Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package prosody for openSUSE:Factory checked 
in at 2021-05-15 01:23:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/prosody (Old)
 and      /work/SRC/openSUSE:Factory/.prosody.new.2988 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "prosody"

Sat May 15 01:23:48 2021 rev:23 rq:893045 version:0.11.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/prosody/prosody.changes  2021-02-16 
22:51:05.610713667 +0100
+++ /work/SRC/openSUSE:Factory/.prosody.new.2988/prosody.changes        
2021-05-15 01:23:55.343080910 +0200
@@ -1,0 +2,37 @@
+Thu May 13 18:16:14 UTC 2021 - Carsten Ziepke <[email protected]>
+
+- Update to 0.11.9:
+  Security: 
+  * mod_limits, prosody.cfg.lua: Enable rate limits by default
+  * certmanager: Disable renegotiation by default
+  * mod_proxy65: Restrict access to local c2s connections by default
+  * util.startup: Set more aggressive defaults for GC
+  * mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default 
stanza size limits
+  * mod_authinternal{plain,hashed}: Use constant-time string comparison for 
secrets
+  * mod_dialback: Remove dialback-without-dialback feature
+  * mod_dialback: Use constant-time comparison with hmac
+  Minor changes
+  * util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)
+  * mod_c2s: Don???t throw errors in async code when connections are gone
+  * mod_c2s: Fix traceback in session close when conn is nil
+  * core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
+  * mod_saslauth: Use a defined SASL error
+  * MUC: Add support for advertising muc#roomconfig_allowinvites in room 
disco#info
+  * mod_saslauth: Don???t throw errors in async code when connections are gone
+  * mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing 
pubsub feature in disco)
+  * prosodyctl check config: Add ???gc??? to list of global options
+  * prosodyctl about: Report libexpat version if known
+  * util.xmppstream: Add API to dynamically configure the stanza size limit 
for a stream
+  * util.set: Add is_set() to test if an object is a set
+  * mod_http: Skip IP resolution in non-proxied case
+  * mod_c2s: Log about missing conn on async state changes
+  * util.xmppstream: Reduce internal default xmppstream limit to 1MB
+- Relevant: https://prosody.im/security/advisory_20210512
+  * boo#1186027: Prosody XMPP server advisory 2021-05-12
+  * CVE-2021-32919
+  * CVE-2021-32917
+  * CVE-2021-32917
+  * CVE-2021-32920
+  * CVE-2021-32918
+
+-------------------------------------------------------------------

Old:
----
  prosody-0.11.8.tar.gz
  prosody-0.11.8.tar.gz.asc

New:
----
  prosody-0.11.9.tar.gz
  prosody-0.11.9.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ prosody.spec ++++++
--- /var/tmp/diff_new_pack.7ED0vW/_old  2021-05-15 01:23:55.859079097 +0200
+++ /var/tmp/diff_new_pack.7ED0vW/_new  2021-05-15 01:23:55.863079082 +0200
@@ -18,7 +18,7 @@
 
 %define _piddir /run
 Name:           prosody
-Version:        0.11.8
+Version:        0.11.9
 Release:        0
 Summary:        Communications server for Jabber/XMPP
 License:        MIT

++++++ prosody-0.11.8.tar.gz -> prosody-0.11.9.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/.hg_archival.txt 
new/prosody-0.11.9/.hg_archival.txt
--- old/prosody-0.11.8/.hg_archival.txt 2021-02-15 16:29:13.000000000 +0100
+++ new/prosody-0.11.9/.hg_archival.txt 2021-05-12 17:22:02.000000000 +0200
@@ -1,4 +1,4 @@
 repo: 3e3171b59028ee70122cfec6ecf98f518f946b59
-node: 774811e2c6abfc5a1b1dd60007cf564bb7c1f969
+node: d0e9ffccdef934af554ea2d4a5beb9a52e9e951d
 branch: 0.11
-tag: 0.11.8
+tag: 0.11.9
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/core/certmanager.lua 
new/prosody-0.11.9/core/certmanager.lua
--- old/prosody-0.11.8/core/certmanager.lua     2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/core/certmanager.lua     2021-05-12 17:22:02.000000000 
+0200
@@ -36,9 +36,13 @@
 local resolve_path = require"util.paths".resolve_relative_path;
 local config_path = prosody.paths.config or ".";
 
+local function test_option(option)
+       return not not 
ssl_newcontext({mode="server",protocol="sslv23",options={ option }});
+end
+
 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
-local luasec_has = softreq"ssl.config" or {
+local luasec_has = ssl.config or softreq"ssl.config" or {
        algorithms = {
                ec = luasec_version >= 5;
        };
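Review bot: `test_option`, added at the top of this hunk, has no comment, and its `not not` turns every failure of `ssl_newcontext` into `false`, so a probe that fails for an unrelated reason cannot be told apart from an unsupported option. I would document that above the function, e.g. `-- Probe whether this LuaSec/OpenSSL build accepts a TLS option by creating a throwaway server context; any failure counts as "unsupported"`. It is also worth a line noting that, because of `ssl.config or softreq"ssl.config" or { ... }`, the probes in the fallback table are only evaluated when LuaSec does not provide ssl.config. The fallback table continues past the end of this hunk.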
@@ -46,11 +50,12 @@
                curves_list = luasec_version >= 7;
        };
        options = {
-               cipher_server_preference = luasec_version >= 2;
-               no_ticket = luasec_version >= 4;
-               no_compression = luasec_version >= 5;
-               single_dh_use = luasec_version >= 2;
-               single_ecdh_use = luasec_version >= 2;
+               cipher_server_preference = 
test_option("cipher_server_preference");
+               no_ticket = test_option("no_ticket");
+               no_compression = test_option("no_compression");
+               single_dh_use = test_option("single_dh_use");
+               single_ecdh_use = test_option("single_ecdh_use");
+               no_renegotiation = test_option("no_renegotiation");
        };
 };
 
@@ -115,6 +120,7 @@
                no_compression = luasec_has.options.no_compression and 
configmanager.get("*", "ssl_compression") ~= true;
                single_dh_use = luasec_has.options.single_dh_use;
                single_ecdh_use = luasec_has.options.single_ecdh_use;
+               no_renegotiation = luasec_has.options.no_renegotiation;
        };
        verifyext = { "lsec_continue", "lsec_ignore_purpose" };
        curve = luasec_has.algorithms.ec and not 
luasec_has.capabilities.curves_list and "secp384r1";
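Review bot: `no_renegotiation` on the added line is taken straight from `luasec_has.options.no_renegotiation`, so on a LuaSec/OpenSSL build that does not report the option the renegotiation hardening is skipped without any trace in the logs. The changelog lists this as a security default, so a one-time startup message when the capability is missing would let operators see that the setting is not in effect, for example `if not luasec_has.options.no_renegotiation then log("warn", "TLS renegotiation cannot be disabled with this LuaSec/OpenSSL version"); end` next to the capability table. Whether a `log` function is in scope there cannot be seen from this hunk. The enclosing defaults table starts and ends outside the hunk.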
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_auth_internal_hashed.lua 
new/prosody-0.11.9/plugins/mod_auth_internal_hashed.lua
--- old/prosody-0.11.8/plugins/mod_auth_internal_hashed.lua     2021-02-15 
16:29:13.000000000 +0100
+++ new/prosody-0.11.9/plugins/mod_auth_internal_hashed.lua     2021-05-12 
17:22:02.000000000 +0200
@@ -16,6 +16,7 @@
 local hex = require"util.hex";
 local to_hex, from_hex = hex.to, hex.from;
 local saslprep = require "util.encodings".stringprep.saslprep;
+local secure_equals = require "util.hashes".equals;
 
 local log = module._log;
 local host = module.host;
@@ -39,7 +40,7 @@
        end
 
        if credentials.password ~= nil and string.len(credentials.password) ~= 
0 then
-               if saslprep(credentials.password) ~= password then
+               if not secure_equals(saslprep(credentials.password), password) 
then
                        return nil, "Auth failed. Provided password is 
incorrect.";
                end
 
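Review bot: `secure_equals` is not a drop-in replacement for `~=` on the changed line: the binding added in util-src/hashes.c reads both arguments with `luaL_checklstring`, which raises a Lua error for nil or a table, where the old comparison simply evaluated to "not equal". mod_auth_internal_plain.lua in this same diff returns "Password fails SASLprep." when `saslprep` yields a falsy result, so a stored password that does not survive SASLprep would presumably turn a failed login into a traceback here. I would guard the call, e.g. `local stored = saslprep(credentials.password); if not stored or not secure_equals(stored, password) then`. The same applies to `credentials.stored_key` and `credentials.server_key` in the next hunk of this file, to `saslprep(credentials.password)` in mod_auth_internal_plain.lua, and to `key` in `verify_dialback` in mod_dialback.lua. The enclosing function starts and ends outside this hunk.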
@@ -59,7 +60,7 @@
        local stored_key_hex = to_hex(stored_key);
        local server_key_hex = to_hex(server_key);
 
-       if valid and stored_key_hex == credentials.stored_key and 
server_key_hex == credentials.server_key then
+       if valid and secure_equals(stored_key_hex, credentials.stored_key) and 
secure_equals(server_key_hex, credentials.server_key) then
                return true;
        else
                return nil, "Auth failed. Invalid username, password, or 
password hash information.";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_auth_internal_plain.lua 
new/prosody-0.11.9/plugins/mod_auth_internal_plain.lua
--- old/prosody-0.11.8/plugins/mod_auth_internal_plain.lua      2021-02-15 
16:29:13.000000000 +0100
+++ new/prosody-0.11.9/plugins/mod_auth_internal_plain.lua      2021-05-12 
17:22:02.000000000 +0200
@@ -9,6 +9,7 @@
 local usermanager = require "core.usermanager";
 local new_sasl = require "util.sasl".new;
 local saslprep = require "util.encodings".stringprep.saslprep;
+local secure_equals = require "util.hashes".equals;
 
 local log = module._log;
 local host = module.host;
@@ -26,7 +27,7 @@
                return nil, "Password fails SASLprep.";
        end
 
-       if password == saslprep(credentials.password) then
+       if secure_equals(password, saslprep(credentials.password)) then
                return true;
        else
                return nil, "Auth failed. Invalid username or password.";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_bosh.lua 
new/prosody-0.11.9/plugins/mod_bosh.lua
--- old/prosody-0.11.8/plugins/mod_bosh.lua     2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/plugins/mod_bosh.lua     2021-05-12 17:22:02.000000000 
+0200
@@ -45,6 +45,7 @@
 
 local consider_bosh_secure = module:get_option_boolean("consider_bosh_secure");
 local cross_domain = module:get_option("cross_domain_bosh", false);
+local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 
1024*256);
 
 if cross_domain == true then cross_domain = "*"; end
 if type(cross_domain) == "table" then cross_domain = 
table.concat(cross_domain, ", "); end
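Review bot: The default `1024*256` for `c2s_stanza_size_limit` is written out here and again in mod_c2s.lua and mod_websocket.lua in this diff, so the three client-facing transports only share a limit as long as every literal is edited together. A short comment on the added line would make that dependency visible, e.g. `-- 256 KiB; keep in sync with the c2s_stanza_size_limit default in mod_c2s and mod_websocket`. In mod_websocket.lua the default of `websocket_frame_buffer_limit` is derived as `2 * stanza_size_limit`, so it shrinks with this value as well and deserves the same mention there.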
@@ -115,7 +116,7 @@
        local body = request.body;
 
        local context = { request = request, response = response, notopen = 
true };
-       local stream = new_xmpp_stream(context, stream_callbacks);
+       local stream = new_xmpp_stream(context, stream_callbacks, 
stanza_size_limit);
        response.context = context;
 
        local headers = response.headers;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_c2s.lua 
new/prosody-0.11.9/plugins/mod_c2s.lua
--- old/prosody-0.11.8/plugins/mod_c2s.lua      2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/plugins/mod_c2s.lua      2021-05-12 17:22:02.000000000 
+0200
@@ -26,7 +26,7 @@
 local c2s_timeout = module:get_option_number("c2s_timeout", 300);
 local stream_close_timeout = module:get_option_number("c2s_close_timeout", 5);
 local opt_keepalives = module:get_option_boolean("c2s_tcp_keepalives", 
module:get_option_boolean("tcp_keepalives", true));
-local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit"); 
-- TODO come up with a sensible default (util.xmppstream defaults to 10M)
+local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 
1024*256);
 
 local measure_connections = module:measure("connections", "amount");
 local measure_ipv6 = module:measure("ipv6", "amount");
@@ -190,12 +190,12 @@
                                if not session.destroyed then
                                        session.log("warn", "Failed to receive 
a stream close response, closing connection anyway...");
                                        sm_destroy_session(session, 
reason_text);
-                                       conn:close();
+                                       if conn then conn:close(); end
                                end
                        end);
                else
                        sm_destroy_session(session, reason_text);
-                       conn:close();
+                       if conn then conn:close(); end
                end
        else
                local reason_text = (reason and (reason.name or reason.text or 
reason.condition)) or reason;
@@ -226,11 +226,19 @@
 end, 200);
 
 function runner_callbacks:ready()
-       self.data.conn:resume();
+       if self.data.conn then
+               self.data.conn:resume();
+       else
+               (self.data.log or log)("debug", "Session has no connection to 
resume");
+       end
 end
 
 function runner_callbacks:waiting()
-       self.data.conn:pause();
+       if self.data.conn then
+               self.data.conn:pause();
+       else
+               (self.data.log or log)("debug", "Session has no connection to 
pause while waiting");
+       end
 end
 
 function runner_callbacks:error(err)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_component.lua 
new/prosody-0.11.9/plugins/mod_component.lua
--- old/prosody-0.11.8/plugins/mod_component.lua        2021-02-15 
16:29:13.000000000 +0100
+++ new/prosody-0.11.9/plugins/mod_component.lua        2021-05-12 
17:22:02.000000000 +0200
@@ -27,6 +27,7 @@
 local log = module._log;
 
 local opt_keepalives = module:get_option_boolean("component_tcp_keepalives", 
module:get_option_boolean("tcp_keepalives", true));
+local stanza_size_limit = 
module:get_option_number("component_stanza_size_limit", 
module:get_option_number("s2s_stanza_size_limit", 1024*512));
 
 local sessions = module:shared("sessions");
 
@@ -297,7 +298,7 @@
 
        session.log("info", "Incoming Jabber component connection");
 
-       local stream = new_xmpp_stream(session, stream_callbacks);
+       local stream = new_xmpp_stream(session, stream_callbacks, 
stanza_size_limit);
        session.stream = stream;
 
        session.notopen = true;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_dialback.lua 
new/prosody-0.11.9/plugins/mod_dialback.lua
--- old/prosody-0.11.8/plugins/mod_dialback.lua 2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/plugins/mod_dialback.lua 2021-05-12 17:22:02.000000000 
+0200
@@ -13,6 +13,7 @@
 local st = require "util.stanza";
 local sha256_hash = require "util.hashes".sha256;
 local sha256_hmac = require "util.hashes".hmac_sha256;
+local secure_equals = require "util.hashes".equals;
 local nameprep = require "util.encodings".stringprep.nameprep;
 local uuid_gen = require"util.uuid".generate;
 
@@ -21,20 +22,6 @@
 local dialback_requests = setmetatable({}, { __mode = 'v' });
 
 local dialback_secret = 
sha256_hash(module:get_option_string("dialback_secret", uuid_gen()), true);
-local dwd = module:get_option_boolean("dialback_without_dialback", false);
-
---- Helper to check that a session peer's certificate is valid
-function check_cert_status(session)
-       local host = session.direction == "outgoing" and session.to_host or 
session.from_host
-       local conn = session.conn:socket()
-       local cert
-       if conn.getpeercertificate then
-               cert = conn:getpeercertificate()
-       end
-
-       return module:fire_event("s2s-check-certificate", { host = host, 
session = session, cert = cert });
-end
-
 
 function module.save()
        return { dialback_secret = dialback_secret };
@@ -56,7 +43,7 @@
 end
 
 function verify_dialback(id, to, from, key)
-       return key == generate_dialback(id, to, from);
+       return secure_equals(key, generate_dialback(id, to, from));
 end
 
 module:hook("stanza/jabber:server:dialback:verify", function(event)
@@ -104,15 +91,6 @@
                        origin:close("improper-addressing");
                end
 
-               if dwd and origin.secure then
-                       if check_cert_status(origin, from) == false then
-                               return
-                       elseif origin.cert_chain_status == "valid" and 
origin.cert_identity_status == "valid" then
-                               origin.sends2s(st.stanza("db:result", { to = 
from, from = to, id = attr.id, type = "valid" }));
-                               module:fire_event("s2s-authenticated", { 
session = origin, host = from });
-                               return true;
-                       end
-               end
 
                origin.hosts[from] = { dialback_key = stanza[1] };
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_http.lua 
new/prosody-0.11.9/plugins/mod_http.lua
--- old/prosody-0.11.8/plugins/mod_http.lua     2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/plugins/mod_http.lua     2021-05-12 17:22:02.000000000 
+0200
@@ -161,7 +161,7 @@
 local function get_ip_from_request(request)
        local ip = request.conn:ip();
        local forwarded_for = request.headers.x_forwarded_for;
-       if forwarded_for then
+       if forwarded_for and trusted_proxies[ip] then
                forwarded_for = forwarded_for..", "..ip;
                for forwarded_ip in forwarded_for:gmatch("[^%s,]+") do
                        if not trusted_proxies[forwarded_ip] then
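Review bot: The new condition `forwarded_for and trusted_proxies[ip]` is the trust decision for `X-Forwarded-For`, and nothing in the function says so. I would add a comment above it such as `-- Only honour X-Forwarded-For when the direct peer is a configured trusted proxy; otherwise the header is client-controlled`. The lookup is an exact table-key match on the string returned by `request.conn:ip()`, so if that string can differ in form from the configured entries (for instance an IPv4-mapped IPv6 address) a legitimate proxy would presumably be ignored; that is worth confirming against how `trusted_proxies` is built, which is outside this hunk. The function body continues past the end of the hunk.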
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_limits.lua 
new/prosody-0.11.9/plugins/mod_limits.lua
--- old/prosody-0.11.8/plugins/mod_limits.lua   2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/plugins/mod_limits.lua   2021-05-12 17:22:02.000000000 
+0200
@@ -31,7 +31,7 @@
                burst = burst:match("^(%d+) ?s$");
        end
        local n_burst = tonumber(burst);
-       if not n_burst then
+       if burst and not n_burst then
                module:log("error", "Unable to parse burst for %s: %q, using 
default burst interval (%ds)", sess_type, tostring(burst), default_burst);
        end
        return n_burst or default_burst;
@@ -39,7 +39,16 @@
 
 -- Process config option into limits table:
 -- limits = { c2s = { bytes_per_second = X, burst_seconds = Y } }
-local limits = {};
+local limits = {
+       c2s = {
+               bytes_per_second = 10 * 1024;
+               burst_seconds = 2;
+       };
+       s2sin = {
+               bytes_per_second = 30 * 1024;
+               burst_seconds = 2;
+       };
+};
 
 for sess_type, sess_limits in pairs(limits_cfg) do
        limits[sess_type] = {
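Review bot: The comment above `local limits` still describes only the shape of the table, while the table now carries built-in rates (10 KiB/s for c2s, 30 KiB/s for s2sin, 2 s burst) that stay in force for every session type the `limits` option does not mention. That is a behaviour change for a deployment that already loads mod_limits with a partial or empty `limits` setting, so it should be stated in the comment, e.g. `-- Built-in defaults; an entry in the "limits" option replaces the default for that session type only`. The same rates are spelled `"10kb/s"` and `"30kb/s"` in prosody.cfg.lua.dist in this diff, so a note that the two places must agree would help. The loop that merges the configuration continues outside the hunk.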
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_proxy65.lua 
new/prosody-0.11.9/plugins/mod_proxy65.lua
--- old/prosody-0.11.8/plugins/mod_proxy65.lua  2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/plugins/mod_proxy65.lua  2021-05-12 17:22:02.000000000 
+0200
@@ -94,6 +94,7 @@
 
        local proxy_address = module:get_option_string("proxy65_address", host);
        local proxy_acl = module:get_option_array("proxy65_acl");
+       local proxy_open_access = 
module:get_option_boolean("proxy65_open_access", false);
 
        -- COMPAT w/pre-0.9 where proxy65_port was specified in the components 
section of the config
        local legacy_config = module:get_option_number("proxy65_port");
@@ -110,13 +111,20 @@
 
                -- check ACL
                -- using 'while' instead of 'if' so we can break out of it
-               while proxy_acl and #proxy_acl > 0 do --luacheck: ignore 512
+               local allow;
+               if proxy_acl and #proxy_acl > 0 then
                        local jid = stanza.attr.from;
-                       local allow;
                        for _, acl in ipairs(proxy_acl) do
-                               if jid_compare(jid, acl) then allow = true; 
break; end
+                               if jid_compare(jid, acl) then
+                                       allow = true;
+                                       break;
+                               end
                        end
-                       if allow then break; end
+               elseif proxy_open_access or origin.type == "c2s" then
+                       allow = true;
+               end
+
+               if not allow then
                        module:log("warn", "Denying use of proxy for %s", 
tostring(stanza.attr.from));
                        origin.send(st.error_reply(stanza, "auth", 
"forbidden"));
                        return true;
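Review bot: The context comment `-- using 'while' instead of 'if' so we can break out of it` is stale now that the `while` has been replaced by an `if`/`elseif`, and it sits directly above the new access decision. I would replace it with a description of the policy, e.g. `-- A non-empty proxy65_acl is authoritative; without one only local c2s sessions may use the proxy unless proxy65_open_access is set`. With a non-empty ACL, `proxy65_open_access` is never consulted because of the `elseif`; if that is intended it belongs in the comment too. The handler starts and ends outside this hunk.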
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_s2s/mod_s2s.lua 
new/prosody-0.11.9/plugins/mod_s2s/mod_s2s.lua
--- old/prosody-0.11.8/plugins/mod_s2s/mod_s2s.lua      2021-02-15 
16:29:13.000000000 +0100
+++ new/prosody-0.11.9/plugins/mod_s2s/mod_s2s.lua      2021-05-12 
17:22:02.000000000 +0200
@@ -37,7 +37,7 @@
 local secure_domains, insecure_domains =
        module:get_option_set("s2s_secure_domains", {})._items, 
module:get_option_set("s2s_insecure_domains", {})._items;
 local require_encryption = module:get_option_boolean("s2s_require_encryption", 
false);
-local stanza_size_limit = module:get_option_number("s2s_stanza_size_limit"); 
-- TODO come up with a sensible default (util.xmppstream defaults to 10M)
+local stanza_size_limit = module:get_option_number("s2s_stanza_size_limit", 
1024*512);
 
 local measure_connections = module:measure("connections", "amount");
 local measure_ipv6 = module:measure("ipv6", "amount");
@@ -276,7 +276,7 @@
 end
 
 --- Helper to check that a session peer's certificate is valid
-function check_cert_status(session)
+local function check_cert_status(session)
        local host = session.direction == "outgoing" and session.to_host or 
session.from_host
        local conn = session.conn:socket()
        local cert
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_saslauth.lua 
new/prosody-0.11.9/plugins/mod_saslauth.lua
--- old/prosody-0.11.8/plugins/mod_saslauth.lua 2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/plugins/mod_saslauth.lua 2021-05-12 17:22:02.000000000 
+0200
@@ -44,6 +44,9 @@
 end
 
 local function handle_status(session, status, ret, err_msg)
+       if not session.sasl_handler then
+               return "failure", "temporary-auth-failure", "Connection gone";
+       end
        if status == "failure" then
                module:fire_event("authentication-failure", { session = 
session, condition = ret, text = err_msg });
                session.sasl_handler = session.sasl_handler:clean_clone();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/mod_websocket.lua 
new/prosody-0.11.9/plugins/mod_websocket.lua
--- old/prosody-0.11.8/plugins/mod_websocket.lua        2021-02-15 
16:29:13.000000000 +0100
+++ new/prosody-0.11.9/plugins/mod_websocket.lua        2021-05-12 
17:22:02.000000000 +0200
@@ -28,7 +28,7 @@
 
 local t_concat = table.concat;
 
-local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 10 
* 1024 * 1024);
+local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 
1024 * 256);
 local frame_buffer_limit = 
module:get_option_number("websocket_frame_buffer_limit", 2 * stanza_size_limit);
 local frame_fragment_limit = 
module:get_option_number("websocket_frame_fragment_limit", 8);
 local stream_close_timeout = module:get_option_number("c2s_close_timeout", 5);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/plugins/muc/members_only.lib.lua 
new/prosody-0.11.9/plugins/muc/members_only.lib.lua
--- old/prosody-0.11.8/plugins/muc/members_only.lib.lua 2021-02-15 
16:29:13.000000000 +0100
+++ new/prosody-0.11.9/plugins/muc/members_only.lib.lua 2021-05-12 
17:22:02.000000000 +0200
@@ -61,12 +61,20 @@
 end
 
 module:hook("muc-disco#info", function(event)
-       event.reply:tag("feature", {var = get_members_only(event.room) and 
"muc_membersonly" or "muc_open"}):up();
+       local members_only_room = not not get_members_only(event.room);
+       local members_can_invite = not not get_allow_member_invites(event.room);
+       event.reply:tag("feature", {var = members_only_room and 
"muc_membersonly" or "muc_open"}):up();
        table.insert(event.form, {
                name = 
"{http://prosody.im/protocol/muc}roomconfig_allowmemberinvites";;
                label = "Allow members to invite new members";
                type = "boolean";
-               value = not not get_allow_member_invites(event.room);
+               value = members_can_invite;
+       });
+       table.insert(event.form, {
+               name = "muc#roomconfig_allowinvites";
+               label = "Allow users to invite other users";
+               type = "boolean";
+               value = not members_only_room or members_can_invite;
        });
 end);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/prosody.cfg.lua.dist 
new/prosody-0.11.9/prosody.cfg.lua.dist
--- old/prosody-0.11.8/prosody.cfg.lua.dist     2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/prosody.cfg.lua.dist     2021-05-12 17:22:02.000000000 
+0200
@@ -51,6 +51,7 @@
                "blocklist"; -- Allow users to block communications with other 
users
                "vcard4"; -- User profiles (stored in PEP)
                "vcard_legacy"; -- Conversion between legacy vCard and PEP 
Avatar, vcard
+               "limits"; -- Enable bandwidth limiting for XMPP connections
 
        -- Nice to have
                "version"; -- Replies to server version requests
@@ -71,7 +72,6 @@
                --"http_files"; -- Serve static files from a directory over HTTP
 
        -- Other specific functionality
-               --"limits"; -- Enable bandwidth limiting for XMPP connections
                --"groups"; -- Shared roster support
                --"server_contact_info"; -- Publish contact information for 
this service
                --"announce"; -- Send announcement to all online users
@@ -121,6 +121,17 @@
 
 --s2s_secure_domains = { "jabber.org" }
 
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
 -- Select the authentication backend to use. The 'internal' providers
 -- use Prosody's configured data storage to store the authentication data.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/prosody.release 
new/prosody-0.11.9/prosody.release
--- old/prosody-0.11.8/prosody.release  2021-02-15 18:23:35.000000000 +0100
+++ new/prosody-0.11.9/prosody.release  2021-05-12 18:52:16.000000000 +0200
@@ -1 +1 @@
-0.11.8
+0.11.9
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/prosodyctl 
new/prosody-0.11.9/prosodyctl
--- old/prosody-0.11.8/prosodyctl       2021-02-15 16:29:13.000000000 +0100
+++ new/prosody-0.11.9/prosodyctl       2021-05-12 17:22:02.000000000 +0200
@@ -413,7 +413,8 @@
        print("");
        print("# Lua module versions");
        local module_versions, longest_name = {}, 8;
-       local luaevent =dependencies.softreq"luaevent";
+       local luaevent = dependencies.softreq"luaevent";
+       local lxp = dependencies.softreq"lxp";
        dependencies.softreq"ssl";
        dependencies.softreq"DBI";
        for name, module in pairs(package.loaded) do
@@ -428,6 +429,9 @@
        if luaevent then
                module_versions["libevent"] = luaevent.core.libevent_version();
        end
+       if lxp then
+               module_versions["libexpat"] = lxp._EXPAT_VERSION;
+       end
        local sorted_keys = array.collect(keys(module_versions)):sort();
        for _, name in ipairs(sorted_keys) do
                print(name..":"..string.rep(" ", longest_name-#name), 
module_versions[name]);
@@ -837,7 +841,7 @@
                local known_global_options = set.new({
                        "pidfile", "log", "plugin_paths", "prosody_user", 
"prosody_group", "daemonize",
                        "umask", "prosodyctl_timeout", "use_ipv6", 
"use_libevent", "network_settings",
-                       "network_backend", "http_default_host",
+                       "network_backend", "http_default_host", "gc",
                        "statistics_interval", "statistics", 
"statistics_config",
                });
                local config = configmanager.getconfig();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/util/set.lua 
new/prosody-0.11.9/util/set.lua
--- old/prosody-0.11.8/util/set.lua     2021-02-15 16:29:13.000000000 +0100
+++ new/prosody-0.11.9/util/set.lua     2021-05-12 17:22:02.000000000 +0200
@@ -6,8 +6,8 @@
 -- COPYING file in the source package for more information.
 --
 
-local ipairs, pairs, setmetatable, next, tostring =
-      ipairs, pairs, setmetatable, next, tostring;
+local ipairs, pairs, getmetatable, setmetatable, next, tostring =
+      ipairs, pairs, getmetatable, setmetatable, next, tostring;
 local t_concat = table.concat;
 
 local _ENV = nil;
@@ -31,6 +31,11 @@
        return a;
 end
 
+local function is_set(o)
+       local mt = getmetatable(o);
+       return mt == set_mt;
+end
+
 local function new(list)
        local items = setmetatable({}, items_mt);
        local set = { _items = items };
@@ -171,6 +176,7 @@
 
 return {
        new = new;
+       is_set = is_set;
        union = union;
        difference = difference;
        intersection = intersection;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/util/startup.lua 
new/prosody-0.11.9/util/startup.lua
--- old/prosody-0.11.8/util/startup.lua 2021-02-15 16:29:13.000000000 +0100
+++ new/prosody-0.11.9/util/startup.lua 2021-05-12 17:22:02.000000000 +0200
@@ -12,7 +12,13 @@
 
 local original_logging_config;
 
-local default_gc_params = { mode = "incremental", threshold = 105, speed = 250 
};
+local default_gc_params = {
+       mode = "incremental";
+       -- Incremental mode defaults
+       threshold = 105, speed = 500;
+       -- Generational mode defaults
+       minor_threshold = 20, major_threshold = 50;
+};
 
 local short_params = { D = "daemonize", F = "no-daemonize" };
 local value_params = { config = true };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/util/xmppstream.lua 
new/prosody-0.11.9/util/xmppstream.lua
--- old/prosody-0.11.8/util/xmppstream.lua      2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/util/xmppstream.lua      2021-05-12 17:22:02.000000000 
+0200
@@ -22,7 +22,7 @@
 local lxp_supports_xmldecl = pcall(lxp.new, { XmlDecl = false });
 local lxp_supports_bytecount = not not lxp.new({}).getcurrentbytecount;
 
-local default_stanza_size_limit = 1024*1024*10; -- 10MB
+local default_stanza_size_limit = 1024*1024*1; -- 1MB
 
 local _ENV = nil;
 -- luacheck: std none
@@ -188,6 +188,9 @@
                                stanza = t_remove(stack);
                        end
                else
+                       if lxp_supports_bytecount then
+                               cb_handleprogress(stanza_size);
+                       end
                        if cb_streamclosed then
                                cb_streamclosed(session);
                        end
@@ -290,6 +293,9 @@
                        return ok, err;
                end,
                set_session = meta.set_session;
+               set_stanza_size_limit = function (_, new_stanza_size_limit)
+                       stanza_size_limit = new_stanza_size_limit;
+               end;
        };
 end
 
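Review bot: `set_stanza_size_limit` stores whatever it is given, so a caller passing nil or a non-number would leave the stream without a usable limit; the size check that reads `stanza_size_limit` is outside this hunk, so the exact failure mode cannot be confirmed from here. A defensive form keeps the module default, `stanza_size_limit = new_stanza_size_limit or default_stanza_size_limit;`. A comment should also state that the value is in bytes and, presumably, that it affects only the stream object it is called on.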
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/prosody-0.11.8/util-src/hashes.c 
new/prosody-0.11.9/util-src/hashes.c
--- old/prosody-0.11.8/util-src/hashes.c        2021-02-15 16:29:13.000000000 
+0100
+++ new/prosody-0.11.9/util-src/hashes.c        2021-05-12 17:22:02.000000000 
+0200
@@ -23,6 +23,7 @@
 
 #include "lua.h"
 #include "lauxlib.h"
+#include <openssl/crypto.h>
 #include <openssl/sha.h>
 #include <openssl/md5.h>
 #include <openssl/hmac.h>
@@ -189,6 +190,18 @@
        return 1;
 }
 
+static int Lhash_equals(lua_State *L) {
+       size_t len1, len2;
+       const char *s1 = luaL_checklstring(L, 1, &len1);
+       const char *s2 = luaL_checklstring(L, 2, &len2);
+       if(len1 == len2) {
+               lua_pushboolean(L, CRYPTO_memcmp(s1, s2, len1) == 0);
+       } else {
+               lua_pushboolean(L, 0);
+       }
+       return 1;
+}
+
 static const luaL_Reg Reg[] = {
        { "sha1",               Lsha1           },
        { "sha224",             Lsha224         },
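Review bot: `Lhash_equals` has no comment describing what it does and does not guarantee: only the `CRYPTO_memcmp` over equal-length inputs is constant-time, while the `len1 == len2` branch returns early and so does not hide the length of the secret. That is harmless for fixed-length hex digests and HMACs, but mod_auth_internal_plain.lua in this diff also passes passwords through it, so the limitation should be written down above the function, e.g. `/* Constant-time content comparison; lengths are compared first and are not hidden. Raises a Lua error if either argument is not a string. */`.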
@@ -201,6 +214,7 @@
        { "hmac_sha512",        Lhmac_sha512    },
        { "hmac_md5",           Lhmac_md5       },
        { "scram_Hi_sha1",      LscramHi        },
+       { "equals",             Lhash_equals    },
        { NULL,                 NULL            }
 };
 
