Today brings an important security release for both our stable branches. This fixes a cross-host authentication vulnerability, CVE-2018-10847.
The issue affects Prosody instances that have multiple virtual hosts (including anonymous authenticated hosts). All versions of Prosody before 0.9.14 and 0.10.2 are affected.
A full security advisory is available at https://prosody.im/security/advisory_20180531.
Summary of all changes in this release:
- mod_c2s: Do not allow the stream ‘to’ to change across stream restarts (fixes #1147)
- mod_websocket: Store the request object on the session for use by other modules (fixes #1153)
- mod_c2s: Avoid concatenating potential nil value (fixes #753)
- core.certmanager: Allow all non-whitespace in service name (fixes #1019)
- mod_disco: Skip code specific to disco on user accounts (avoids invoking usermanager, fixes #1150)
- mod_bosh: Store the normalized hostname on session (fixes #1151)
- MUC: Fix error logged when no persistent rooms present (fixes #1154)
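The first item above (mod_c2s must not let the stream 'to' change across stream restarts) is the fix for CVE-2018-10847 described at the top of this post. As an added illustration, not Prosody's own code, the following Python sketch shows the shape of that check: the virtual host named in the first stream header is pinned to the session, and any later stream restart (after STARTTLS or SASL) that names a different host is rejected instead of silently moving the session to that host. The virtual-host list, the session fields, the regex-based header parsing and the stream-error conditions chosen are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration: the virtual hosts this server serves
# (an anonymous-auth host is included because the advisory covers those too).
VIRTUAL_HOSTS = {"example.com", "anon.example.com"}

# XMPP stream headers are unclosed start tags, so a strict XML parser would
# reject them; a small regex is enough to pull out the 'to' attribute here.
STREAM_HEADER = re.compile(r"<stream:stream\b([^>]*)>")
ATTRIBUTE = re.compile(r"""(?<![\w:])(\w+)=(?:"([^"]*)"|'([^']*)')""")


def parse_stream_to(header: str) -> Optional[str]:
    """Return the lowercased 'to' attribute of a <stream:stream> header, or None."""
    match = STREAM_HEADER.search(header)
    if not match:
        return None
    for name, dq, sq in ATTRIBUTE.findall(match.group(1)):
        if name == "to":
            return (dq or sq).lower()  # simplification: real code normalizes via IDNA
    return None


@dataclass
class Session:
    """Minimal stand-in for a client-to-server session (assumed fields)."""
    host: Optional[str] = None        # virtual host pinned at first stream open
    restarts: int = 0
    close_reason: Optional[str] = None


def handle_stream_open(session: Session, header: str) -> bool:
    """Process one stream header; returns True if the stream may continue.

    The first header pins session.host. Every later header is a stream
    restart (after STARTTLS or SASL) and must name the same host, otherwise
    the session is closed. The error condition names are this example's choice.
    """
    to = parse_stream_to(header)
    if to is None or to not in VIRTUAL_HOSTS:
        session.close_reason = "host-unknown"
        return False
    if session.host is None:
        session.host = to
        return True
    session.restarts += 1
    if to != session.host:
        # Without this comparison a restart could move an already
        # authenticated session onto a different virtual host.
        session.close_reason = "not-authorized"
        return False
    return True


def run_session(headers) -> Session:
    """Feed a sequence of stream headers to one session and return it."""
    session = Session()
    for header in headers:
        if not handle_stream_open(session, header):
            break
    return session


if __name__ == "__main__":
    # Constructed sample exchange: open, restart on the same host,
    # then a restart that tries to switch to another virtual host.
    s = run_session([
        '<stream:stream to="example.com" xmlns="jabber:client" version="1.0">',
        "<stream:stream to='example.com' xmlns='jabber:client' version='1.0'>",
        '<stream:stream to="anon.example.com" xmlns="jabber:client" version="1.0">',
    ])
    print(s.host, s.restarts, s.close_reason)
```

The point of keeping the comparison in the stream-open handler is that it runs for every restart, so the host chosen before authentication is the only host the authenticated session can ever be bound to.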
As usual, download instructions for many platforms can be found on our download page.
Note for 0.9.x users: There is no updated ‘prosody’ package for our 0.9 branch. If you installed from our repository, switch to the ‘prosody-0.9’ nightly package or upgrade the ‘prosody’ package to receive 0.10.2. If upgrading to 0.10 from 0.9, be sure to read the 0.10 upgrade notes. If you installed Prosody from your distribution, you may expect updated packages from them (they were notified in advance of this release).
Nightly users: ensure you have at least builds 485 (0.10) or 294 (0.9) or 904 (trunk).
If you have any questions, comments or other issues with this release, let us know!