CVE-2021-32920 - log

CVE-2021-32920 edited at 13 May 2021 15:14:18
References
https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption
https://hg.prosody.im/trunk/rev/55ef50d6cf65
https://hg.prosody.im/trunk/rev/5a484bd050a7
https://hg.prosody.im/trunk/rev/aaf9c6b6d18d
- https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
- https://hg.prosody.im/trunk/rev/c98aebe601f9
- https://hg.prosody.im/trunk/rev/13b84682518e
- https://hg.prosody.im/trunk/rev/6f56170ea986
CVE-2021-32920 edited at 13 May 2021 15:14:01
References
https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption
https://hg.prosody.im/trunk/rev/55ef50d6cf65
https://hg.prosody.im/trunk/rev/5a484bd050a7
https://hg.prosody.im/trunk/rev/aaf9c6b6d18d
+ https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
+ https://hg.prosody.im/trunk/rev/c98aebe601f9
+ https://hg.prosody.im/trunk/rev/13b84682518e
+ https://hg.prosody.im/trunk/rev/6f56170ea986
CVE-2021-32920 edited at 13 May 2021 15:11:52
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A security issue was found in the Prosody.im XMPP server software before version 0.11.9. It was discovered that Prosody does not disable SSL/TLS renegotiation, even though this is not used in XMPP. A malicious client may flood a connection with renegotiation requests to consume excessive CPU resources on the server.
References
+ https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption
+ https://hg.prosody.im/trunk/rev/55ef50d6cf65
+ https://hg.prosody.im/trunk/rev/5a484bd050a7
+ https://hg.prosody.im/trunk/rev/aaf9c6b6d18d
Notes
+ Workaround
+ ==========
+
+ The issue can be mitigated by setting the following ssl option (or add to your existing one if you have one):
+
+ ssl = {
+     options = {
+         no_renegotiation = true;
+     }
+ }
CVE-2021-32920 created at 13 May 2021 14:59:33
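The workaround recorded above only shows the `options` table on its own. The following prosody.cfg.lua fragment, added here as an example and not taken from the tracker entry or from the Prosody project, shows the unmitigated configuration beside the mitigated one with the option merged into an existing global `ssl` block. The certificate and key paths are hypothetical placeholders.

```lua
-- Added example for the CVE-2021-32920 workaround (not Prosody project code).
-- Certificate/key paths are hypothetical placeholders.

-- Unmitigated on Prosody < 0.11.9: TLS renegotiation stays enabled simply
-- because nothing turns it off. Shown for contrast only; do not deploy.
-- ssl = {
--     certificate = "/etc/prosody/certs/example.com.crt";
--     key         = "/etc/prosody/certs/example.com.key";
-- }

-- Mitigated: keep the existing settings and add no_renegotiation to the
-- options table (creating the table if the block did not have one).
ssl = {
    certificate = "/etc/prosody/certs/example.com.crt";
    key         = "/etc/prosody/certs/example.com.key";
    options = {
        no_renegotiation = true;
    };
}
```

Two practical caveats: the option is passed through to LuaSec/OpenSSL, so it only takes effect if the LuaSec and OpenSSL builds on the host know the flag (assumption: the Prosody log at startup is the place to look for complaints about unknown ssl options). If individual VirtualHost sections carry their own `ssl = { ... }` blocks, add the same `options` entry there as well rather than relying on inheritance from the global block. To confirm the mitigation from outside, connect with `openssl s_client -starttls xmpp -tls1_2 -connect host:5222` and press `R`, which asks the server to renegotiate (TLS 1.2 and below only); a server with the option in effect refuses, and the fixed 0.11.9 behaves the same way without the configuration change.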