0.9.9 Release Notes

Released: 2016-01-08

This release contains important fixes for two security issues recently discovered in Prosody. It also contains various other fixes and improvements we have made since 0.9.8. We strongly recommend that you upgrade your server as soon as possible.

Another important note is that for a number of reasons we have dropped Windows support with this release. If you are affected by this, please contact us directly via email at .

A summary of changes:

Security fixes:

  • Fix path traversal vulnerability in mod_http_files (CVE-2016-1231)
  • Fix use of weak PRNG in generation of dialback secrets (CVE-2016-1232)


  • Improve handling of CNAME records in DNS
  • Fix traceback when deleting a user in some configurations (issue #496)
  • MUC: restrict_room_creation could prevent users from joining rooms (issue #458)
  • MUC: fix occasional dropping of iq stanzas sent privately between occupants
  • Fix a potential memory leak in mod_pep


  • Add http:list() command to telnet to view active HTTP services
  • Simplify IPv4/v6 address selection code for outgoing s2s
  • Add support for importing SCRAM hashes from ejabberd
  • Support for IPv6 DNS resolvers in resolv.conf (issue #352)


As usual, download instructions for many platforms can be found on our download page: https://prosody.im/download

If you have any questions, comments or other issues with this release, let us know! https://prosody.im/discuss


For packages, please see our download page.


You can grab a tarball of prosody-0.9.9.tar.gz (OpenPGP signed), or grab the latest 0.9 source from Mercurial with:

hg clone https://hg.prosody.im/0.9 prosody-0.9

More information on dealing with Prosody's source can be found at these links: