Today a serious security vulnerability in the popular encryption
library OpenSSL was publicly announced. This issue affects all
software using OpenSSL, including Prosody.

The bug allows external attackers to read the memory of any process
using OpenSSL, by connecting to it and sending specially crafted
packets. In Prosody's case this puts at risk lots of data, including
(but not limited to) passwords, messages, and your certificate's key
file used to protect SSL/TLS traffic.

Our advice is to upgrade OpenSSL immediately, Debian, Ubuntu and many
other distributions already have fixes available. On Debian/Ubuntu

  sudo apt-get update
  sudo apt-get upgrade
  sudo service prosody restart

Don't forget to restart any other services you have as well that use
OpenSSL, such as your web server or mail server. Alternatively you may
simply reboot to ensure all services are restarted.

More generic information on the issue can be found at

I'll try and finish off with some good news:

  - if your client used the more advanced SCRAM-SHA-1 mechanism to
authenticate to Prosody and you use hashed password storage, your
password is probably safe (it would take considerable targeted effort
to recover)

  - if you used OTR or some other end-to-end encryption mechanism with
your contacts, your message contents are probably safe

  - if you used TLS ciphers with forward secrecy then generally your
encrypted traffic could not easily be decrypted even if your
certificate's key file was compromised (though individual connections
active around the time of an attack could still be compromised)

  - the flaw in OpenSSL has existed for around two years, but we
cannot know for sure that it has actually been exploited by anyone

Further reading:
  Information and FAQ:
  OpenSSL advisory:
  Debian advisory:
  Ubuntu advisory:

You received this message because you are subscribed to the Google Groups 
"prosody-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
Visit this group at
For more options, visit

Reply via email to