Prosody Multiple Vulnerabilities Fixed by 0.9.9 and 0.10 build 196


Description   (#Several vulnerabilities have been identified in prosody:#- CVE-2016-1231: path traversal. A remote attacker could exploit it to read files outside of the configured public root directory. This vulnerability is located in the "mod_http_files" module#- CVE-2016-1232: weak encryption. A remote attacker in a man-in-the-middle position could exploit it to guess the private key of a server-to-server communication to intercept and modify sensitive data. This vulnerability is located in the "mod_dialback" module.##The prosody packages provided by Debian Squeeze 6 are vulnerable (CVE-2016-1232).)
     
Vulnerable Products   Vulnerable OS:
Fedora (Red Hat) - 22, 23FreeBSD (FreeBSD) - AllGNU/Linux (Debian) - 6, 7, 8
     
Solution   Following a regression, new fixed prosody packages for Debian Squeeze 6 are available in LTS section (CVE-2016-1232).
     
CVE   CVE-2016-1232
CVE-2016-1231
     
References   - prosody : Prosody security advisory 2016/01/08 - 1
https://prosody.im/security/advisory_20160108-1/
- prosody : Prosody security advisory 2016/01/08 - 2
https://prosody.im/security/advisory_20160108-2/
- DSA 3439-1 : prosody security update
https://lists.debian.org/debian-security-announce/2016/msg00007.html
- Debian Security Tracker : prosody
https://security-tracker.debian.org/tracker/CVE-2016-1232
- VuXML : prosody -- multiple vulnerabilities
http://www.vuxml.org/freebsd/842cd117-ba54-11e5-9728-002590263bf5.html
- DLA 391-1 : prosody security update
https://lists.debian.org/debian-lts-announce/2016/01/msg00015.html
- FEDORA-2016-38e48069f8 : Fedora 23 Update: prosody-0.9.9-2.fc23
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html
- FEDORA-2016-e289f41b76 : Fedora 22 Update: prosody-0.9.9-2.fc22
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html
- DLA 407-1 : prosody security update
https://lists.debian.org/debian-lts-announce/2016/01/msg00032.html
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
Misc : Directory traversal - parameter starting with ../
3.2.0
Directory traversal using ..\..
3.2.0
Directory traversal
3.2.0
Directory traversal backward root folder
3.2.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2016-01-08 

 Target Type 
Server 

 Possible exploit 
Remote