0.8.1 Release Notes

Released 2011-06-03

This is a security and bugfix release for the 0.8 branch. This release contains fixes for a couple of major issues, and it is strongly recommended that you upgrade.

Some of you may already be aware of the "billion laughs" denial-of-service attack, which was recently discovered to work against a number of XMPP servers. Due to an accidental oversight, the Prosody team was not notified before the issue was made public, so we have worked hard over the past couple of days to prepare this release as soon as we could.

In addition to upgrading Prosody, you MUST also upgrade the LuaExpat library to 1.2.0 to prevent the attack. This should hopefully be arriving in your distribution shortly; alternatively, it can be installed using luarocks. See here for details.

A summary of changes in this release:

  • Reject XML DTDs, comments and processing instructions, preventing the "billion laughs" attack
  • Switch to MEDIUMTEXT in the schema for MySQL to avoid truncating large data (such as large avatars)
  • Prosody automatically upgrades the table in-place if possible, see: http://prosody.im/doc/mysql
  • Fix for endless loop when parsing certain invalid JSON
  • Fix PostgreSQL compatibility in prosody-migrator
  • Fix timestamp parsing for DST (affecting MUC scrollback retrieval)
  • mod_legacyauth is now correctly disabled for unencrypted connections by default
  • Components properly inherit SSL settings and certificates from their 'parent' hosts
  • Prevent startup with no VirtualHost entries in the config file
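The first item above describes a parser-level policy: a DTD (with its entity declarations), a comment, or a processing instruction has no business appearing in an XMPP stream, so the stream parser should refuse the connection as soon as it meets one, before any entity expansion can happen. The following is an added example, not Prosody's own code or LuaExpat's, that applies the same policy on top of Python's expat bindings (the same underlying parser that LuaExpat wraps). The stream samples are constructed here for illustration; `check_stream_chunk` and `RejectedMarkup` are names chosen for this example.

```python
"""Hardened expat front-end mirroring the 0.8.1 policy of rejecting DTDs,
comments and processing instructions in an XMPP stream (added example)."""
import xml.parsers.expat


class RejectedMarkup(Exception):
    """Raised inside a handler the moment forbidden markup is seen; expat
    stops parsing and re-raises it from Parse()."""


def _make_parser():
    p = xml.parsers.expat.ParserCreate()

    # A <!DOCTYPE> is the only place entity declarations can live, so
    # refusing it up front closes the door on entity-expansion attacks.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedMarkup("DTD (<!DOCTYPE %s>)" % name)

    # Belt and braces: never let an entity declaration through either.
    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise RejectedMarkup("entity declaration %s" % name)

    def on_comment(data):
        raise RejectedMarkup("comment")

    # Note: the <?xml ...?> declaration at the start of a stream is NOT a
    # processing instruction to expat (it goes to XmlDeclHandler), so it
    # is still accepted.
    def on_pi(target, data):
        raise RejectedMarkup("processing instruction <?%s?>" % target)

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.CommentHandler = on_comment
    p.ProcessingInstructionHandler = on_pi
    return p


def check_stream_chunk(data):
    """Feed one chunk of an XMPP stream through a fresh hardened parser.
    isfinal=False because the root <stream:stream> element stays open for
    the lifetime of the connection.  Returns (accepted, reason)."""
    p = _make_parser()
    try:
        p.Parse(data, False)
    except RejectedMarkup as e:
        return (False, "rejected: %s" % e)
    except xml.parsers.expat.ExpatError as e:
        return (False, "malformed: %s" % e)
    return (True, "ok")


# Constructed sample traffic (not captured from a real server).
XML_DECL = "<?xml version='1.0'?>"
STREAM_HEADER = ("<stream:stream xmlns='jabber:client' "
                 "xmlns:stream='http://etherx.jabber.org/streams' "
                 "to='example.com'>")

SAMPLES = {
    "plain stanza": XML_DECL + STREAM_HEADER
                    + "<message><body>hello</body></message>",
    # A DTD with a single tiny entity: rejected at <!DOCTYPE>, before the
    # entity is ever declared, let alone expanded.
    "dtd": XML_DECL + "<!DOCTYPE stream [<!ENTITY x 'aa'>]>" + STREAM_HEADER
           + "<message><body>&x;</body></message>",
    "comment": XML_DECL + STREAM_HEADER + "<!-- hi --><message/>",
    "pi": XML_DECL + STREAM_HEADER + "<?xml-stylesheet href='x'?><message/>",
    "malformed": XML_DECL + STREAM_HEADER + "<a></b>",
}


if __name__ == "__main__":
    for name, chunk in SAMPLES.items():
        print("%-13s %s" % (name, check_stream_chunk(chunk)))
```

Each connection gets its own parser, which is what makes the reject-and-drop approach safe: once a handler has raised, that parser instance is discarded along with the connection. Newer libexpat releases (2.4.0 and later) additionally enforce an amplification limit on entity expansion, but refusing the DTD outright, as 0.8.1 does, is the simpler and stronger policy for a protocol that never needs one.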

Backporting

The changes in 0.8.1 have been limited to those important enough to be distributed to all users of 0.8.0. However, if you are a packager looking to backport only the urgent security fixes, these are the patches you need:

0.8

The last 2 issues above are specific to 0.8 and potentially allow remote DoS when combined.

0.7

0.6