Prosody has published a security advisory: all Prosody versions prior to 0.11.12 are vulnerable to a remote denial of service attack if XMPP over WebSocket is enabled: Prosody XMPP server advisory 2022-01-13 (Remote Denial of Service)
As the default Jitsi installation enables XMPP over WebSocket in Prosody (jitsi-meet/jitsi-meet.example at master · jitsi/jitsi-meet · GitHub), this seems relevant to this community.
Patches / Updates:
- jitsi-docker-image (fixed): docker-jitsi-meet/CHANGELOG.md at master · jitsi/docker-jitsi-meet · GitHub
- Debian (fixed): CVE-2022-0217
- Ubuntu (not yet fixed): CVE-2022-0217 | Ubuntu
If your distro has not patched yet, the patch attached to the advisory can be applied manually as well; quoting the advisory:
- Locate prosody/util/xml.lua, e.g. /usr/share/lua/5.1/prosody/util/xml.lua
- Navigate to the directory containing the xml.lua file and apply the attached patch using patch -p2 < 1.patch
- Now restart Prosody. There is no known-to-be-safe way to reload the util/xml.lua file without a complete Prosody restart.
Alternatively, one can install the prosody package from upstream: [How to] How do I update Prosody?
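To make the manual steps above less error-prone, here is a small POSIX shell script I put together for this thread (it is not from the Prosody advisory or the Jitsi project). It compares the installed Prosody version against 0.11.12, locates util/xml.lua, dry-runs the advisory's patch from the directory holding xml.lua before applying it with patch -p2, and then does the full restart the advisory requires. Assumptions: the first line of prosodyctl about is "Prosody <version>", the service is managed by systemd under the name prosody, the advisory's patch is saved as 1.patch, and the two alternative xml.lua locations besides the advisory's example path are guesses.

```shell
#!/bin/sh
# Added example for this thread, not code from the Prosody advisory or from Jitsi.
# Usage: sh check-prosody-cve-2022-0217.sh --patch [path/to/1.patch]
# Without --patch the script only defines functions (safe to source).

# version_lt A B: succeed (exit 0) when dotted numeric version A sorts before B.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"          # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1                                  # equal versions: not less-than
}

# prosody_vulnerable VERSION: succeed when VERSION is older than 0.11.12, the
# fixed release in the 2022-01-13 advisory. Distro suffixes such as
# "0.11.9-2+deb11u1" are stripped before comparing.
prosody_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    version_lt "$v" "0.11.12"
}

# installed_prosody_version: assumes `prosodyctl about` prints "Prosody X.Y.Z"
# as its first line; prints nothing if prosodyctl is absent.
installed_prosody_version() {
    prosodyctl about 2>/dev/null | awk '$1 == "Prosody" { print $2; exit }'
}

# find_xml_lua: print the path of util/xml.lua. The first path is the example
# given in the advisory; the other two are assumed alternative locations.
find_xml_lua() {
    for p in /usr/share/lua/5.1/prosody/util/xml.lua \
             /usr/share/lua/5.2/prosody/util/xml.lua \
             /usr/lib/prosody/util/xml.lua; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# apply_advisory_patch XML_LUA PATCHFILE: dry-run first, then apply with -p2 from
# the directory containing xml.lua (as the advisory instructs), then restart.
apply_advisory_patch() {
    dir=$(dirname "$1")
    if ! ( cd "$dir" && patch --dry-run -p2 < "$2" ); then
        echo "patch does not apply cleanly in $dir; aborting" >&2
        return 1
    fi
    ( cd "$dir" && patch -p2 < "$2" ) || return 1
    # util/xml.lua cannot be hot-reloaded: a full restart is required.
    systemctl restart prosody
}

# check_and_patch [PATCHFILE]: report the installed version and patch if affected.
check_and_patch() {
    ver=$(installed_prosody_version)
    if [ -z "$ver" ]; then
        echo "prosodyctl not found; is Prosody installed?" >&2
        return 2
    fi
    if prosody_vulnerable "$ver"; then
        echo "Prosody $ver is older than 0.11.12: affected by CVE-2022-0217"
        xml=$(find_xml_lua) || { echo "util/xml.lua not found in known locations" >&2; return 2; }
        apply_advisory_patch "$xml" "${1:-1.patch}"
    else
        echo "Prosody $ver is 0.11.12 or newer: not affected"
    fi
}

if [ "${1:-}" = "--patch" ]; then
    check_and_patch "${2:-1.patch}"
fi
```

The version check is done in pure shell rather than with sort -V so it behaves the same on minimal images; the dry-run is there because a patch that has already been applied (or a file from a different release) will otherwise leave rejects behind in a system directory.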