This is a security release addressing CVE-2016-2851.
- Fix an integer overflow bug that can cause a heap buffer overflow (and
from there remote code execution) on 64-bit platforms
- Fix possible free() of an uninitialized pointer
- Be stricter about parsing v3 fragments
- Add a testsuite ("make check" to run it), but only on Linux for now,
since it uses Linux-specific features such as epoll
- Fix a memory leak when reading a malformed instance tag file
- Protocol documentation clarifications
We are pleased to announce the availability of Swift 3.0, an XMPP client
focused on usability and security.
It is our first release for 3 years and includes bug fixes and new features
like:
- File-transfer using Jingle File Transfer
- Simple continuation of 1-to-1 chats in group chats
- Keyword highlighting ( http://swift.im/blog/keyword-highlighting )
- Simple blocking of contacts using Blocking Command
- Compact roster setting that hides avatars and status messages
- Quick contact search filter in roster
- and more.
For the full changelog see https://swift.im/docs/changelog-3-0.html .
* 2.3.5 to 2.3.6 upgrade:
What changed:
- Support WebSocket fragmented packets
- Fixed delivering directed presence (to self)
- Reset in-sess 'from' to FullJID on non-Presence packets
This is mainly a bugfix release.
The main change is that WebSocket connections work stably now.
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.6
Telegram is a cloud-based instant messaging service. Telegram clients exist for
both mobile (Android, iOS, Windows Phone, Ubuntu Touch) and desktop systems
(Windows, OS X, Linux). Users can send messages and exchange photos, videos,
stickers and files of any type up to 1.5 GB in size. Telegram also provides
optional end-to-end encrypted messaging with self-destruct timers.
This package contains a libpurple protocol plugin that adds support for the
Telegram messenger.
* Fix PR pkg/50358 partially using dynamic python library.
However, if your system has python in /usr/bin and your current
working directory is not your home directory, your weechat
reads its library files and dies.
Changelog:
Among the new features:
- add a parent name in options, display inherited values if null in /set output
- add option weechat.look.paste_auto_add_newline
- add /fifo command
- track real names using extended-join and WHO (IRC)
- add support of SNI (Server Name Indication) in SSL connection to IRC server
- add support of IRC "cap-notify" capability
- add IRC command /cap
- add hex dump of messages in raw buffer when debug is enabled for irc plugin
- add option relay.irc.backlog_since_last_message
- add option script.scripts.download_timeout
- add scripts to build Debian packages
- many bugs fixed.
move requirement for cppunit to debug option
add db-update.pgsql, README.md
Updated to version 2.3.5
This file contains news, important changes
and upgrade instructions between different versions of jabberd2.
* 2.3.4 to 2.3.5 upgrade:
What changed:
- Module to verify users using e-mail
- Reordered MIO backends priority
- Skip non-existing blowfish i386 assembler code
- Use CSPRNG for dialback keys
- Allow presence probing own connections
- Use OpenSSL functions for base64 en/decoding when available
- Option to dump packet-filter matched packets to file
mod_verify requires CREATE TABLE "verify" in DB. Make sure you
created it before enabling the module in sm.xml.
MIO backends are prioritized from best to worst now, so if you
do not enforce a backend with ./configure it may change
in new build.
jabberd2 is now leaning strongly against OpenSSL. It is still
possible to use without, but not advisable.
