A security and bug fix release. The security aspect is to mitigate the
"billion laughs" denial-of-service attack against XML parsers and XMPP
servers.
Other changes:
- Reject XML DTDs, comments and processing instructions, preventing
the "billion laughs" attack
- Switch to MEDIUMTEXT in the schema for MySQL to avoid truncating
large data (such as large avatars)
Prosody automatically upgrades the table in-place if possible, see:
http://prosody.im/doc/mysql
- Fix for endless loop when parsing certain invalid JSON
- Fix PostgreSQL compatibility in prosody-migrator
- Fix timestamp parsing for DST (affecting MUC scrollback retrieval)
- mod_legacyauth now correctly disabled for unencrypted connections by default
- Components properly inherit SSL settings and certificates from their
'parent' hosts
- Prevent startup with no VirtualHost entries in the config file
Small list of changes:
2.1.7
* BOSH: Keep the order of stanzas when BOSH sends several
* CAPTCHA in MUC: New whitelist option
* CAPTCHA: New captcha_limit option
* Core: Disable all entity expansions
* Core: Do not accept XML with undefined prefixes
* ejabberdctl: New DIST_USE_INTERFACE restricts IP erlang listen
* ejabberdctl: New ERL_EPMD_ADDRESS that works since Erlang/OTP R14B03
* extauth: If script crashes, ejabberd should restart it
* If a module start fails during server start, stop erlang
* mod_blocking: New XEP-0191 Simple Communications Blocking
* mod_pres_counter: Prevent subscription flood
* mod_register: Access now also controls account unregistrations
* mod_shared_roster: Fix support for anonymous accounts in @all@
* mod_shared_roster: New @online@ directive
* New Indonesian translation
* Pubsub: Apply filtered notification to PEP last items
* Pubsub: Owner can delete any items from its own node
2.1.6
* BOSH: Fix rare loop, support vhosts, allow module restart
* Config: Default configuration allows registrations only from localhost
* Config: Support to change loglevel per module at runtime
* Erlang/OTP: Fix compatibility from R10B-9 to R14B01
* ODBC: Compatibility with PostgreSQL 9.0
* Privacy lists: Fix to allow block by group and subscription again
* Pubsub: Fix cross domain eventing
* Register: Added CAPTCHA, password strength and ip_access to mod_register
* Register: New mod_register_web, with CAPTCHA support
* S2S: New options to require encryption, and verify certificates
* Shared Rosters: Added mod_shared_roster_ldap
* Bind listener ports early and start accepting connections later
* Prevent the "billion laughs" attack against expat by disabling internal
entity expansion.
* Shortcut DNS resolution failure in cases when given domain name is invalid
* Explicitly link libcrypt to authreg_mysql
* Removed xconfig - it's not used anywhere
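The three entries above describe the same hardening: Prosody rejects DTDs, comments and processing instructions; ejabberd disables entity expansion and refuses XML with undefined prefixes; jabberd2 disables internal entity expansion in expat. As an added example that is not code from any of those projects, the Python below applies the same rules with the standard library's expat binding. Every stanza it parses is a constructed sample, and the handler names are those of xml.parsers.expat.

```python
"""Guard an XMPP-style XML stream against "billion laughs" input.

Added example, not code from Prosody, ejabberd or jabberd2.  It uses the
standard library's expat binding and refuses the constructs those releases
reject: any DOCTYPE (hence any entity definition or expansion), comments and
processing instructions, and it turns on namespace processing so an undefined
prefix is a parse error.  All inputs below are constructed samples.
"""
import xml.parsers.expat


class RejectedXML(Exception):
    """The stream used a construct the guard refuses to process."""


def _refuse(what):
    # An exception raised inside an expat handler aborts Parse() and is
    # re-raised to the caller, so raising here stops the parser before the
    # offending construct is acted on.
    def handler(*_args):
        raise RejectedXML(what)
    return handler


def parse_guarded(data):
    """Parse DATA, returning the element names seen in document order.

    Raises RejectedXML for DTDs, entity declarations, comments and
    processing instructions, and xml.parsers.expat.ExpatError for malformed
    XML, including a prefix that was never bound with xmlns:.
    """
    seen = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    # "<!DOCTYPE" is seen before any entity inside it can be declared or
    # expanded, so the exponential expansion work is never started.
    parser.StartDoctypeDeclHandler = _refuse("DTD / DOCTYPE")
    parser.EntityDeclHandler = _refuse("entity declaration")
    parser.CommentHandler = _refuse("comment")
    parser.ProcessingInstructionHandler = _refuse("processing instruction")
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def check_stream(data):
    """Classify DATA as 'ok: ...', 'rejected: <why>' or 'malformed: <expat error>'."""
    try:
        names = parse_guarded(data)
    except RejectedXML as exc:
        return "rejected: %s" % exc
    except xml.parsers.expat.ExpatError as exc:
        return "malformed: %s" % exc
    return "ok: " + ",".join(names)


def billion_laughs(depth=9, fanout=10):
    """Build the classic nested-entity payload (constructed sample input).

    Fully expanded, the top entity is fanout**depth copies of "lol": with the
    defaults, about three gigabytes from a few hundred bytes of input.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>\n'
            % ("\n".join(decls), depth))


# Constructed stanzas.  The XML declaration is not a processing instruction
# and stays allowed; with namespace processing on, expat reports an element
# in the default namespace as "<uri> <localname>".
BENIGN_STANZA = ('<?xml version="1.0"?>'
                 '<message xmlns="jabber:client" to="juliet@example.com">'
                 '<body>hi</body></message>')
UNBOUND_PREFIX = '<foo:bar xmlns="jabber:client"/>'


if __name__ == "__main__":
    for sample in (BENIGN_STANZA, billion_laughs(), '<a><!-- x --></a>',
                   '<a><?target data?></a>', UNBOUND_PREFIX):
        print(check_stream(sample))
```

Refusing the whole DOCTYPE is the right cut for an XMPP server rather than capping expansion: RFC 6120 already forbids DTDs, entity references, comments and processing instructions on a stream, so there is no legitimate traffic to lose, and the check fires before any expansion work is done. Newer expat releases (2.4.0 and later) add their own amplification limit, but that is a backstop, not a reason to accept DTDs from the network.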
* require python builtin sqlite3 module, PR#44968.
* require python>=25.
* drop avahi option from suggested. It requires avahi-python, but the python option
of net/avahi is disabled by default.
Bump PKGREVISION.
- warn the user if the IRCHOST may be wrong
- make /save save /ignore'd things
- remove K&R C support
- remove many old UNIX platforms support
- avoid a spurious SIGALRM
- avoid printing some 8-bit unprintable chars
- add support for modern qnx
General:
* Our bundled libgadu should now build on HP-UX.
* Fix some instances of file transfers never completing.
Pidgin:
* Sort by Status no longer causes buddies to move around when you click them.
* Fix embedding in the system tray on older GTK+ releases (such as on CentOS
5.5 and older Fedora).
* No longer require libstartup-notification for startup notification support.
GTK+ has included support for years, so use it instead.
AIM:
* Fix a bug where some buddies from your buddy list might not show up.
Affected non-English ICQ users the most.
* Send keepalives for all types of network connections. Will hopefully make
chat rooms more reliable.
MSN:
* Fix a bug that prevented adding buddies to your buddy list in certain
circumstances.
MXit:
* MXit plugin and reported client version now follow the libpurple version.
* Don't try to request profile information for non-user contacts.
* Allow Re-Invite for contacts in Deleted or Rejected state.
* Ensure we don't send packets too fast to the MXit server and trigger its
flood-detection mechanism. Also increased the internal packet queue to 32
packets.
XMPP:
* Fix building on platforms with an older glib (inadvertently broken in 2.7.10).
* Don't treat the on-join status storms as 'new arrivals'.
* Extend the /join command to support room JIDs, enabling you to join a room on
any server.
* Add support for receiving a limited amount of history when joining a room
(not currently supported by Pidgin and Finch).
Yahoo!/Yahoo! JAPAN:
* Fix CVE-2011-1091, denials of service caused by NULL pointer dereferences due
to improper handling of malformed YMSG packets.
Fix for SA43543 and update kindly provided by gls@
This is a major release, with a lot of bugs fixed and major new features.
Among the new features:
- 256 colors support, with unlimited number of nick colors
- irc proxy (relay plugin)
- redirection of IRC commands
- command /notify
- rmodifier plugin
- regular expressions for highlights
- color support for timestamp in chat buffer
- irc option to force color for some nicks
- share input line between buffers.
Upstream changes:
After ~5 years without a release, 0.5.10 is now available. This is actually just
0.5.9 with one security fix:
CVE-2011-0050: XSS in R param in nonjs interface
Thanks to Michael Brooks (Sitewatch) for discovering this.
pkgsrc changes:
- Update MASTER_SITES and HOMEPAGE to point to cgiirc.org
- Add LICENSE