Prosodical Thoughts

News, announcements and thoughts from the Prosody IM team

Prosody 0.9.10 released

by The Prosody Team
Tags: release , security

We are pleased to announce a new minor release from our stable branch.

This release fixes another dialback security issue. We strongly encourage all Prosody servers to upgrade as soon as possible.

Successful exploitation allows an attacker to impersonate your server on the XMPP network. A full security advisory can be found here. Many thanks to Thijs Alkemade for discovering and reporting the issue.

We also have a number of other fixes and improvements made since 0.9.9.

A summary of changes in this release:

Security

  • mod_dialback: Adopt key generation algorithm from XEP-0185, to prevent impersonation attacks (CVE-2016-0756)

Fixes and improvements

  • Startup: Open /dev/urandom read-only, to fix a failure to start on some systems (fixes #585)
  • Networking: Improve handling of the ‘select’ network backend running out of file descriptors

Minor changes

  • Networking: Increase default internal read size to prevent connections stalling with LuaEvent (see #583)
  • DNS: Discard queries that failed to send due to connection errors (fixes #598)
  • c2s, s2s: Lower priority of shutdown handler, so that modules such as MUC can always send shutdown notifications to (remote) users (fixes #601)

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!


About

Prosody is a lightweight and flexible XMPP server designed with ease-of-use and extensibility in mind.

⚛️ Atom feed

Recent Posts