FEDORA-EPEL-2015-6149 created by robert 8 years ago for Fedora EPEL 5

Prosody 0.9.8

A summary of changes in this release:


  • Ensure only valid UTF-8 is passed to libidn. It was found (CVE-2015-2059) that libidn can read beyond the boundaries of the provided buffer when an input string contains invalid UTF-8 sequences.

Systems where Prosody is compiled to use libICU are not affected by this issue.


  • DNS: Fix traceback caused when DNS server IP is unroutable (issue 473)
  • HTTP client: More robust handling of chunked encoding across packet boundaries
  • Stanza router: Fix handling of 'error' <iq>'s with multiple children


  • c2s: Fix error reply when clients try to bind multiple resources on the same stream (issue 484)
  • s2s: Ensure to/from attributes are always present on stream headers, even if empty (issue 468)
  • Build scripts: Add --libdir option to ./configure to simplify building on some platforms
  • Fix traceback in datamanager when used outside of Prosody (e.g. in some migration tools)
  • mod_admin_telnet: Fix potential traceback in server:memory() command (issue 471)
  • HTTP server: Improved debug logging

Prosody 0.9.7

A summary of changes in this release:

  • util.stanza: Don't XML-escape whitespace
  • prosodyctl: Fix traceback in 'about' command with LuaRocks 2.2.0

Prosody 0.9.6

Note: This release disables SSLv3 by default, which has been shown to be insecure when used by clients. Clients that only support SSLv3 will no longer be able to connect. There are not many of these nowadays, but they exist.

A summary of changes in this release:

  • certmanager, net.http: Disable SSLv3 by default
  • net.http.parser: Support status code 101 and allow handling of the received data by plugins
  • util.filters: Ignore filters being added twice (fixes issues on removal, i.e. when some plugins are reloaded/unloaded)
  • mod_s2s: Close offending s2s streams missing an 'id' attribute with a stream error instead of throwing an unhandled error
  • Networking API: Add 'ondetach' callback for listener objects, to prevent leaks when connections have their listener changed
  • core.stanza_router: Stricter validation of stanzas
  • mod_admin_adhoc: Mark 'accountjids' field as required in 'end user sessions' command (thanks Lloyd)
  • mod_admin_adhoc: Add required to field in user deletion form too
  • net.dns: Avoid duplicate cache entries
  • util.stanza: Escape newlines and tabs ( ) when serializing stanzas.
  • util/dataforms: Make sure we iterate over field tags only
  • mod_s2s: Capitalize log message
  • mod_pubsub: Fix error type of 'forbidden' (change from 'cancel' to 'auth')

Prosody 0.9.5

A summary of changes in this release:

  • C2S: Fix traceback if a client opens a stream to component, which could cause a crash in combination with some versions of LuaEvent
  • C2S, S2S: Log received invalid stream headers
  • S2S: Fix case where stream headers were sometimes sent twice
  • DNS: Ensure all pending requests get notified of a timeout when looking up a record
  • DNS: Fix duplicated cache insertions by limiting outstanding queries per name to one
  • xmppstream: Disable LuaExpat's buffering
  • xmppstream: Disable CharacterData merging after stream restarts
  • xmppstream: Pass invalid stream headers to error handling
  • Privacy lists: Correctly sort privacy list rules by order
  • prosody: Check dependencies later in the startup sequence
  • Config: Delay importing LuaFileSystem until needed by an Include line
  • Config: Normalize VirtualHost and Component names
  • prosodyctl: Normalize JIDs for adduser/passwd/deluser
  • POSIX: Fix error reporting from disk space allocation
  • POSIX: Verify that 'pidfile' is a string, show friendly error otherwise
  • Dependency checking: Check that prosody is running under Lua 5.1. We don't currently support any other versions. (LuaJIT identifies as 5.1)
  • Compliance: Reset stream ID when resetting stream
  • Compression: Log compression setup errors
  • Console: Fix commands for adding and replacing name servers
  • Console MUC commands: Fix error when a non-existent host is entered
  • Filters: Prevent filters from being added twice
  • Network: Transfer all available data between linked sockets
  • dataforms: Add support for XEP-0221: Data Forms Media Element

Prosody 0.9.4

A summary of changes in this release:

  • Compression: Disallow compression on unauthenticated streams
  • Core: Limit default read size and maximum stanza size
  • Core: Enable SASL EXTERNAL by default for component s2s
  • S2S: Warn if s2s_secure_auth and s2s_require_encryption have been set in conflicting ways
  • S2S: Warn if no local network addresses were found, preventing successful s2s
  • MUC: Fix traceback when a non-occupant tried to change an occupant's role
  • MUC: API: Fire an event when temporary rooms are destroyed after the last person leaves
  • Telnet: Fixed traceback when listing users
  • Telnet: Apply normalization to JIDs in user management commands
  • HTTP: Fix directory detection in file server on Windows
  • Plugins: Fix paths on Windows
  • MOTD: Don't strip blank lines from the message provided in the config
  • prosodyctl: Better error reporting when generating certificates
  • Makefile: Improve FreeBSD compatibility
  • Multiple fixes to our migration tools, and support for importing MUCs from ejabberd

Prosody 0.9.3

A summary of changes in this release:

  • A config file passed as command line argument is no longer forgotten when config is reloaded
  • MUC: Allow admins to always bypass restrict_room_creation
  • Strip trailing '.' when normalizing hostnames
  • HTTP: Prevent silent connection failures
  • Components: Alow easier overriding of component authentication by plugins
  • Components: Enable TCP keepalives
  • Migrator: Better error reporting and improved robustness
  • S2S: Include IP in log messages, if hostname is unavailable
  • TLS: Log error when initialization fails

Prosody 0.9.2

Note: If you are upgrading from 0.8.x or earlier, please read the 0.9.0 upgrade notes at!

