Bugzilla – Bug 1092882
VUL-0: CVE-2017-18265: prosody: denial of service related to an incompatibility with certain versions of the LuaSocket library
Last modified: 2019-07-11 15:08:50 UTC
CVE-2017-18265: Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18265
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875829
http://www.debian.org/security/2018/dsa-4198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18265
https://hg.prosody.im/0.9/rev/176b7f4e4ac9
https://prosody.im/issues/issue/987
https://hg.prosody.im/0.9/rev/adfffc5b4e2a
Mathias, Michael, could you please have a look?
I can't open the link to the description... What IS this "smash.suse.de" host?
Sorry, only saw this now. Created https://bugzilla.suse.com/show_bug.cgi?id=1093088 this morning. Update to prosody 0.9.13 should solve this.
SR#606983 got accepted. Alexander, please decide whether this can be closed.
This is automated batch bugzilla cleanup. openSUSE 42.3 has changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of openSUSE (at this moment openSUSE Leap 15.1, 15.0 and Tumbleweed), please feel free to reopen this bug against that version (you must update the "Version" component in the bug fields; do not just reopen, please), or alternatively create a new ticket. Thank you for reporting this bug, and we are sorry it could not be fixed during the lifetime of the release. [1] https://en.opensuse.org/Lifetime
15.0 has 0.10.1 -> fixed