0.9.8 Release Notes

Released: 2015-03-26

We are pleased to announce Prosody 0.9.8, the latest release of our stable 0.9 branch. This release contains mainly bug fixes, including an important security fix.

Note: If you are upgrading from 0.8.x or earlier, please read the 0.9.0 upgrade notes!

A summary of changes in this release:

High:

  • Ensure only valid UTF-8 is passed to libidn. It was found (CVE-2015-2059) that libidn can read beyond the boundaries of the provided buffer when an input string contains invalid UTF-8 sequences.

Systems where Prosody is compiled to use libICU are not affected by this issue.

Medium:

  • DNS: Fix traceback caused when DNS server IP is unroutable (issue 473)
  • HTTP client: More robust handling of chunked encoding across packet boundaries
  • Stanza router: Fix handling of 'error' <iq>'s with multiple children

Minor:

  • c2s: Fix error reply when clients try to bind multiple resources on the same stream (issue 484)
  • s2s: Ensure to/from attributes are always present on stream headers, even if empty (issue 468)
  • Build scripts: Add --libdir option to ./configure to simplify building on some platforms
  • Fix traceback in datamanager when used outside of Prosody (e.g. in some migration tools)
  • mod_admin_telnet: Fix potential traceback in server:memory() command (issue 471)
  • HTTP server: Improved debug logging

Download

For packages, please see our download page.

Source

You can grab a tarball of prosody-0.9.8.tar.gz (OpenPGP signed), or grab the latest 0.9 source from Mercurial with:

hg clone https://hg.prosody.im/0.9 prosody-0.9

More information on dealing with Prosody's source can be found at these links: