π ~4 min read β’ Source: Fedora update FEDORA-2026-1efa008794
Related CVEs: CVE-2026-43507 CVE-2026-43504 CVE-2026-43505 CVE-2026-43506
Upstream summary: # Prosody 13.0.5
Upstream is pleased to announce a new minor release from their stable branch.
This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.
Full details about the security vulnerabilities can be found in upstream's [security advisory](https://prosody.im/security/advisory_735dd9d3/). Upstream encourages all Prosod
Table of contents
Symptom & Impact
On Fedora 42 hosts that have prosody installed, operators report behaviour consistent with Fedora update FEDORA-2026-1efa008794: dnf / dnf5 refuses to install or restart affected services, SELinux AVC denials appear in /var/log/audit/audit.log, and β for security-rated advisories β the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever prosody sits on the serving path.
Environment & Reproduction
Reproduction targets Fedora 42. Confirm release and the installed package:
cat /etc/fedora-release
cat /etc/os-release
rpm -q prosody
dnf info prosody | head -20
# Fedora 41+ ships dnf5 by default:
dnf5 info prosody | head -20Trigger the workflow that exposes prosody β multiple vulnerabilities (4 CVEs) β patch and remediation guide while collecting:
sudo journalctl -u prosody -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/dnf.log
sudo tail -200 /var/log/dnf5.log
sudo tail -200 /var/log/audit/audit.log
# For an evidence bundle with sosreport:
sudo sosreport --batchRoot Cause Analysis
Root cause is documented in Fedora update FEDORA-2026-1efa008794. Fedora packagers shipped fixes in the corresponding prosody update for Fedora 42; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate dnf history with system logs:
sudo dnf history | head
sudo dnf history list prosody
sudo dnf history info <id>
sudo dnf5 history list # Fedora 41+
sudo ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted # non-zero = tainted kernel / out-of-tree modulesQuick Triage
Run these on Fedora 42 to capture the current state of prosody:
rpm -q prosody # installed NVR
rpm -V prosody # verify shipped files
sudo dnf check-update --security
sudo dnf updateinfo list cves
sudo dnf5 check-upgrade --security # Fedora 41+
systemctl --failed --no-pager
sudo firewall-cmd --list-all
getenforce && sestatus
# If prosody ships a systemd unit (unit name may differ from pkg name, e.g.
# bindβnamed, postgresql-serverβpostgresql, php-fpmβphp-fpm):
systemctl list-unit-files | grep -i prosody | headStep-by-Step Diagnosis
-
List failed systemd units.
systemctl --failed --no-pager -
Tail the journal for
prosodyand the system bus.sudo journalctl -u prosody -f --no-pager sudo journalctl -xe -f --no-pager -
Inspect firewall posture.
sudo firewall-cmd --list-all-zones --permanent sudo nft list ruleset 2>/dev/null | head -50 -
Surface SELinux denials and author a local policy module if needed.
sudo ausearch -m AVC,USER_AVC -ts today sudo ausearch -m AVC -ts today | audit2allow -a -M /tmp/local-fix sudo semodule -i /tmp/local-fix.pp -
Verify
prosodyintegrity and reinstall if anything is altered.sudo rpm -V prosody sudo dnf reinstall prosody sudo dnf5 reinstall prosody # Fedora 41+ -
Correlate findings with
/var/log/dnf.log,dnf history, and Fedora update FEDORA-2026-1efa008794 to pin the change that introduced prosody β multiple vulnerabilities (4 CVEs) β patch and remediation guide.
Solution – Primary Fix
Before changing system packages on a btrfs-rooted Fedora 42 host take a cheap snapshot so a bad upgrade can be rolled back in seconds:
sudo btrfs subvolume snapshot / /.snapshots/pre-upgrade-$(date +%s)
sudo btrfs subvolume list / | tailApply the corrective dnf transaction referenced by Fedora update FEDORA-2026-1efa008794, then reload affected systemd units:
sudo dnf -y makecache
sudo dnf -y upgrade --security # apply ALL security errata (recommended)
# Fedora 41+ ships dnf5 by default β equivalent commands:
sudo dnf5 upgrade --refresh
sudo dnf5 upgrade-minimal --security
# Or target a single package:
sudo dnf -y upgrade prosody
sudo dnf5 upgrade prosody # Fedora 41+
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i prosody | head
sudo systemctl restart prosody
rpm -q prosody # confirm new NVR
systemctl is-active prosody 2>/dev/null # confirm running (if a unit exists)For kernel / glibc / systemd / openssl advisories a reboot is required (or kpatch where licensed):
sudo dnf needs-restarting -r # report whether reboot needed
sudo systemctl reboot # or: sudo shutdown -r now
# kpatch (where licensed) avoids reboot for many kernel CVEs:
sudo dnf install -y kpatch kpatch-dnf
sudo dnf kpatch auto # enable auto-patching
sudo kpatch listNeed help rolling this patch across a Fedora fleet? Our IT Solutions & Services team manages Fedora and CentOS Stream lifecycle with bodhi automation plus dnf-automatic. Get in touch for a free consultation.
