Mellium · Mellium · CVE-2022-24968
**Name of the Vulnerable Software and Affected Versions**
Mellium mellium.im/xmpp versions 0.21.0 and earlier
**Description**
An attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification. The issue allows for man-in-the-middle attacks via DNS spoofing, where the server TLS certificate is incorrectly validated using the name of the server returned by the TXT record request, not the name of the server being connected to.
**Recommendations**
For Mellium mellium.im/xmpp versions 0.21.0 and earlier, providing a `tls.Config` with a `ServerName` field set to the correct destination hostname will avoid this issue.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
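The following Go program illustrates the failure mode in the description and the recommended mitigation. It is an added example, not code from the Mellium project or from this advisory: it does not use the mellium.im/xmpp API at all. Instead it builds a constructed scenario with the standard library (the host names `xmpp.example.com` and `ws.attacker.example`, the self-signed certificate, and the helper functions are all assumptions for illustration): an attacker-controlled endpoint, reached through a spoofed TXT record, presents a certificate valid for its own name. Checking that certificate against the name the TXT lookup returned accepts it; checking it against a `tls.Config` whose `ServerName` is pinned to the intended destination rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed scenario (assumed names, not from the advisory): the client
// wants to reach intendedHost, but a spoofed TXT record points the WebSocket
// connection at txtReturnedHost, which presents a certificate for itself.
const (
	intendedHost    = "xmpp.example.com"
	txtReturnedHost = "ws.attacker.example"
)

// selfSignedCert issues a throw-away self-signed certificate for dnsName,
// standing in for whatever the redirected endpoint presents at TLS time.
func selfSignedCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameAccepted reports whether cert is valid for checkedName. This
// isolates the host-name half of certificate verification, which is the
// part the advisory says used the wrong name; chain validation is unaffected.
func hostnameAccepted(cert *x509.Certificate, checkedName string) bool {
	return cert.VerifyHostname(checkedName) == nil
}

// pinnedTLSConfig is the mitigation from the advisory: set ServerName to the
// destination the user actually asked for, so crypto/tls verifies the server
// certificate against that name no matter what the TXT lookup returned.
func pinnedTLSConfig(destination string) *tls.Config {
	return &tls.Config{ServerName: destination, MinVersion: tls.VersionTLS12}
}

func main() {
	attackerCert, err := selfSignedCert(txtReturnedHost)
	if err != nil {
		panic(err)
	}
	// Vulnerable behaviour: the name from the TXT record is what gets checked,
	// so the redirected endpoint's own certificate passes.
	fmt.Println("checked against TXT-returned host:", hostnameAccepted(attackerCert, txtReturnedHost)) // true
	// Mitigated behaviour: the pinned ServerName is what gets checked.
	cfg := pinnedTLSConfig(intendedHost)
	fmt.Println("checked against pinned ServerName:", hostnameAccepted(attackerCert, cfg.ServerName)) // false
}
```

The `tls.Config` returned by `pinnedTLSConfig` is the shape of object the advisory tells users of 0.21.0 and earlier to supply; the point of the demonstration is that with `ServerName` fixed to the intended destination, a certificate that is only valid for the TXT-returned name no longer verifies.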