Debian Lua-Expat vulnerabilities
2 known vulnerabilities affecting debian/lua-expat.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, LOW 1
Vulnerabilities
CVE-2014-2744 | HIGH | CVSS 7.8 | fixed in lua-expat 1.3.0-1 (bookworm) | 2014
CVE-2014-2744 [HIGH] CVE-2014-2744: lua-expat - plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metro...
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
Scope: local
bookworm: resolved (fixed in 1.3.0-1)
debian
CVE-2011-2188 | LOW | CVSS 6.5 | fixed in lua-expat 1.2.0-1 (bookworm) | 2011
CVE-2011-2188 [MEDIUM] CVE-2011-2188: lua-expat - LuaExpat before 1.2.0 does not properly detect recursion during entity expansion...
LuaExpat before 1.2.0 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Scope: local
bookworm: resolved (fixed in 1.2.0-1)
bullseye: resolved (fixed in
debian