0.11.9

Released: 2021-05-12

Summary

This release addresses a number of important security issues that affect most deployments of Prosody. Full details are available in a separate security advisory. We recommend that all deployments upgrade or apply the mitigations described in the advisory.

Note: We have updated the default config file. Your package manager may warn you about this, and ask if you want to use the new file or keep your existing one. You should usually keep your existing one, but make sure you update it to enable mod_limits after the upgrade.

Changes

Summary of all changes in this release:

Security

  • mod_limits, prosody.cfg.lua: Enable rate limits by default
  • certmanager: Disable renegotiation by default
  • mod_proxy65: Restrict access to local c2s connections by default
  • util.startup: Set more aggressive defaults for GC
  • mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits
  • mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
  • mod_dialback: Remove dialback-without-dialback feature
  • mod_dialback: Use constant-time comparison with hmac

Minor changes

  • util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)
  • mod_c2s: Don’t throw errors in async code when connections are gone
  • mod_c2s: Fix traceback in session close when conn is nil
  • core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
  • mod_saslauth: Use a defined SASL error
  • MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info
  • mod_saslauth: Don’t throw errors in async code when connections are gone
  • mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub feature in disco)
  • prosodyctl check config: Add ‘gc’ to list of global options
  • prosodyctl about: Report libexpat version if known
  • util.xmppstream: Add API to dynamically configure the stanza size limit for a stream
  • util.set: Add is_set() to test if an object is a set
  • mod_http: Skip IP resolution in non-proxied case
  • mod_c2s: Log about missing conn on async state changes
  • util.xmppstream: Reduce internal default xmppstream limit to 1MB

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!