0.11.7

Released: 2020-10-01

Summary

This is a security release for the 0.11.x stable branch. It is strongly recommended that all users upgrade to this release, especially those whose deployments have enabled mod_websocket.

As well as upgrading, we recommend that all public deployments review the c2s_stanza_size_limit and s2s_stanza_size_limit options and configure them to values they are comfortable with. The value is specified in bytes. The XMPP specification requires values to be at least 10000 bytes, but it also recommends against just setting the limit to 10000 bytes. We are working to obtain data on real-world stanza sizes in order to determine sensible defaults suitable for a future release.

Changes

Summary of all changes in this release:

Security

  • mod_websocket: Enforce size limits on received frames (fixes #1593)
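
What enforcing a size limit on received frames involves at the protocol level, shown as an added example that is not Prosody's code: an RFC 6455 frame header declares the payload length up front, so a receiver can refuse an oversized frame before buffering any of it. The function name, the limit value and the sample frames are assumptions made for illustration.

```lua
-- Added example, not Prosody source. Runs on Lua 5.1 and later.
-- MAX_FRAME_SIZE is a constructed value, not a Prosody default.
local MAX_FRAME_SIZE = 256 * 1024

-- Inspect the start of a WebSocket frame (RFC 6455, section 5.2).
-- Returns "incomplete" when more header bytes are needed,
-- "too-large", length when the declared payload exceeds the limit,
-- "ok", length, header_length otherwise.
local function check_frame_header(buffer, limit)
	if #buffer < 2 then return "incomplete" end
	local b2 = buffer:byte(2)
	local masked = b2 >= 128   -- MASK bit, set on client-to-server frames
	local length = b2 % 128    -- 7-bit payload length field
	local header_length = 2
	if length == 126 then      -- 16-bit extended length follows
		if #buffer < 4 then return "incomplete" end
		local hi, lo = buffer:byte(3, 4)
		length = hi * 256 + lo
		header_length = 4
	elseif length == 127 then  -- 64-bit extended length follows
		if #buffer < 10 then return "incomplete" end
		-- Accumulate as a float so Lua 5.3+ integers cannot wrap negative.
		length = 0.0
		for i = 3, 10 do
			length = length * 256 + buffer:byte(i)
		end
		header_length = 10
	end
	if masked then header_length = header_length + 4 end -- masking key
	-- Decide from the declared length alone, before buffering the payload.
	if length > limit then return "too-large", length end
	return "ok", length, header_length
end

-- Constructed sample headers (no payload bytes attached).
local samples = {
	{ "masked 5-byte text frame", string.char(0x81, 0x85) },
	{ "4096-byte binary frame", string.char(0x82, 0x7E, 0x10, 0x00) },
	{ "1 GiB declared length", string.char(0x82, 0x7F, 0, 0, 0, 0, 0x40, 0, 0, 0) },
	{ "truncated 64-bit header", string.char(0x82, 0x7F, 0, 0) },
}
for _, s in ipairs(samples) do
	print(s[1], check_frame_header(s[2], MAX_FRAME_SIZE))
end
```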

Fixes and improvements

  • mod_c2s, mod_s2s: Make stanza size limits configurable
  • Add configuration options to control Lua garbage collection parameters
  • net.http: Backport SNI support for outgoing HTTP requests (#409)
  • mod_websocket: Process all data in the buffer on close frame and connection errors (fixes #1474, #1234)
  • util.indexedbheap: Fix heap data structure corruption, causing some timers to fail after a reschedule (fixes #1572)

Download

As usual, download instructions for many platforms can be found on our download page.

If you have any questions, comments or other issues with this release, let us know!