|Description||It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)|
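The description above amounts to "the XML loader left expat's DTD machinery switched on". The added example below (not Prosody's code, which uses Lua and LuaExpat; this uses Python's own expat binding to show the same parser behaviour) installs handlers that refuse a DOCTYPE, any entity declaration and any external entity reference before expansion can happen, and contrasts that with expat's defaults on a constructed two-level nested entity document.

```python
import xml.parsers.expat


class ForbiddenXmlFeature(Exception):
    """Raised when a document uses a DTD feature the caller has disallowed."""


def make_restricted_parser():
    """Return an expat parser that rejects DOCTYPEs, entity declarations and
    external entity references (CWE-776 / CWE-611) before any expansion."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXmlFeature("DOCTYPE not allowed: %s" % name)

    def reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXmlFeature("entity declaration not allowed: %s" % name)

    def reject_external_entity(context, base, sysid, pubid):
        raise ForbiddenXmlFeature("external entity not allowed: %s" % sysid)

    # Rejecting the DOCTYPE is enough on its own; the other two handlers are
    # defence in depth for a caller that chooses to tolerate a DOCTYPE.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_entity
    return parser


def parse_text(data, restricted=True):
    """Parse `data`; return (accepted, payload) where payload is the joined
    character data on success or the rejection reason otherwise.
    restricted=False uses bare expat defaults, i.e. the behaviour the
    advisory describes: internal entities are expanded recursively."""
    parser = make_restricted_parser() if restricted else xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    try:
        parser.Parse(data, True)
    except ForbiddenXmlFeature as exc:
        return (False, str(exc))
    return (True, "".join(chunks))


# Constructed sample input: a harmless stanza, and a document with a two-level
# nested internal entity (a miniature of the CWE-776 pattern, not a real bomb).
PLAIN_STANZA = b"<message><body>hello</body></message>"
NESTED_ENTITIES = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE m [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>'
                   b"<m>&b;</m>")

if __name__ == "__main__":
    print(parse_text(PLAIN_STANZA))                       # (True, 'hello')
    print(parse_text(NESTED_ENTITIES, restricted=False))  # (True, 'aaaaaaaa')
    print(parse_text(NESTED_ENTITIES))                    # (False, 'DOCTYPE not allowed: m')
```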
Vulnerable and fixed packages
The table below lists information on source packages.
|Source Package||Release||Version||Status|
|prosody (PTS)||buster, buster (security)||0.11.2-1+deb10u4||fixed|
|prosody (PTS)||bullseye (security), bullseye||0.11.9-2+deb11u2||fixed|
The information below is based on the following data on fixed versions.
[stretch] - prosody <ignored> (websocket module introduced in 0.10.0; internal XML API only used on trusted data)
Regression fix: https://hg.prosody.im/trunk/rev/e5e0ab93d7f4