Debian prosody package update from DSA 4916-1 breaks Jitsi

Hi,

We encountered a really strange issue today. Whenever
many participants (many = more than 20) joined a conference
it kept crashing with “Something went wrong” for all participants.

We got the crash on a Debian system with jitsi-meet package version 2.0.5390-3 and also
on another system with 2.0.5870-1. Both systems worked without problems before, but what
had changed? Nightly security updates by unattended-upgrades!

/var/log/unattended-upgrades/unattended-upgrades-dpkg.log:
Log started: 2021-05-18 06:45:50
Preparing to unpack …/prosody_0.11.2-1+deb10u1_amd64.deb …
Unpacking prosody (0.11.2-1+deb10u1) over (0.11.2-1) …
Setting up prosody (0.11.2-1+deb10u1) …
Installing new version of config file /etc/prosody/prosody.cfg.lua …

So I downgraded prosody to the old version and the problem has gone away.

There are many security changes in prosody 0.11.9 that were backported
to 0.11.2, including also rate limiting for client connections in
/etc/prosody/prosody.cfg.lua.

Would be nice if a Jitsi developer could inspect the changes
from 0.11.2-1 to 0.11.2-1+deb10u1. Maybe it is not only the rate
limit that is problematic, there are also changes in mod_bosh
with a new option c2s_stanza_size_limit.

I suspect it's just the rate limiting. Jicofo uses a single connection to the XMPP server to communicate for all participants, so I guess that is being limited and causes the problem. If you bump the c2s rate to 512kb/s, that should be fine. In a newer version of mod_limits there is an option to whitelist jicofo, but that is still just in trunk.

I have this very same problem.
How can I downgrade only prosody?
Or change this c2s module? In my /etc/prosody/prosody.cfg.lua this module is not active.
Can someone help me out here? Please?
Thank you.

What version of prosody are you running?

I have another server with version 0.11.2-1 that works very well. This new version is a new server.

I made a clean install and it installed prosody 0.11.2-1+deb10u1.
I tried to sudo apt --purge remove prosody and sudo apt install prosody=0.11.2-1.
But it keeps reconnecting.
Looks like a dead end. :(

I don’t believe 0.11.2 has mod_limits. Can you check to verify? If it doesn’t, this is likely not the issue you’re having.

It doesn’t have it, as far as I can tell.
Would it be possible to install a fixed version of jitsi-meet that would bring the previous version of prosody?

The Prosody version is independent of Jitsi, really. So long as you’re on version 0.11+ of Prosody, you’re fine. If you ensure the version of Prosody you want to work with before you install Jitsi, you’re good to go.

So if I already have prosody installed, apt install jitsi-meet won’t overwrite it?

Noooo, Jitsi doesn’t overwrite your prosody installation. If it’s not installed already, it installs the current version on your kernel for you; but if it’s installed, it just goes on to do its own thing.

Alright!
I’ll try this way.
Thanks @Freddie

The installation worked.
Now I’ll stress it out.
Thanks again @Freddie

Glad to hear!

sed -i "/rate *=.*kb.s/  s/[0-9]*kb/512kb/" /etc/prosody/prosody.cfg.lua
systemctl reload prosody.service
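
Added example, not part of the original thread: a read-only check that lists the active rate settings per section and previews what the sed expression above would set, which shows that it rewrites every rate line (s2sin as well as c2s). The function names and the sample limits block are constructed for illustration; point list_rates at /etc/prosody/prosody.cfg.lua to audit a real host.

```shell
#!/bin/sh
# Constructed sample of a mod_limits block (values are illustrative).
write_sample() {
  cat > "$1" <<'EOF'
limits = {
  c2s = {
    rate = "10kb/s";
  };
  s2sin = {
    rate = "30kb/s";
  };
}
EOF
}

# Print "<section> <rate>" for every active rate line, e.g. "c2s 10kb/s".
list_rates() {
  awk '
    /^[ \t]*--/ { next }                       # skip Lua comment lines
    /^[ \t]*[A-Za-z0-9_]+[ \t]*=[ \t]*[{]/ {   # remember innermost table name
      sec = $1; sub(/=.*/, "", sec)
    }
    /rate *=.*kb.s/ {
      if (match($0, /[0-9]+kb.s/)) print sec, substr($0, RSTART, RLENGTH)
    }' "$1"
}

# Rates as they would be after the sed expression, without editing the file.
rates_after_bump() {
  tmp=$(mktemp) || return 1
  sed "/rate *=.*kb.s/  s/[0-9]*kb/512kb/" "$1" > "$tmp"
  list_rates "$tmp"
  rm -f "$tmp"
}

# Demo on the constructed sample file.
CFG=$(mktemp)
write_sample "$CFG"
echo "before:"; list_rates "$CFG"
echo "after:";  rates_after_bump "$CFG"
rm -f "$CFG"
```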