This release contains important fixes for two security issues recently discovered in Prosody. It also contains various other fixes and improvements we have made since 0.9.8. We strongly recommend that you upgrade your server as soon as possible.
Another important note is that for a number of reasons we have dropped Windows support with this release. If you are affected by this, please contact us directly via email at email@example.com.
A summary of changes:
Fix path traversal vulnerability in mod_http_files (CVE-2016-1231)
Fix use of weak PRNG in generation of dialback secrets (CVE-2016-1232)
Improve handling of CNAME records in DNS
Fix traceback when deleting a user in some configurations (issue #496)
MUC: restrict_room_creation could prevent users from joining rooms (issue #458)
MUC: fix occasional dropping of iq stanzas sent privately between occupants
Fix a potential memory leak in mod_pep
Add http:list() command to telnet to view active HTTP services
Simplify IPv4/v6 address selection code for outgoing s2s
Add support for importing SCRAM hashes from ejabberd
Add v0.9.9 to the tree, with KEYWORDS="~amd64 ~arm ~x86".
Will send to stabilization in 10 days unless there are bugs/objections.
(In reply to Tobias Klausmann from comment #1)
> Will send to stabilization in 10 days unless there are bugs/objections.
Based on it being a security fix and upstream recommending an upgrade "as soon as possible", could we expedite this please?
Arches, please test & mark stable:
Any concerns about expedited stable can be raised here or with me personally.
(In reply to Tony Vroon from comment #3)
> Arches, please test & mark stable:
> Any concerns about expedited stable can be raised here or with me personally.
I am an idiot and filed 571764 separately.
I have done the stabilization on amd64; x86 and arm are still open.
arm stable, all arches done.
The mod_dialback module in Prosody before 0.9.9 does not properly generate
random values for the secret token for server-to-server dialback
authentication, which makes it easier for attackers to spoof servers via a
brute force attack.
Directory traversal vulnerability in the HTTP file-serving module
(mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to
read arbitrary files via a .. (dot dot) in an unspecified path.
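The two CVE descriptions above name the bug classes but not what a correct implementation looks like. The following is an added example written for this bug entry, not Prosody's own code: it shows a request-path resolver that confines file serving to a web root (the defect class of CVE-2016-1231, including percent-encoded dot-dot and symlink escapes), and contrasts a dialback secret drawn from a seeded non-cryptographic PRNG with one drawn from the OS CSPRNG (the defect class of CVE-2016-1232). The `dialback_key` derivation follows the HMAC-SHA256 construction recommended in XEP-0220; the web root `/srv/www` and the request paths are constructed sample inputs, and none of the function names are Prosody's.

```python
import hashlib
import hmac
import os
import posixpath
import random
import secrets
from typing import Optional
from urllib.parse import unquote


# ---- CVE-2016-1231 bug class: static file handler that trusts '..' ----

def resolve_under_root(root: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path to a filesystem path confined to `root`.

    Returns the resolved absolute path, or None when the request would
    escape `root` via dot-dot segments (plain or percent-encoded), NUL
    bytes, or a symlink inside root that points outside it.
    """
    # Percent-decode first so '%2e%2e' is seen as '..'.
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    # Treat the request as relative to the web root regardless of leading '/'.
    relative = posixpath.normpath(decoded.lstrip("/"))
    # Lexical check: after normalisation nothing may climb above root.
    if relative == ".." or relative.startswith("../"):
        return None
    # Filesystem check: resolve symlinks and confirm containment.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


# ---- CVE-2016-1232 bug class: dialback secret from a weak PRNG ----

def weak_dialback_secret(seed: int, nbytes: int = 32) -> str:
    """Secret drawn from a seeded, non-cryptographic PRNG (the flawed pattern).

    Anyone who can guess `seed` (a startup timestamp, a PID) reproduces the
    secret exactly, so its apparent length gives no security.
    """
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def strong_dialback_secret(nbytes: int = 32) -> str:
    """Secret from the OS CSPRNG (the fixed pattern); 32 bytes = 256 bits."""
    return secrets.token_hex(nbytes)


def dialback_key(secret: str, receiving: str, originating: str, stream_id: str) -> str:
    """Dialback key as recommended in XEP-0220 (assumption: this construction):
    HMAC-SHA256 keyed with SHA256(secret) over 'receiving originating stream_id'.
    A strong secret makes the key unforgeable; a guessable secret does not.
    """
    key = hashlib.sha256(secret.encode()).digest()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample requests against a constructed web root.
    root = "/srv/www"
    for req in ["index.html", "static/../index.html", "../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "a\x00.txt"]:
        print(f"{req!r:32} -> {resolve_under_root(root, req)}")

    # Same seed, same secret: this is what makes the weak pattern spoofable.
    print(weak_dialback_secret(1234) == weak_dialback_secret(1234))
    print(strong_dialback_secret() != strong_dialback_secret())
    print(dialback_key(strong_dialback_secret(), "example.org", "example.com", "D60000229F"))
```

The lexical check alone is what a handler like the one in CVE-2016-1231 lacked; the `realpath` containment check is the second layer that also catches symlinks placed under the web root. On the PRNG side, the point is not the secret's length but its source: `random.Random` is fully determined by its seed, whereas `secrets` reads from the operating system's CSPRNG.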
Cleanup complete by maintainer:
GLSA Vote: No