Solution – Alternative Approaches
If the primary patch is not viable, choose from these:
-
Roll back the offending dnf transaction:
sudo dnf history list | head sudo dnf history info <id> sudo dnf history undo <id> sudo dnf5 history undo <id> # Fedora 41+ -
Version-lock the package so dnf cannot upgrade it:
sudo dnf install -y python3-dnf-plugin-versionlock sudo dnf versionlock add prosody sudo dnf versionlock list sudo dnf versionlock delete prosody # remove the lock -
Install an older NVR if a regression is suspected:
dnf --showduplicates list prosody | tac | head sudo dnf install -y --allowerasing prosody-<older-NVR> -
Switch SELinux to permissive briefly to confirm policy is the cause, then re-enforce:
sudo setenforce 0 # reproduce, capture denials, author a custom module: sudo ausearch -m AVC -ts recent | audit2allow -a -M mylocal sudo semodule -i mylocal.pp sudo setenforce 1 -
Roll back via a btrfs snapshot taken before the upgrade (Fedora default root filesystem):
sudo btrfs subvolume list / # boot a rescue / live image, then promote the snapshot to /: sudo btrfs subvolume snapshot /.snapshots/pre-upgrade-<ts> /root-restored # update /etc/fstab and the bootloader to point at the restored subvolume. -
Where kpatch is available, apply kernel fixes without reboot:
sudo kpatch list sudo kpatch load /usr/lib/modules/$(uname -r)/extra/kpatch/*.ko
Verification & Acceptance Criteria
All of these should pass after the fix:
rpm -q prosody # expected fixed NVR
sudo dnf updateinfo list cves --installed # CVEs above no longer listed
systemctl is-active prosody 2>/dev/null
sudo journalctl -u prosody --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
getenforce
sudo dnf needs-restarting -rThe original reproduction for prosody β multiple vulnerabilities (4 CVEs) β patch and remediation guide must not trigger across two consecutive runs.
Rollback Plan
Capture state before any change:
rpm -qa > /root/rpm-pre.txt
sudo dnf history list > /root/dnf-history-pre.txt
# Cheap btrfs snapshot of the root subvolume:
sudo btrfs subvolume snapshot / /.snapshots/pre-upgrade-$(date +%s)To revert if the patch is bad:
sudo dnf history undo <id>
sudo dnf5 history undo <id> # Fedora 41+
# Or downgrade just the package:
sudo dnf install -y --allowerasing prosody-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart prosody
# Or boot rescue and promote the btrfs snapshot back to /.
# Custom SELinux policy cleanup:
sudo semodule -r mylocalPrevention & Hardening
Reduce the chance of this recurring on Fedora 42:
-
Enable automatic security patching with dnf-automatic:
sudo dnf install -y dnf-automatic sudo sed -i 's/^upgrade_type.*/upgrade_type = security/' /etc/dnf/automatic.conf sudo sed -i 's/^apply_updates.*/apply_updates = yes/' /etc/dnf/automatic.conf sudo systemctl enable --now dnf-automatic.timer sudo systemctl enable --now dnf-automatic-install.timer dnf updateinfo list cves --available -
Subscribe to fedora-announce and watch the Bodhi security updates feed for upstream changes.
-
Mirror through a local repo for controlled rollouts:
sudo dnf install -y dnf-utils createrepo_c sudo reposync --download-metadata --downloadcomps -p /srv/mirror --repoid=fedora sudo createrepo_c /srv/mirror/fedora -
Version-lock sensitive packages so they cannot be auto-upgraded:
sudo dnf install -y python3-dnf-plugin-versionlock sudo dnf versionlock add prosody -
Monitor file integrity with AIDE:
sudo dnf install -y aide sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz sudo aide --check -
Enable kpatch (where available) so kernel CVEs can be remediated without reboot:
sudo dnf install -y kpatch kpatch-dnf sudo dnf kpatch auto sudo kpatch list -
Keep SELinux in enforcing mode and review custom modules in
/etc/selinux/targeted/after every package upgrade. -
Apply CIS Fedora 42 Benchmark hardening and remove unused packages.
Related Errors & Cross-Refs
Issues that commonly surface alongside prosody β multiple vulnerabilities (4 CVEs) β patch and remediation guide: dnf lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Useful triage:
sudo dnf check
systemd-analyze critical-chain
sudo ausearch -m AVC -ts today | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted
sudo dnf needs-restarting -rView all fedora-42 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Primary reference: Fedora update FEDORA-2026-1efa008794. Manual pages useful on Fedora 42:
man dnf
man dnf5
man dnf.conf
man systemctl
man journalctl
man firewall-cmd
man semanage
man audit2allow
man kpatch
man sosreport
man btrfsOther resources: docs.fedoraproject.org, Bodhi update system, Red Hat CVE database, and per-package notes in /usr/share/doc/prosody/ for components implicated in prosody β multiple vulnerabilities (4 CVEs) β patch and remediation guide.
