See upstream's blog post at https://blog.prosody.im/prosody-0-10-2-security-release/ for a full overview of the release changes.
Prosody 0.10.2 fixes a cross-host authentication vulnerability, CVE-2018-10847. The issue affects Prosody instances that have multiple virtual hosts (including anonymous authenticated hosts). All versions of Prosody before 0.9.14 and 0.10.2 are affected. A full security advisory is available at https://prosody.im/security/advisory_20180531
- mod_c2s: Do not allow the stream ‘to’ to change across stream restarts (fixes #1147)
- mod_websocket: Store the request object on the session for use by other modules (fixes #1153)
- mod_c2s: Avoid concatenating potential nil value (fixes #753)
- core.certmanager: Allow all non-whitespace in service name (fixes #1019)
- mod_disco: Skip code specific to disco on user accounts (avoids invoking usermanager, fixes #1150)
- mod_bosh: Store the normalized hostname on session (fixes #1151)
- MUC: Fix error logged when no persistent rooms present (fixes #1154)
- Changed log rotation from weekly/52 to local system defaults
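The mod_c2s fix above is the one that closes CVE-2018-10847: once a client stream has been opened against one VirtualHost, a later stream restart (after STARTTLS or SASL) must not be allowed to name a different host, otherwise a session authenticated on one host could end up bound to another. The following Python model is an added illustration of that invariant, not Prosody's own code (Prosody is written in Lua). The `ClientSession` class, the two-host configuration, the `pin_host` switch that reproduces the pre-fix behaviour, and the choice of `not-authorized` as the stream error condition are all constructed for this example.

```python
"""Model of the stream-restart host check that Prosody 0.10.2 adds in mod_c2s.

Added example, not Prosody code. A real XMPP stream header is left open
(`<stream:stream ...>`); the constructed headers here are self-closed so that
ElementTree can parse them in isolation.
"""
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"

# Constructed multi-VirtualHost deployment (assumption): one normal host and
# one anonymous host, the combination the advisory describes as affected.
VIRTUAL_HOSTS = {
    "example.com": {"authentication": "internal_hashed"},
    "anon.example.com": {"authentication": "anonymous"},
}


class StreamError(Exception):
    """An RFC 6120 stream error condition that would close the session."""

    def __init__(self, condition):
        super().__init__(condition)
        self.condition = condition


class ClientSession:
    def __init__(self, pin_host=True):
        self.host = None        # VirtualHost this session is bound to
        self.restarts = 0       # number of stream headers seen
        self.pin_host = pin_host  # False reproduces the pre-0.10.2 behaviour

    def open_stream(self, header_xml):
        """Handle a <stream:stream> header; returns the host the session is bound to."""
        header = ET.fromstring(header_xml)
        if header.tag != "{%s}stream" % STREAMS_NS:
            raise StreamError("invalid-namespace")
        to = header.get("to")
        if not to:
            raise StreamError("improper-addressing")
        # Simplified normalization (real code would apply nameprep).
        to = to.lower()
        if to not in VIRTUAL_HOSTS:
            raise StreamError("host-unknown")

        if self.host is None:
            # First header: bind the session to the requested host.
            self.host = to
        elif to != self.host:
            if self.pin_host:
                # Fixed behaviour: the 'to' may not change across restarts.
                raise StreamError("not-authorized")
            # Pre-fix behaviour: the session silently moves to another host,
            # carrying whatever authentication state it already has.
            self.host = to
        self.restarts += 1
        return self.host


def stream_header(to):
    """Build a constructed, self-closed client stream header naming `to`."""
    return ('<stream:stream xmlns="jabber:client" xmlns:stream="%s" '
            'to="%s" version="1.0"/>' % (STREAMS_NS, to))


def simulate(pin_host):
    """Open a stream to the anonymous host, then restart it naming the other host.

    Returns (host the session ends up bound to, stream error condition or None).
    """
    session = ClientSession(pin_host=pin_host)
    session.open_stream(stream_header("anon.example.com"))
    try:
        session.open_stream(stream_header("example.com"))
    except StreamError as err:
        return session.host, err.condition
    return session.host, None


def same_host_restart():
    """A restart that repeats the original host is allowed and counted."""
    session = ClientSession()
    session.open_stream(stream_header("example.com"))
    session.open_stream(stream_header("Example.COM"))
    return session.host, session.restarts


if __name__ == "__main__":
    print("fixed:     ", simulate(pin_host=True))
    print("pre-fix:   ", simulate(pin_host=False))
    print("same host: ", same_host_restart())
```

With `pin_host=True` the second header is rejected and the session stays bound to `anon.example.com`; with `pin_host=False` the same exchange quietly rebinds the session to `example.com`, which is the cross-host condition the release fixes. The `host-unknown` branch is the ordinary check for a `to` that names no configured VirtualHost, which by itself never prevented the host from changing on restart.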