openSUSE-SU-2018:1632-1: moderate: Security update for prosody

openSUSE Security Update: Security update for prosody

Announcement ID: openSUSE-SU-2018:1632-1
Rating: moderate
References: #1094890
Cross-References: CVE-2018-10847
Affected Products:
openSUSE Leap 15.0

An update that fixes one vulnerability is now available.


This update for prosody to version 0.10.2 fixes the following issues:

This security issue was fixed:

– CVE-2018-10847: Prevent insufficient validation of client-provided
parameters during XMPP stream restarts. Authenticated users may have
overridden the realm associated with their session, potentially bypassing
security policies and allowing impersonation (bsc#1094890).

These non-security issues were fixed:

– mod_websocket: Store the request object on the session for use by other
– mod_c2s: Avoid concatenating potential nil value
– core.certmanager: Allow all non-whitespace in service name
– mod_disco: Skip code specific to disco on user accounts
– mod_bosh: Store the normalized hostname on session
– MUC: Fix error logged when no persistent rooms present

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-596=1
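
To confirm that the update took effect, the installed package version can be compared against 0.10.2, the version this advisory names as fixed. The script below is an added example, not part of the original announcement; the function names and the sample version-release strings in its comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a prosody package version is at or above
# 0.10.2, the version this advisory says contains the CVE-2018-10847 fix.
# Assumption: only the upstream version is compared; the RPM release
# suffix (everything after the first "-") is ignored.
FIXED_VERSION="0.10.2"

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}             # leading field of each version
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}   # keep leading digits only
        fa=${fa:-0}; fb=${fb:-0}               # a missing field counts as 0
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# prosody_status VERSION[-RELEASE]: print "fixed" or "needs-update".
# Example input (constructed): 0.10.2-lp150.1.1
prosody_status() {
    ver=${1%%-*}                               # drop the RPM release suffix
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "needs-update"
    fi
}

# When run on a host where the package is installed, check the real version.
if command -v rpm >/dev/null 2>&1 && rpm -q prosody >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' prosody | head -n 1)
    echo "prosody $installed: $(prosody_status "$installed")"
fi
```
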

Package List:

– openSUSE Leap 15.0 (x86_64):


