A denial-of-service vulnerability has been reported in Prosody, a XMPP server. If compression is enabled, an attacker might send highly-compressed XML elements (attack known as zip bomb) over XMPP streams and consume all the resources of the server. The SAX XML parser lua-expat is also affected by this issues.

For the stable distribution (wheezy), this problem has been fixed in version 0.8.2-4+deb7u1 of prosody. For the unstable distribution (sid), this problem has been fixed in version 0.9.4-1 of prosody. For the stable distribution (wheezy), this problem has been fixed in version 1.2.0-5+deb7u1 of lua-expat. For the unstable distribution (sid), this problem has been fixed in version 1.3.0-1 lua-expat. We recommend that you upgrade your prosody and lua-expat packages.

Prosody IM is a simple-to-use XMPP server. It is designed to be easy to extend via plugins, and light on resources.

prosody on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2014/dsa-2895.html

---

Updated on 2015-03-25