Prosody has published a security advisory stating that all Prosody versions prior to 0.11.12 are vulnerable to a remote denial of service attack if XMPP over WebSocket is enabled: Prosody XMPP server advisory 2022-01-13 (Remote Denial of Service)
Because the default Jitsi installation enables XMPP over WebSocket in Prosody (jitsi-meet/jitsi-meet.example at master · jitsi/jitsi-meet · GitHub), this seems relevant to this community.
Patches / Updates:
- jitsi-docker-image (fixed): docker-jitsi-meet/CHANGELOG.md at master · jitsi/docker-jitsi-meet · GitHub
- Debian (fixed): CVE-2022-0217
- Ubuntu (not yet fixed): CVE-2022-0217 | Ubuntu
If your distro has not patched yet, the patch attached to the advisory can be applied manually as well; citing from the advisory:
- Navigate to the directory containing the xml.lua file and apply the attached patch using patch -p2 < 1.patch.
- Now restart Prosody. There is no known-to-be-safe way to reload the util/xml.lua file without a complete Prosody restart.
Alternatively, one can install the prosody package from upstream: [How to] How do I update Prosody?
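To make the triage and the manual-patch steps above repeatable, here is an added example script (my own, not from the advisory, the Prosody project or the Jitsi project). It assumes a Debian/Ubuntu-style host where Prosody is installed as the package "prosody", that GNU sort (sort -V) is available, that the advisory's 1.patch has already been downloaded, and that Prosody runs as a systemd unit named "prosody"; the config path and the path to util/xml.lua are placeholders to adjust for your install.

```shell
#!/bin/sh
# Added example: triage helper for the Prosody remote DoS advisory (CVE-2022-0217).
# Not part of the advisory or of Jitsi; paths and unit names below are assumptions.

# Returns 0 (true) when the given upstream Prosody version is below the fixed 0.11.12.
# sort -V does a real version comparison, so 0.11.9 correctly sorts before 0.11.12.
# Caveat: distro packages backport fixes without bumping the upstream version, so a
# "vulnerable" result here means "check your distro's CVE tracker", not "definitely unpatched".
prosody_is_vulnerable() {
    ver="$1"
    lowest=$(printf '%s\n%s\n' "$ver" "0.11.12" | sort -V | head -n 1)
    [ "$lowest" = "$ver" ] && [ "$ver" != "0.11.12" ]
}

# Returns 0 (true) when the Prosody config file given as $1 enables mod_websocket.
# Lua line comments ("-- ...") are stripped first so a commented-out entry does not count.
websocket_enabled() {
    sed 's/--.*$//' "$1" | grep -Eq "[\"']websocket[\"']"
}

# Applies the advisory patch from the directory containing util/xml.lua ($1),
# but only if a dry run succeeds, so a partially applied patch is never left behind.
# $2 is the path to the downloaded 1.patch from the advisory.
apply_advisory_patch() {
    dir="$1"
    patchfile="$2"
    [ -f "$dir/util/xml.lua" ] || { echo "no util/xml.lua under $dir" >&2; return 1; }
    ( cd "$dir" && patch --dry-run -p2 < "$patchfile" >/dev/null ) || {
        echo "dry run failed; patch may already be applied or the version differs" >&2
        return 1
    }
    ( cd "$dir" && patch -p2 < "$patchfile" )
}

# End-to-end triage: $1 = prosody.cfg.lua, $2 = Prosody install dir (parent of util/),
# $3 = path to 1.patch. Only restarts Prosody when the patch was actually applied,
# because the advisory notes that util/xml.lua cannot be safely hot-reloaded.
triage() {
    cfg="$1"; installdir="$2"; patchfile="$3"
    pkgver=$(dpkg-query -W -f='${Version}' prosody 2>/dev/null || echo unknown)
    echo "installed prosody package version: $pkgver"
    if ! websocket_enabled "$cfg"; then
        echo "mod_websocket not enabled in $cfg; the DoS vector is not exposed"
        return 0
    fi
    if [ "$pkgver" != unknown ] && ! prosody_is_vulnerable "$pkgver"; then
        echo "version is 0.11.12 or newer; no manual patch needed"
        return 0
    fi
    echo "websocket enabled and version below 0.11.12: applying advisory patch"
    apply_advisory_patch "$installdir" "$patchfile" || return 1
    systemctl restart prosody   # assumption: systemd host with a "prosody" unit
}

# Usage (all three paths are placeholders for your install):
#   sh prosody-triage.sh /etc/prosody/prosody.cfg.lua /usr/lib/prosody ./1.patch
[ "$#" -eq 0 ] || triage "$@"
```

The version check is deliberately only a first filter: Debian's fix ships as a backported patch with a version string that still starts with 0.11.9, so the script's final word should always be the distro CVE tracker linked above, and the patch dry run is what tells you whether util/xml.lua still needs the upstream fix.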