Another minor release for you all. The most important change here is to disable SSLv3 by default, now it has been shown to be insecure when used by clients. This means that clients that support only SSLv3 will no longer be able to connect by default (which is why we had not been planning to make this change in a minor release).
A summary of changes in this release:
- certmanager, net.http: Disable SSLv3 by default
- net.http.parser: Support status code 101 and allow handling of the received data by plugins
- util.filters: Ignore filters being added twice (fixes issues on removal, i.e. when some plugins are reloaded/unloaded)
- mod_s2s: Close offending s2s streams missing an ‘id’ attribute with a stream error instead of throwing an unhandled error
- Networking API: Add ‘ondetach’ callback for listener objects, to prevent leaks when connections have their listener changed
- core.stanza_router: Stricter validation of stanzas
- mod_admin_adhoc: Mark ‘accountjids’ field as required in ‘end user sessions’ command (thanks Lloyd)
- mod_admin_adhoc: Add required to field in user deletion form too
- net.dns: Avoid duplicate cache entries
- util.stanza: Escape newlines and tabs (\r\n\t) when serializing stanzas.
- util/dataforms: Make sure we iterate over field tags only
- mod_s2s: Capitalize log message
- mod_pubsub: Fix error type of ‘forbidden’ (change from ‘cancel’ to ‘auth’)
Download instructions for many platforms can be found on our download page
If you have any questions, comments or other issues with this release, let us know!