We are pleased to announce the release of Prosody 0.9.10.

This release fixes another dialback security issue. We strongly
encourage all Prosody servers to upgrade as soon as possible.
Successful exploitation of the issue allows an attacker to
impersonate your server on the XMPP network. A full security
advisory can be found at https://prosody.im/security/advisory-20160127/

Many thanks to Thijs Alkemade for discovering and reporting the issue.

We also have a number of other fixes and improvements made since 0.9.9.

A summary of changes since the previous release:
- mod_dialback: Adopt key generation algorithm from XEP-0185, to
  prevent impersonation attacks (CVE-2016-0756)

Fixes and improvements

- Startup: Open /dev/urandom read-only, to fix a failure to start on
  some systems (fixes #585)
- Networking: Improve handling of 'select' network backend running out
  of file descriptors
- Networking: Increase default internal read size to prevent
  connections stalling with LuaEvent (see #583)
- DNS: Discard queries that failed to send due to connection errors
- c2s, s2s: Lower priority of shutdown handler, so that modules such
  as MUC can always send shutdown notifications to (remote) users

As usual, download instructions for many platforms can be found on our
download page: https://prosody.im/download

If you have any questions, comments or other issues with this release,
let us know! https://prosody.im/discuss
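
The key generation adopted in the mod_dialback fix above, sketched as an added example in Python (not Prosody's own Lua code): XEP-0185 recommends deriving the dialback key as HMAC-SHA256 over the receiving domain, originating domain and stream ID, keyed with a hash of a server secret. The function names, sample domains, stream IDs and the hex encoding of the hashed secret are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Per-server secret: random, kept private, never sent over the wire.
SERVER_SECRET = secrets.token_bytes(32)


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Derive a dialback key bound to both domains and one stream."""
    # Assumption: the SHA-256 of the secret is used in hex-text form as the HMAC key.
    hmac_key = hashlib.sha256(secret).hexdigest().encode("ascii")
    # The three fields are joined with single spaces, in this order.
    message = f"{receiving} {originating} {stream_id}".encode("utf-8")
    return hmac.new(hmac_key, message, hashlib.sha256).hexdigest()


def verify_dialback_key(secret: bytes, receiving: str, originating: str,
                        stream_id: str, presented: str) -> bool:
    """Recompute the key for this exact (receiving, originating, stream) tuple
    and compare in constant time. Nothing needs to be stored per stream."""
    expected = dialback_key(secret, receiving, originating, stream_id)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real server.
    key = dialback_key(SERVER_SECRET, "xmpp.example.com", "example.org", "stream-0001")
    checks = {
        "same tuple": ("xmpp.example.com", "example.org", "stream-0001"),
        "other stream": ("xmpp.example.com", "example.org", "stream-0002"),
        "other originating domain": ("xmpp.example.com", "other.example", "stream-0001"),
        "domains swapped": ("example.org", "xmpp.example.com", "stream-0001"),
    }
    for label, (rcv, orig, sid) in checks.items():
        ok = verify_dialback_key(SERVER_SECRET, rcv, orig, sid, key)
        print(f"{label:26} -> {'valid' if ok else 'rejected'}")
```

Because the key is an HMAC over all three fields, a key issued for one stream or domain pair fails verification for any other, and only a holder of the server secret can produce a valid one.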