[3.7] prosody: insufficient stream header validation (CVE-2018-10847)
Due to insufficient validation of client-provided parameters during XMPP stream restarts, authenticated users may override the realm associated with their session, potentially bypassing security policies and allowing impersonation.
Affected versions:
0.9.x prior to 0.9.14, 0.10.x prior to 0.10.2. All prior series affected.
Fixed in version:
0.9.14, 0.10.2
Reference:
http://openwall.com/lists/oss-security/2018/05/31/2
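The class of check the advisory describes, shown as an added Python illustration rather than Prosody's own (Lua) code or its actual patch: a session binds its realm (the `to` host) when the stream is first opened and authenticated, and a stream restart must not be allowed to rebind it. The session model, the stream header sample and the two handler functions below are constructed for this example and are assumptions about the shape of the problem, not the project's implementation.

```python
import xml.parsers.expat
from dataclasses import dataclass


@dataclass
class Session:
    """Minimal model of a client-to-server session (constructed for this example)."""
    username: str
    host: str                 # realm bound when the session authenticated
    authenticated: bool = True


def parse_stream_header(data: str) -> dict:
    """Return the attributes of an opening <stream:stream> tag.

    The tag is deliberately left unclosed, as on the wire, so a
    non-final expat parse is used instead of a full XML document parse.
    """
    attrs = {}

    def start(name, a):
        if name == "stream:stream" and not attrs:
            attrs.update(a)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.Parse(data, False)   # isfinal=False: the stream is still open
    return attrs


def restart_unchecked(session: Session, header: str) -> str:
    """Weak behaviour: trusts the 'to' attribute of every stream header.

    After authentication the client can present a different realm and the
    session silently follows it. This is the pattern the advisory describes.
    """
    attrs = parse_stream_header(header)
    session.host = attrs.get("to", session.host)
    return session.host


def restart_checked(session: Session, header: str) -> tuple:
    """Hardened behaviour: the bound realm is immutable once authenticated.

    A restart whose 'to' does not match the session's host is rejected and
    the session keeps its original realm. Returns (status, realm).
    """
    attrs = parse_stream_header(header)
    to = attrs.get("to")
    if session.authenticated and to is not None and to != session.host:
        # Constructed status name standing in for a stream error; the
        # realm is left untouched.
        return ("rejected", session.host)
    return ("ok", session.host)


# Constructed sample headers: one for the bound realm, one trying to rebind it.
HEADER_SAME = ('<stream:stream xmlns:stream="http://etherx.jabber.org/streams" '
               'to="example.org" version="1.0">')
HEADER_OTHER = ('<stream:stream xmlns:stream="http://etherx.jabber.org/streams" '
                'to="other.example" version="1.0">')


def demo() -> dict:
    """Run both handlers over the same restart and report the resulting realms."""
    weak = Session("alice", "example.org")
    strong = Session("alice", "example.org")
    return {
        "unchecked_realm": restart_unchecked(weak, HEADER_OTHER),
        "checked_result": restart_checked(strong, HEADER_OTHER),
        "checked_same_realm": restart_checked(Session("bob", "example.org"), HEADER_SAME),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the realm is a property of the authenticated identity, not of the most recent stream header, so anything the client sends after authentication is validated against the bound value rather than replacing it.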
(from redmine: issue id 9038, created on 2018-06-26, closed on 2018-07-30)
- Changesets:
- Revision 087f28e2 by Natanael Copa on 2018-07-30T08:52:37Z:
community/prosody: security upgrade to 0.10.2 (CVE-2018-10847)
fixes #9038