We are pleased to announce Prosody 0.9.8, the latest release of our stable 0.9 branch. This release contains mainly bug fixes, including an important security fix.
Note: If you are upgrading from 0.8.x or earlier, please read the 0.9.0 upgrade notes!
A summary of changes in this release:
Ensure only valid UTF-8 is passed to libidn. It was found (CVE-2015-2059
) that libidn can read beyond the boundaries of the provided buffer when an input string contains invalid UTF-8 sequences.
Systems where Prosody is compiled to use libICU are not affected by this issue.
c2s: Fix error reply when clients try to bind multiple resources on the same stream (issue 484)
s2s: Ensure to/from attributes are always present on stream headers, even if empty (issue 468)
Build scripts: Add –libdir option to ./configure to simplify building on some platforms
Fix traceback in datamanager when used outside of Prosody (e.g. in some migration tools)
mod_admin_telnet: Fix potential traceback in server:memory() command (issue 471)
HTTP server: Improved debug logging
You can grab a tarball of prosody-0.9.8.tar.gz (OpenPGP signed), or grab the latest 0.9 source from Mercurial with:
hg clone https://hg.prosody.im/0.9 prosody-0.9
More information on dealing with Prosody's source can be found at these links: