Released: 2018-05-31


This is an important security release for our old stable branch. It fixes a cross-host authentication vulnerability, CVE-2018-10847.

The issue affects Prosody instances that have multiple virtual hosts (including anonymous authenticated hosts). All versions of Prosody before 0.9.14 and 0.10.2 are affected.

A full security advisory is available at https://prosody.im/security/advisory_20180531


Summary of all changes in this release:


  • mod_c2s: Do not allow the stream ‘to’ to change across stream restarts (fixes #1147)


There is no updated ‘prosody’ package for our 0.9 branch. If you installed from our repository, switch to the ‘prosody-0.9’ nightly package or upgrade the ‘prosody’ package to receive 0.10.2. If upgrading to 0.10 from 0.9, be sure to read the 0.10 upgrade notes.

If you installed Prosody from your distribution, you may expect updated packages from them (they were notified in advance of this release).

Nightly users: ensure you have at least builds 485 (0.10) or 294 (0.9) or 904 (trunk).

If you have any questions, comments or other issues with this release, let us know!