Security
- mod_dialback: Adopt key generation algorithm from XEP-0185,
to prevent impersonation attacks (CVE-2016-0756)
Fixes and improvements
- Startup: Open /dev/urandom read-only, to fix a failure to start
on some systems (fixes #585)
- Networking: Improve handling of the 'select' network backend
running out of file descriptors
Minor changes
- Networking: Increase default internal read size to prevent
connections stalling with LuaEvent (see #583)
- DNS: Discard queries that failed to send due to connection
errors (fixes #598)
- c2s, s2s: Lower priority of shutdown handler, so that modules
such as MUC can always send shutdown notifications to (remote)
users (fixes #601)
Security fixes:
- Fix path traversal vulnerability in mod_http_files (CVE-2016-1231)
- Fix use of weak PRNG in generation of dialback secrets (CVE-2016-1232)
Bugs:
- Improve handling of CNAME records in DNS
- Fix traceback when deleting a user in some configurations
- MUC: restrict_room_creation could prevent users from joining rooms
- MUC: fix occasional dropping of iq stanzas sent privately between
occupants
- Fix a potential memory leak in mod_pep
Additions:
- Add http:list() command to telnet to view active HTTP services
- Simplify IPv4/v6 address selection code for outgoing s2s
- Add support for importing SCRAM hashes from ejabberd
Security
- Improve Dialback Key Generation and Validation support (XEP-0185)
- More generally, improve random number generator to avoid timing /
guessing attacks on any random value.
Database
- Use BLOB instead of TEXT on mysql in stanza storage
- Use UTF8MB4 character set in MySQL tables
- Make Riak work on Erlang R18
MAM
- Use stanza-id tags for deduplication
- Advertise MAM in disco info for account/room JID
- Improve MUC support
- Don't store resent messages
- Do not forget to include xmlns in mam prefs response (#859)
- Honor Message Processing Hints (XEP-0334)
MUC
- Add support for muc#roomconfig_presencebroadcast option
- Only filter rooms in Service Disco when more than 100 (EJAB-343)
- List in Service Disco non-empty rooms and provide Node for empty (EJAB-343)
- When user joins logged room, he must be warned (EJAB-726)
Pubsub
- Fix pubsub virtual nodetree plugin
- Use correct notification_type for last items (#827)
- PubSub plugin for online users only
- Disable use of multi-subscribe and subscription-option on standard
plugins
- Limit number of subscriptions per node and allow custom default node
configuration
- Don't force max_items_node to MAXITEMS if not defined
- Don't read pubsub options when plugin does not use them
Elixir
- Upgrade Elixir to v1.1.0
Admin
- Add plugin for passing extra erl_opts flags to deps, and use it
for hipe
- Add --enable-latest-deps to configure
- Remove "--enable-nif" flag
- New send_stanza command
- ejabberdctl: new --no-timeout flag
- ejabberdctl: Don't let "reopen_log" rotate files (EJAB-1243)
- ejabberdctl: Improve escaping of arguments passed to ejabberdctl
- OpenSSL minimum required version: raised from 0.9.8 to 1.0.0
Config
- New option accept_interval in ejabberd_listener
- Webadmin console visual refresh (EJAB-1142)
- If mod_register access_from is 'none', then don't advertise IBR (#857)
- Fix handling of some options in old style configs
- Fix parsing option trusted_proxies
- Fix ipv6 configuration processing (#803)
- ejabberd_service: simplify configuration: no need for 'hosts', just
provide 'password'
Cleanup and optimisations
- Faster string_to_jid/1 implementation
- Move JID related functions from jlib.erl to jid.erl (#847)
- Remove usage of erlang's now()
- Update dependency name from p1_cache_tab to cache_tab
- Use crypto:rand_uniform instead of random:uniform
- Fix randoms.erl on R17 that doesn't have random:seed(integer())
- Faster and more memory efficient XML parsing.
- Faster stringprep library.
Other changes
- ejabberd_http: Cope with large POST/PUT requests
- ejabberd_http: Log debug message on receive errors
- mod_offline: Discard chat states notifications
- mod_offline: Honor store hint
- mod_http_upload: various fixes
- XEP-0198: Fix stanza counting corner case issue
- Adding WEBIRC, custom realname & ident, ISO-8859-15
- Update Hebrew translation
gstreamer is not an option any longer.
version 2.10.12 (MM/DD/YY):
Windows-Specific Changes:
* Updates to dependencies:
* Cyrus SASL 2.1.26
* libxml2 2.9.2
* NSS 3.17.3 and NSPR 4.10.7
* Perl 5.20.1
* SILC 1.1.12
* Remove support for Tcl plugins
Gadu-Gadu:
* Updated internal libgadu to version 1.12.1.