CVE-2021-32917: 
NixOS vulnerability analysis and mitigation

CVE-2021-32917 affects Prosody, a flexible communications server for Jabber/XMPP, in versions prior to 0.11.9. The vulnerability was discovered and disclosed on May 12, 2021. The issue exists in the proxy65 component, which is a file transfer proxy provided with Prosody to facilitate the transfer of files and other data between XMPP clients (Prosody Advisory).

The vulnerability has a CVSS score of 5.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C) and is associated with CWE-862 and CWE-400. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. The default configuration does not enable modproxy65 and is not affected, but with modproxy65 enabled, all configurations without a 'proxy65_acl' setting configured are affected (OSS Security).

The vulnerability allows unrestricted use of the server's bandwidth through the proxy65 component, potentially leading to resource exhaustion and affecting server performance. This could impact service availability for legitimate users (Debian Security).

As a temporary mitigation, administrators should configure 'proxy65acl' to a list of XMPP domains that should be allowed to use the file transfer proxy. The permanent solution is to upgrade to Prosody version 0.11.9 or later, which restricts access to local c2s connections by default. In version 0.11.9, the default behavior allows only local clients to initiate a data stream through the proxy if proxy65acl is unconfigured (OSS Security).

Multiple Linux distributions including Debian, Fedora, and Gentoo have released security advisories and patches for this vulnerability. The issue was part of a larger security update that addressed multiple vulnerabilities in Prosody, leading to widespread attention in the XMPP server community (Gentoo Security, Fedora Update).