This is a security and bugfix release for the 0.8 branch. This release contains fixes for a couple of major issues, and it is strongly recommended that you upgrade.
Some of you may already be aware of the “billion laughs” denial-of-service attack which was discovered to work against a number of XMPP servers recently. Due to accidental oversight the Prosody team was not notified ahead of the issue being made public, so we have worked hard the past few days to prepare this release as soon as we could.
In addition to upgrading Prosody, you MUST also upgrade the LuaExpat library to 1.2.0 to prevent the attack - this should hopefully be arriving in your distribution shortly, alternatively it can be installed using luarocks. See our dependencies page for details.
If you are a packager and are looking for backported patches to older Prosody versions, please see the 0.8.1 release notes.
A summary of changes in this release:
Reject XML DTDs, comments and processing instructions, preventing the “billion laughs” attack
Switch to MEDIUMTEXT in the schema for MySQL to avoid truncating large data (such as large avatars) Prosody automatically upgrades the table in-place if possible, see our MySQL documentation for more information.
Fix for endless loop when parsing certain invalid JSON
Fix PostgreSQL compatibility in prosody-migrator
Fix timestamp parsing for DST (affecting MUC scrollback retrieval)
mod_legacyauth now correctly disabled for unencrypted connections by default
Components properly inherit SSL settings and certificates from their ‘parent’ hosts
Prevent startup with no VirtualHost entries in the config file
As usual if you need help or have any questions about installing/upgrading, feel free to ask.
Source tarball: prosody-0.8.1.tar.gz