0.9.8 Release Notes

Released: 2015-03-26

We are pleased to announce Prosody 0.9.8, the latest release of our stable 0.9 branch. This release contains mainly bug fixes, including an important security fix.

Note: If you are upgrading from 0.8.x or earlier, please read the 0.9.0 upgrade notes!

A summary of changes in this release:

High:

• Ensure only valid UTF-8 is passed to libidn. It was found (CVE-2015-2059) that libidn can read beyond the boundaries of the provided buffer when an input string contains invalid UTF-8 sequences.

Systems where Prosody is compiled to use libICU are not affected by this issue.

Medium:

• DNS: Fix traceback caused when DNS server IP is unroutable (issue 473)
• HTTP client: More robust handling of chunked encoding across packet boundaries
• Stanza router: Fix handling of 'error' <iq>'s with multiple children

Minor:

• c2s: Fix error reply when clients try to bind multiple resources on the same stream (issue 484)
• s2s: Ensure to/from attributes are always present on stream headers, even if empty (issue 468)
• Build scripts: Add –libdir option to ./configure to simplify building on some platforms
• Fix traceback in datamanager when used outside of Prosody (e.g. in some migration tools)
• mod_admin_telnet: Fix potential traceback in server:memory() command (issue 471)
• HTTP server: Improved debug logging

hg clone https://hg.prosody.im/0.9 prosody-0.9