Mageia 3 and Mageia 4 are also affected.
CC: (none) => pterjan
Whiteboard: (none) => MGA4TOO, MGA3TOO
I believe this oss-security thread is related to this: http://openwall.com/lists/oss-security/2014/04/07/7 No CVEs have been allocated yet, but may be at a later time.
CVEs and more details: http://openwall.com/lists/oss-security/2014/04/09/1
Summary: prosody, lua-expat new denial of service security issue => prosody, lua-expat new denial of service security issue (CVE-2014-2744 and CVE-2014-2745)
A regression in the initial prosody update has been corrected: http://lwn.net/Alerts/595553/
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated prosody and lua-expat packages fix security vulnerabilities:

A denial-of-service vulnerability has been reported in Prosody before 0.9.4. If compression is enabled, an attacker might send highly-compressed XML elements (an attack known as a "zip bomb") over XMPP streams and consume all the resources of the server (CVE-2014-2744, CVE-2014-2745). The SAX XML parser lua-expat, prior to 1.3.0, is also affected by these issues. Both packages have been patched to correct these flaws.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2745
http://openwall.com/lists/oss-security/2014/04/09/1
https://www.debian.org/security/2014/dsa-2895
========================

Updated packages in core/updates_testing:
========================
prosody-0.8.2-6.1.mga3
lua-expat-1.2.0-3.1.mga3
prosody-0.8.2-7.1.mga4
lua-expat-1.2.0-4.1.mga4

from SRPMS:
prosody-0.8.2-6.1.mga3.src.rpm
lua-expat-1.2.0-3.1.mga3.src.rpm
prosody-0.8.2-7.1.mga4.src.rpm
lua-expat-1.2.0-4.1.mga4.src.rpm
CC: (none) => thierry.vignaud
Version: Cauldron => 4
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
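The mitigation behind the advisory is to bound how far one compressed XMPP chunk may inflate. The following is an added illustration, not Prosody's or lua-expat's own code: it inflates a zlib chunk under an output-size cap and an expansion-ratio cap, so a constructed over-compressible stanza is rejected after a few hundred kilobytes while a normal stanza round-trips. The limits and sample stanzas are assumptions made for the example.

```python
import zlib

# Hypothetical limits for this example (not Prosody's or lua-expat's
# configuration): cap the inflated size of one compressed chunk and the
# ratio between inflated and compressed bytes.
MAX_INFLATED_BYTES = 256 * 1024  # 256 KiB of XML per compressed chunk
MAX_RATIO = 100                  # refuse anything expanding more than 100:1


class DecompressionBombError(ValueError):
    """Raised when a compressed chunk would expand beyond the configured caps."""


def inflate_bounded(compressed, max_bytes=MAX_INFLATED_BYTES, max_ratio=MAX_RATIO):
    """Inflate one zlib chunk without ever materialising more than max_bytes.

    zlib.decompressobj().decompress(data, max_length) returns at most
    max_length bytes and parks the rest of the input in unconsumed_tail, so
    a bomb is detected after inflating max_bytes + 1 bytes, not gigabytes.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = compressed
    while pending:
        room = max_bytes + 1 - len(out)  # +1 so crossing the cap is observable
        out += d.decompress(pending, room)
        pending = d.unconsumed_tail
        if len(out) > max_bytes:
            raise DecompressionBombError("inflated size exceeds %d bytes" % max_bytes)
        if len(out) > max_ratio * len(compressed):
            raise DecompressionBombError("expansion ratio exceeds %d:1" % max_ratio)
    return bytes(out)


def rejects(compressed):
    """True if the bounded inflater refuses the chunk as a bomb."""
    try:
        inflate_bounded(compressed)
    except DecompressionBombError:
        return True
    return False


# Constructed sample inputs: a normal stanza, and one padded with two
# million spaces, which zlib shrinks to a few kilobytes (roughly 1000:1).
LEGIT_STANZA = b'<message to="alice@example.org"><body>hello</body></message>'
LEGIT_CHUNK = zlib.compress(LEGIT_STANZA, 9)
BOMB_CHUNK = zlib.compress(b"<message>" + b" " * 2_000_000 + b"</message>", 9)

if __name__ == "__main__":
    print("legit round-trips:", inflate_bounded(LEGIT_CHUNK) == LEGIT_STANZA)
    print("bomb rejected:", rejects(BOMB_CHUNK))
```

A real stream-compression implementation applies the same caps per flush on a long-lived decompressor rather than per complete zlib stream, but the detection logic is identical.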
Lua-expat is a require of prosody, which itself is an XMPP/Jabber server. Testing by ensuring the prosody service can be started.

Testing mga4 64

# systemctl start prosody.service
Job for prosody.service failed. See 'systemctl status prosody.service' and 'journalctl -xn' for details.

# systemctl status -a prosody.service
prosody.service - LSB: The prosody small XMPP/Jabber server
   Loaded: loaded (/etc/rc.d/init.d/prosody)
   Active: failed (Result: exit-code) since Fri 2014-05-02 17:02:11 BST; 1min 8s ago
  Process: 2542 ExecStart=/etc/rc.d/init.d/prosody start (code=exited, status=1/FAILURE)

su[2547]: (to prosody) root on none
prosody[2542]: Starting prosody: lua: /usr/bin/prosody:339: invalid escape sequence near '\s'
prosody[2542]: [FAILED]
systemd[1]: prosody.service: control process exited, code=exited status=1
systemd[1]: Failed to start LSB: The prosody small XMPP/Jabber server.
systemd[1]: Unit prosody.service entered failed state.

Seems this was reported in mga2 and eventually closed as old :( bug 7682

Adding lua-filesystem has no effect.
Whiteboard: MGA3TOO => MGA3TOO feedback
Assigning back to you David. Please reassign when you're ready. Thanks.
Assignee: qa-bugs => luigiwalser
Whiteboard: MGA3TOO feedback => MGA3TOO
CC: (none) => qa-bugs
Assigning to tv, who last updated the package.
Assignee: luigiwalser => thierry.vignaud
CC'ing Rémi who was working on these packages in Cauldron and might be able to help fix this.
CC: (none) => remi
Fedora has now fixed this in Fedora 20: https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157595.html It sounds like they may also have a solution for the lua5.1/lua5.2 issue.
Do we keep this old prosody release or do we update?
CC: (none) => mageia
If updating it helps, I see no reason not to. I don't think that solves the lua issue though. Rémi can say more about that.
As far as I remember, prosody never worked because it's badly packaged. And nobody seems to care about it, that's why we dropped it from cauldron. So IMO we should patch lua-expat, and maybe update the source tarball of prosody if we want to make sure that there is no underlying security vulnerability that could hit people who fixed their prosody install. But we probably shouldn't bother making it work out of the box.
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it. This package has been dropped and no longer exists in Mageia as of Mageia 5. Closing this as OLD.
Status: NEW => RESOLVED
Resolution: (none) => OLD