A summary of changes in this release:

  • Debian/Ubuntu packages fixed to always generate per-system certs
  • TLS: Improved cipher string, and use Prosody's preferred ciphers instead of the client's
  • MUC: Fix for Spark clients not displaying room lists

For more details behind the security improvements, see the release announcement at

Prosody 0.9.1

Note: If you are upgrading from 0.8.x or earlier, please read the 0.9.0 upgrade notes at!

A summary of changes in this release:

  • Config: Fix the workaround for LuaSec 0.4.x to apply the ssl 'ciphers' option correctly
  • Config: Ability to specify the ssl 'dhparam' option simply as a path to a file, instead of a callback function
  • Windows: Fix s2s issues
  • Windows: Fix the ability to specify absolute paths to SSL certificates in the config
  • Build: Fix compilation issue on non-Linux systems that have glibc (such as Debian GNU/kFreeBSD)
  • API: Fix to our set library, that caused the :include() and :exclude() methods to behave incorrectly

Prosody 0.9.0

This release requires configuration changes to some existing Prosody installations, and breaks compatibility with some modules. Please read the section on upgrading below.

A summary of changes in this release:

  • IPv6 support for c2s, s2s and all other services (e.g. HTTP)
  • Server-to-server authentication using certificates (SASL EXTERNAL)
  • A new HTTP subsystem, supporting virtual hosts, and fully reloadable modules
  • Client and server connections are now handled by modules: mod_c2s, mod_s2s
  • mod_pubsub: Basic pubsub service (some features not yet implemented)
  • prosodyctl about - show information about a Prosody installation
  • prosodyctl cert - command to generate XMPP certificates and CSRs
  • Many very nice enhancements to our module API
  • MUC: Configurable per-room history length
  • MUC: Plugins can now extend the room configuration form

Upgrading from 0.8.x

Module compatibility

Prosody 0.9 breaks compatibility with some modules (something upstream very rarely does), by removing some APIs that have been replaced. All modules in prosody-modules should be working if you have the latest versions. Please let upstream know if you have any problems.

Upstream is also happy to help with the porting of other modules, it is usually quite straightforward.

The APIs that have been removed are:

  • net.connlisteners (used for opening ports), use the new API for network services.
  • net.httpserver (used by all modules accepting HTTP requests), use the new HTTP API.

Configuration changes

Due to the above, upstream has changed (for the better!) the config format for some things. If you encounter any issues not listed here then please, PLEASE let upstream know!

Upstream wants to help make the upgrade as smooth as possible for everyone, but upstream needs your help to report issues, even if you manage to work them out yourself.

HTTP configuration

All HTTP modules that had config options with names ending in '_ports' are replaced by new HTTP configuration. There are only two options for controlling HTTP ports now, http_ports and https_ports. These default to { 5280 } and { 5281 } respectively, and all HTTP modules can be accessed via both.

Also note that Prosody no longer ignores virtual hosts specified in requests! This could lead to some setups no longer working, especially where reverse proxies (such as an external web server forwarding requests) are involved. See our documentation on HTTP virtual hosts for more information.

Finally, mod_httpserver was renamed to mod_http_files to clarify that it is for serving static files only, and is unrelated to other Prosody HTTP services.

Port multiplexing

If you are using the ports or ssl_ports options, you now need to add "net_multiplex" to modules_enabled in your config file.


The disallow_s2s option has been deprecated, and in particular it no longer affects anonymous users, who are still prevented from sending stanzas to remote servers by default. To re-enable access to remote servers for anonymous users see Allowing anonymous users access to remote servers.


In previous versions mod_proxy65 allowed ports to be specified per-host. As of 0.9 this is no longer possible, proxy65_ports may only be set in the global section of the config file, like all other network and port configuration.

This update has been submitted for testing by robert.

8 years ago

This update is currently being pushed to the Fedora EPEL 5 testing updates repository.

8 years ago

This update has been pushed to testing

8 years ago

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

8 years ago

This update has been submitted for stable by robert.

8 years ago

This update is currently being pushed to the Fedora EPEL 5 stable updates repository.

8 years ago

This update has been pushed to stable

8 years ago

Please login to add feedback.

Content Type
Test Gating
Unstable by Karma
Stable by Karma
Stable by Time
8 years ago
in testing
8 years ago
in stable
8 years ago
BZ#985563 Logging, conf.d and log rotation
BZ#999473 Please package latest 0.9 release for EL6
BZ#1152126 prosody-0.9.8 is available

Automated Test Results