This is a new maintenance release to our old stable 0.9 branch, with many bug fixes, including some important security improvements.
In particular there is an issue where using Prosody 0.9 with LuaSocket 3.0rc1 (which is commonly packaged in distributions) can allow an unauthenticated remote entity to trigger Prosody to exit.
If you are using our nightly packages (‘prosody-0.9’) from our repository, this issue was already fixed last year in nightly build 285. Simply upgrade the prosody-0.9 package to ensure you have all the latest fixes in this branch.
If you are using the ‘prosody’ package and it is at version 0.9, we recommend you upgrade it - our repository provides 0.10.0 since the release in October last year. Alternatively please switch to using the prosody-0.9 nightly packages to ensure you continue to get updates on the 0.9 branch.
NOTE for 0.10.x users: none of the security issues in this release affect 0.10. However 0.10.1 release will follow shortly with some bug fixes relevant to that branch.
Note that there is currently no deprecation plan for the 0.9 branch. We will continue to provide security and major bug fixes for the immediate future, although we do encourage you to upgrade to 0.10.
A summary of changes in this release:
- Fix for compatibility with LuaSocket 3.0rc1 (fixes denial of service from remote)
- mod_register: Require encryption before registration if c2s_require_encryption is set (fixes #595)
- MUC: Ensure that
elements which match our from are stripped (fixes #1055)
Fixes and improvements
- Compatibility fix with newer LuaSec 0.6 (fixes #781)
- mod_presence: Send probe once subscribed (fixes #794)
- mod_net_multiplex: Enable SSL on the SSL port (fixes #803)
- core.rostermanager: Add method for checking if the user is subscribed to a contact
- mod_saslauth: Log SASL failure reason
- mod_disco: Correctly set the ‘node’ attr (fixes #449)
- mod_bosh: Update session.conn to point to the current connection (fixes #890)
- net.dns: Simplify expiry calculation (fixes #919)
- mod_watchregistrations: Return the pointer to the root of the stanza, fixes #922.
- mod_disco: Add an account/registered identity on subscribed accounts, fixes #826.
- mod_welcome: Return the pointer to the root of the stanza, fixes a bug similar to #922.
- net.dns: Prevent answers from immediately expiring even if TTL=0 (see #919)
- mod_saslauth: Use correct varible name (thanks Roi)
- mod_c2s: Iterate over child tags instead of child nodes in stream error (fixes traceback from #987)
- mod_component, mod_s2s: Iterate over child tags instead of child nodes (can include text) in stream error (same as 176b7f4e4ac9)
- MUC: Always send subject message, even if it is empty (fixes #1053)
- MUC: fix the @from on
in history replay (fixes #1054)
- MUC: Rename variable to make it clearer that it is the room JID and not the MUC host
Debian/Ubuntu and derivatives: Install ‘prosody-0.9’ from our package repository to receive nightly build 289 or higher.
If your Prosody is installed from your distribution, look to them for updates.
If you have any questions, comments or other issues with this release, let us know!