Revisions of prosody
Ana Guerrero (anag+factory)
accepted
request 1115621
from
Michael Vetter (jubalh)
(revision 37)
- Lua 5.1 is deprecated, switch to 5.4.
- Stop packaging example keys and certificates. It is bad security practice and the examples sometimes interfere with actual configurations.
- Drop prosody-lua51coexist.patch
- Add prosody-lua54coexist.patch
Ana Guerrero (anag+factory)
accepted
request 1109423
from
Michael Vetter (jubalh)
(revision 36)
- Update to 0.12.4:
  * core.certmanager: Update Mozilla TLS config to version 5.7
  * util.error: Fix error on conversion of invalid error stanza #1805
  * util.array: Fix new() library function
  * util.array: Expose new() on module table
  * prosodyctl: Fix output of error messages containing ‘%’
  * util.prosodyctl.check: Correct suggested replacement for ‘disallow_s2s’
  * util.prosodyctl.check: Allow same config syntax variants as in Prosody for some options #896
  * util.prosodyctl.check: Fix error where hostname can’t be turned into A label
  * util.prosodyctl.check: Hint about the ‘external_addresses’ config option
  * util.prosodyctl.check: Suggest ‘http_cors_override’ instead of older CORS settings
  * util.prosodyctl.check: Validate format of module list options
  * mod_websocket: Add a ‘pre-session-close’ event #1800
  * mod_smacks: Fix stray watchdog closing sessions
  * mod_csi_simple: Disable revert-to-inactive timer when going to active mode
  * mod_csi_simple: Clear delayed active mode timer on disable
  * mod_admin_shell: Fix display of remote cert status when expired etc
  * mod_smacks: Replace existing watchdog when starting hibernation
  * mod_http: Fix error if ‘access_control_allow_origins’ is set
  * mod_pubsub: Send correct ‘jid’ attribute in disco#items
  * mod_http: Unhook CORS handlers only if active to fix an error #1801
  * mod_s2s: Add event where resolver for s2sout can be tweaked
Dominique Leuenberger (dimstar_suse)
accepted
request 1067095
from
Michael Vetter (jubalh)
(revision 35)
- Update to 0.12.3:
  Fixes and improvements:
  * mod_storage_sql: Don’t avoid initialization under prosodyctl (fix #1787: mod_storage_sql changes (d580e6a57cbb) breaks prosodyctl)
  * mod_storage_sql: Fix for breaking change in certain MySQL versions (#1639)
  * prosodyctl check dns: Check for Direct TLS SRV records even if not configured (#1793)
  Minor changes:
  * mod_websocket: Fire pre-session-close event (fixes #1800: mod_websocket: cleanly-closed sessions are hibernated by mod_smacks)
  * sessionmanager: Mark session as destroyed to prevent reentry (fixes #1781)
  * mod_admin_socket: Return error on unhandled input to prevent apparent freeze
  * configure: Fix quoting of $LUA_SUFFIX (thanks shellcheck/Zash)
  * net.http.parser: Improve handling of responses without content-length
  * net.http.parser: Fix off-by-one error in chunk parser
  * net.http.server: Add new API to get HTTP request from a connection
  * net.http.server: Fix double close of file handle in chunked mode with opportunistic writes (#1789)
  * util.prosodyctl.shell: Close state on exit to fix saving shell history
  * mod_invites: Prefer landing page over xmpp URI in shell command
  * mod_muc_mam: Add mam#extended form fields #1796
  * mod_muc_mam: Copy “include total” behavior from mod_mam
  * util.startup: Close state on exit to ensure GC finalizers are called
Dominique Leuenberger (dimstar_suse)
accepted
request 1061057
from
Matej Cepl (mcepl)
(revision 33)
Forwarded request #1060926 from michals
- Opencode %make_build to prevent build failure when not defined.
