It’s that time of the week! We have a new release for you, with some important and some minor fixes.
It is strongly recommended that all 0.9 users upgrade - these issues affect all versions of 0.9 since we released beta1 (~nightly build 119). Prosody 0.8 is not affected.
Summary of changes:
- [major] Fixed a segfault in our SCRAM authentication code that can allow unauthenticated users to crash a Prosody instance.
- [major] Fixed an issue that allows an attacker to bypass the new ‘s2s_secure_auth’ and ‘s2s_secure_domains’ options, and downgrade the connection to DNS authentication (dialback) if mod_dialback is loaded.
- [minor] Sometimes s2s certificate errors were not accurately reported (in debug logging and telnet console).
- [minor] HTTP/1.0 connections with Keep-Alive did not work correctly.
Nightly users should upgrade to build 154. Users of the trunk nightly build should also upgrade, to build 408.
All download information can be found with our 0.9 release notes.
Happy Jabbering!
The Prosody Team