Prosody is vulnerable to privilege escalation. The vulnerability exists because access is open by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
www.openwall.com/lists/oss-security/2021/05/13/1
www.openwall.com/lists/oss-security/2021/05/14/2
blog.prosody.im/prosody-0.11.9-released/
lists.debian.org/debian-lts-announce/2021/06/msg00016.html
lists.fedoraproject.org/archives/list/[email protected]/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/
lists.fedoraproject.org/archives/list/[email protected]/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/
lists.fedoraproject.org/archives/list/[email protected]/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/
secdb.alpinelinux.org/edge/community.yaml
secdb.alpinelinux.org/v3.13/community.yaml
security.gentoo.org/glsa/202105-15
www.debian.org/security/2021/dsa-4916