Changelog:
Changes ordered by priority.
High:
* Ensure only valid UTF-8 is passed to libidn. It was found (CVE-2015-2059)
that libidn can read beyond the boundaries of the provided buffer when an
input string contains invalid UTF-8 sequences.
Systems where Prosody is compiled with libICU are not affected by this issue.
Medium:
* DNS: Fix traceback caused when DNS server IP is unroutable (issue 473)
* HTTP client: More robust handling of chunked encoding across packet
boundaries
* Stanza router: Fix handling of 'error' <iq>'s with multiple children
Low:
* c2s: Fix error reply when clients try to bind multiple resources on the
same stream (issue 484)
* s2s: Ensure to/from attributes are always present on stream headers, even
if empty (issue 468)
* Build scripts: Add --libdir option to ./configure to simplify building on
some platforms
* Fix traceback in datamanager when used outside of Prosody
(e.g. in some migration tools)
* mod_admin_telnet: Fix potential traceback in server:memory()
command (issue 471)
* HTTP server: Improved debug logging
Clean up Makefile for readibility. Add SMF manifest.
Changes in 0.9.7:
- Fix server-to-server interoperability issue with Isode M-Link (since 0.9.6)
- Fix traceback in 'prosodyctl about' command with LuaRocks 2.2.0+ installed
Changes in 0.9.6:
- certmanager, net.http: Disable SSLv3 by default
- net.http.parser: Support status code 101 and allow handling of the received
data by plugins
- util.filters: Ignore filters being added twice (fixes issues on removal,
i.e. when some plugins are reloaded/unloaded)
- mod_s2s: Close offending s2s streams missing an 'id' attribute with
a stream error instead of throwing an unhandled error
- Networking API: Add 'ondetach' callback for listener objects, to prevent
leaks when connections have their listener changed
- core.stanza_router: Stricter validation of stanzas
- mod_admin_adhoc: Mark 'accountjids' field as required in 'end user sessions'
command (thanks Lloyd)
- mod_admin_adhoc: Add required to field in user deletion form too
- net.dns: Avoid duplicate cache entries
- util.stanza: Escape newlines and tabs (\r\n\t) when serializing stanzas.
- util/dataforms: Make sure we iterate over field tags only
- mod_s2s: Capitalize log message
- mod_pubsub: Fix error type of 'forbidden' (change from 'cancel' to 'auth')
Changes in 0.9.5:
- C2S: Fix traceback if a client opens a stream to component, which could
cause a crash in combination with some versions of LuaEvent
- C2S, S2S: Log received invalid stream headers
- S2S: Fix case where stream headers were sometimes sent twice
- DNS: Ensure all pending requests get notified of a timeout when looking
up a record
- DNS: Fix duplicated cache insertions by limiting outstanding queries
per name to one
- xmppstream: Disable LuaExpat's buffering
- xmppstream: Disable CharacterData merging after stream restarts
- xmppstream: Pass invalid stream headers to error handling
- Privacy lists: Correctly sort privacy list rules by order
- prosody: Check dependencies later in the startup sequence
- Config: Delay importing LuaFileSystem until needed by an Include line
- Config: Normalize VirtualHost and Component names
- prosodyctl: Normalize JIDs for adduser/passwd/deluser
- POSIX: Fix error reporting from disk space allocation
- POSIX: Verify that 'pidfile' is a string, show friendly error otherwise
- Dependency checking: Check that prosody is running under Lua 5.1. We don't
currently support any other versions. (LuaJIT identifies as 5.1)
- Compliance: Reset stream ID when resetting stream
- Compression: Log compression setup errors
- Console: Fix commands for adding and replacing name servers
- Console MUC commands: Fix error when a non-existent host is entered
- Filters: Prevent filters from being added twice
- Network: Transfer all available data between linked sockets
- dataforms: Add support for XEP-0221: Data Forms Media Element
Fix for a DoS vulnerability, see
https://www.debian.org/security/2014/dsa-2895
Changes in 0.9.4:
- Compression: Disallow compression on unauthenticated streams
- Core: Limit default read size and maximum stanza size
- Core: Enable SASL EXTERNAL by default for component s2s
- S2S: Warn if s2s_secure_auth and s2s_require_encryption have been
set in conflicting ways
- S2S: Warn if no local network addresses were found, preventing
successful s2s
