jabberd-2.6.1 release

2017-07-01 Thread Tomasz Sterna
It is time for the next jabberd2 release.

Get the 2.6.1 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a security bugfix release.

Make sure to read the NEWS before upgrading:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.6.1/NEWS


This release fixes a bug allowing anyone to authenticate using SASL
ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled.

https://github.com/jabberd2/jabberd2/commits/jabberd-2.6.1







-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/




ANONYMOUS auth bug

2017-07-01 Thread Tomasz Sterna
The current 2.6.0 release has some kind of bug that allows ANONYMOUS login
even when sasl.anonymous is disabled in c2s.xml.

Yesterday I noticed that spammers are using this bug to send spam via
my server, using ANONYMOUS logins.

I am working on a fix.
This mail is to serve as a warning.

I've been able to work around this bug by disabling "auto-create" in
sm.xml, so the spammer can log in ANONYMOUS, but is not able to create
an SM session for a non-existent account.

Will keep you informed about the progress of the fix.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/