It was discovered that Prosody's generation of the secret token for server-to-server dialback authentication relied upon a weak random number generator that was not cryptographically secure. This allows an attacker to guess at probable values of the secret key. A successful guess allows impersonation of the affected domain to other servers on the network. External References: https://prosody.im/security/advisory_20160108-2/
Affected configurations ----------------------- Configurations with mod_dialback loaded (default configuration) are affected. Servers with s2s_secure_auth = true will not be susceptible to incoming attempts to spoof other domains on the network. However if mod_dialback is loaded, a server's domain's may still be spoofed by an attacker in connections to other servers. Not affected are configurations with a strong custom dialback_secret set (though periodically regenerating the dialback_secret is still advisable). Temporary mitigation -------------------- Set the 'dialback_secret' option in your configuration file to a long random string. A strong dialback_secret can be generated (for example) using the command: head -c 32 /dev/urandom | base64 Alternatively disable mod_dialback by adding it to your modules_disabled option in your configuration file. In this case communication with servers that only support dialback or have untrusted certificates will not be possible.
This has been fixed in: prosody-0.9.9-1.fc24 prosody-0.9.9-1.fc22 prosody-0.9.9-1.el5 prosody-0.9.9-1.fc23 prosody-0.9.9-1.el7 prosody-0.9.9-1.el6
prosody-0.9.9-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
prosody-0.9.9-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
prosody-0.9.9-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
prosody-0.9.9-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
prosody-0.9.9-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.