- MUC: Fix traceback when a non-occupant tried to change an
occupant's role
- MUC: API: Fire an event when temporary rooms are destroyed after
the last person leaves
- Telnet: Fixed traceback when listing users
- Telnet: Apply normalization to JIDs in user management commands
- HTTP: Fix directory detection in file server on Windows
- Plugins: Fix paths on Windows
- MOTD: Don't strip blank lines from the message provided in the config
- prosodyctl: Better error reporting when generating certificates
- Makefile: Improve FreeBSD compatibility
- Multiple fixes to our migration tools, and support for importing MUCs
from ejabberd
Changes in 0.9.3:
- A config file passed as command line argument is no longer forgotten
when config is reloaded
- MUC: Allow admins to always bypass restrict_room_creation
- Strip trailing '.' when normalizing hostnames
- HTTP: Prevent silent connection failures
- Components: Allow easier overriding of component authentication by plugins
- Components: Enable TCP keepalives
- Migrator: Better error reporting and improved robustness
- S2S: Include IP in log messages, if hostname is unavailable
- TLS: Log error when initialization fails
Changes in 0.9.2:
- Debian/Ubuntu packages fixed to always generate per-system certs
- TLS: Improved cipher string, and use Prosody's preferred ciphers
- MUC: Fix for Spark clients not displaying room lists
Changes in 0.9.1:
* Config: Fix the workaround for LuaSec 0.4.x to apply the ssl 'ciphers'
option correctly
* Config: Ability to specify the ssl 'dhparam' option simply as a path to
a file, instead of a callback function
* Windows: Fix s2s issues
* Windows: Fix the ability to specify absolute paths to SSL certificates
in the config
* Build: Fix compilation issue on non-Linux systems that have glibc (such as
Debian GNU/kFreeBSD)
* API: Fix to our set library, that caused the :include() and :exclude()
methods to behave incorrectly
Changes in 0.9.0:
* IPv6 support for c2s, s2s and all other services (e.g. HTTP)
* Server-to-server authentication using certificates (SASL EXTERNAL)
* A new HTTP subsystem, supporting virtual hosts, and fully reloadable modules
* Client and server connections are now handled by modules: mod_c2s, mod_s2s
* mod_pubsub: Basic pubsub service (some features not yet implemented)
* prosodyctl about - show information about a Prosody installation
* prosodyctl cert - command to generate XMPP certificates and CSRs
* Many very nice enhancements to our module API
* MUC: Configurable per-room history length
* MUC: Plugins can now extend the room configuration form
See notes on upgrading from 0.8.x:
https://prosody.im/doc/release/0.9.0#upgrading
Just a small release for you this time, with a handful of bugfixes.
Thanks to '@eoranged' and the other PostgreSQL users who helped with
feedback and testing of the SQL fixes (the PostgreSQL server we use
for testing is now behaving properly!).
A summary of changes in this release:
* mod_storage_sql: Fix compatibility with PostgreSQL databases (0.8.1 issue)
* mod_bosh: Fix for sessions not timing out after inactivity in some cases
* mod_dialback: Fix multiple concurrent dialback requests for the same
domain (was sometimes causing s2s failure with certain ejabberds)
A security and bug fix release. The security aspect is to mitigate the
"billion laughs" denial-of-service attack against XML parsers and XMPP
servers.
Other changes:
- Reject XML DTDs, comments and processing instructions, preventing
the "billion laughs" attack
- Switch to MEDIUMTEXT in the schema for MySQL to avoid truncating
large data (such as large avatars)
Prosody automatically upgrades the table in-place if possible, see:
http://prosody.im/doc/mysql
- Fix for endless loop when parsing certain invalid JSON
- Fix PostgreSQL compatibility in prosody-migrator
- Fix timestamp parsing for DST (affecting MUC scrollback retrieval)
- mod_legacyauth now correctly disabled for unencrypted connections by default
- Components properly inherit SSL settings and certificates from their
'parent' hosts
- Prevent startup with no VirtualHost entries in the config file
Prosody is a flexible communications server for Jabber/XMPP written in Lua.
It aims to be easy to use, and light on resources. For developers it aims
to be easy to extend and give a flexible system on which to rapidly develop
added functionality, or prototype new protocols.
(Based on wip/prosody.)
