--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2026-c907654c37
2026-05-10 03:16:49.655585+00:00
--------------------------------------------------------------------------------

Name        : prosody
Product     : Fedora EPEL 10.2
Version     : 13.0.5
Release     : 1.el10_2
URL         : https://prosody.im/
Summary     : Flexible communications server for Jabber/XMPP
Description :
Prosody is a flexible communications server for Jabber/XMPP written in Lua.
It aims to be easy to use, and light on resources. For developers it aims to
be easy to extend and give a flexible system on which to rapidly develop added
functionality, or prototype new protocols.

--------------------------------------------------------------------------------
Update Information:

Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.
This is a security release for the Prosody 13.0.x stable series. It fixes
multiple security issues, some memory leaks and some smaller bugs and changes
which have been implemented since the previous release. Full details about the
security vulnerabilities can be found in upstream's security advisory. Upstream
encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as
soon as possible, or to review the advisory and implement appropriate
mitigations.

A summary of changes in this release:

Security

- mod_proxy65: Consistently apply authorization checks
- mod_proxy65: Don't proxy data until after bytestream activation
- mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
- Add limit for stanza max child elements
- mod_c2s: Remove timers immediately on disconnection
- net.server_epoll: Clean up timers after disconnection

Fixes and improvements

- net.http.parser: Fix handling of chunked request
- MUC: Advertise hats feature on room JID
- moduleapi: Use multitable add/remove instead of set (fixes memory leak)
- mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
- Improve federation with servers using only IP addresses
- prosody: Prevent loading local code when installed system-wide
- mod_http_file_share: Improve handling of Range requests
- mod_carbons: Fix some carbons decision-making bugs

Minor changes

- net.resolvers: Fix to avoid SRV lookups for IP addresses
- prosody: Abort earlier on incompatible Lua version
- mod_turn_external: hand out credentials for type == turns too
- mod_s2s: Fully validate stream addressing
- prosodyctl check features: Warn if http file sharing enabled on both host
  and component
- util.prosodyctl: Don't check for mod_posix being disabled, it's deprecated
- util.startup: Improve error message when failing to load config file
- util.x509: Add support for iPAddress certs
- prosodyctl: Trim any trailing newline from password entry
- mod_admin_shell: Make cert index search path relative to config file
- mod_admin_shell: Improve multi-host command handling
- mod_admin_shell: Show help listing when specifying only a section name
- mod_admin_shell: Ensure password validity when setting passwords for
  new/existing users
- mod_account_activity: Handle authentication provider returning no user info
- config: Use default value when enum option has incorrect value
- mod_http: "Handle" streaming requests to avoid invoking redirect handler

--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 30 2026 Robert Scheck <[email protected]> 13.0.5-1
- Upgrade to 13.0.5 (#2463898)
* Thu Apr 16 2026 Tom Callaway <[email protected]> - 13.0.4-3
- rebuild
* Sun Mar 15 2026 Tom Callaway <[email protected]> - 13.0.4-2
- rebuild for lua 5.5
- apply upstream fix for configure
- make a new patch to actually support lua 5.5

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2464363 - CVE-2026-43507 Prosody: Prosody: Denial of Service via XML parsing resource amplification
        https://bugzilla.redhat.com/show_bug.cgi?id=2464363
  [ 2 ] Bug #2464412 - CVE-2026-43504 Prosody: mod_proxy65: Prosody: Unauthenticated traffic relay due to access control mishandling in mod_proxy65
        https://bugzilla.redhat.com/show_bug.cgi?id=2464412
  [ 3 ] Bug #2464452 - CVE-2026-43505 Prosody: mod_proxy65: Prosody: Unauthorized traffic relay via mod_proxy65 access control flaw
        https://bugzilla.redhat.com/show_bug.cgi?id=2464452
  [ 4 ] Bug #2464492 - CVE-2026-43506 Prosody: Prosody: Denial of Service via memory exhaustion from unauthenticated connections
        https://bugzilla.redhat.com/show_bug.cgi?id=2464492

--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs. Use
su -c 'yum update prosody' at the command line.
For more information, refer to "YUM", available at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-yum.html

All packages are signed with the Fedora EPEL GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