Dominique Leuenberger (dimstar_suse)
accepted
request 1042817
from
Michael Vetter (jubalh)
(revision 32)
- Update to 0.12.2:
  Fixes and improvements:
  * util.stanza: Allow U+7F when constructing stanzas
  * net.unbound: Preserve built-in defaults and Prosody’s settings for luaunbound (fixes #1763: luaunbound not reading resolv.conf)
  * mod_smacks: Disable not implemented resumption behavior on s2s
  * mod_http: Allow disabling CORS in the http_cors_override option and by default
  Minor changes:
  * util.json: Accept empty arrays with whitespace (fixes #1782: util.json fails to parse empty array with whitespace)
  * util.stanza: Adjust number of return values to handle change in dependency of test suite (fix test with luassert >=1.9)
  * util.startup: Ensure import() is available in prosodyctl
  * mod_storage_sql: Fix initialization when called from prosodyctl
  * mod_storage_sql: Fix the summary API with Postgres (#1766)
  * mod_admin_shell: Fixes for showing data related to disconnected sessions (fixes #1777)
  * core.s2smanager: Don’t remove unrelated session on close of bidi session
  * mod_smacks: Don’t send redundant requests for acknowledgement (#1761)
  * mod_admin_shell: Rename commands user:roles() to user:setroles() and user:showroles() to user:roles()
  * mod_smacks: Bounce unhandled stanzas from local origin (fix #1759)
  * mod_bookmarks: Reduce log level of message about not having any bookmarks
  * mod_s2s: Fix firing buffer drain events
  * mod_http_files: Log warning about legacy modules using mod_http_files
  * util.startup: Wait for last shutdown steps
  * util.datamapper: Improve handling of schemas with non-obvious “type”
  * util.jsonschema: Fix validation to not assume presence of “type” field
  * util.jsonschema: Use same integer/float logic on Lua 5.2 and 5.3
Dominique Leuenberger (dimstar_suse)
accepted
request 981547
from
Michael Vetter (jubalh)
(revision 31)
- Update to 0.12.1:
  Fixes and improvements:
  * mod_http (and dependent modules): Make CORS opt-in by default (#1731)
  * mod_http: Reintroduce support for disabling or limiting CORS (#1730)
  * net.unbound: Disable use of hosts file by default (fixes #1737)
  * MUC: Allow kicking users with the same affiliation as the kicker (fixes #1724 and improves Jitsi Meet compatibility)
  * mod_tombstones: Add caching to improve performance on busy servers (fixes #1728: mod_tombstone: inefficient I/O with internal storage)
  Minor changes:
  * prosodyctl check config: Report paths of loaded configuration files (#1729)
  * prosodyctl about: Report version of lua-readline
  * prosodyctl: check config: Skip bare JID components in orphan check
  * prosodyctl: check turn: Fail with error if our own address is supplied for the ping test
  * prosodyctl: check turn: warn about external port mismatches behind NAT
  * mod_turn_external: Update status and friendlier handling of missing secret option (#1727)
  * prosodyctl: Pass server when listing (outdated) plugins (fix #1738: prosodyctl list --outdated does not handle multiple versions of a module)
  * util.prosodyctl: check turn: ensure a result is always returned from a check (thanks eTaurus)
  * util.prosodyctl: check turn: Report lack of TURN services as a problem #1749
  * util.random: Ensure that native random number generator works before using it, falling back to /dev/urandom (#1734)
  * mod_storage_xep0227: Fix mapping of nodes without explicit configuration
  * mod_admin_shell: Fix error in ‘module:info()’ when statistics is not enabled (#1754)
  * mod_admin_socket: Compat for luasocket prior to unix datagram support
  * mod_admin_socket: Improve error reporting when socket can’t be created (#1719)
  * mod_cron: Record last time a task runs to ensure correct intervals (#1751)
  * core.moduleapi, core.modulemanager: Fix internal flag affecting logging in some global modules, like mod_http (#1736, #1748)
  * core.certmanager: Expand debug messages about cert lookups in index
  * configmanager: Clearer errors when providing unexpected values after VirtualHost (#1735)
  * mod_storage_xep0227: Support basic listing of PEP nodes in absence of pubsub#admin data
  * mod_storage_xep0227: Handle missing {pubsub#owner}pubsub element (fixes #1740: mod_storage_xep0227 tracebacks reading non-existent PEP store)
  * mod_storage_xep0227: Fix conversion of SCRAM into internal format (#1741)
  * mod_external_services: Move error message to correct place (fix #1725: mod_external_services: Misplaced textual error message)
Dominique Leuenberger (dimstar_suse)
accepted
request 962612
from
Michael Vetter (jubalh)
(revision 30)
- Update to 0.12.0:
  Modules:
  * mod_mimicking: Prevent address spoofing
  * mod_s2s_bidi: Bi-directional server-to-server connections (XEP-0288)
  * mod_external_services: Generic XEP-0215 support
  * mod_turn_external: Easy setup of XEP-0215 for STUN/TURN for audio/video calls
  * mod_http_file_share: File sharing via HTTP (XEP-0363)
  * mod_http_openmetrics: Expose metrics to Prometheus and compatible monitoring systems
  * mod_smacks: Stream management and resumption (XEP-0198)
  * mod_auth_ldap: LDAP authentication
  * mod_cron: One module to rule all the periodic tasks
  * mod_admin_shell: New home of the Console admin interface
  * mod_admin_socket: Enable secure connections to the Console
  * mod_tombstones: Prevent re-registration of deleted accounts
  * mod_invites: Create and manage invites
  * mod_invites_register: Allow registering accounts using invites
  * mod_invites_adhoc: Create invites via ad-hoc command
  * mod_bookmarks: Synchronise open rooms between clients
  Security and authentication:
  * Unencrypted HTTP port (5280) restricted to loopback by default
  * require_encryption options default to ‘true’ if unspecified
  * Authentication module defaults to ‘internal_hashed’ if unspecified
  * SNI support (including automatic certificate selection)
  * ALPN support in mod_net_multiplex
  * DANE support in low-level network layer
  * Direct TLS support (c2s and s2s)
  * SCRAM-SHA-256
  * Direct TLS (including https) certificates are now updated on reload
  * Pluggable authorization providers (mod_authz_*)
  * Easy use of Mozilla TLS recommendations presets
Dominique Leuenberger (dimstar_suse)
accepted
request 956330
from
Michael Vetter (jubalh)
(revision 29)
Dominique Leuenberger (dimstar_suse)
accepted
request 949722
from
Michael Vetter (jubalh)
(revision 28)
- Update to 0.11.13:
  * util.xml: Break reference to help the GC (fixes #1711)
  * util.xml: Deduplicate handlers for restricted XML
Dominique Leuenberger (dimstar_suse)
accepted
request 946206
from
Michael Vetter (jubalh)
(revision 27)
- Update to 0.11.12:
  * util.xml: Do not allow doctypes, comments or processing instructions (CVE-2022-0217)
Dominique Leuenberger (dimstar_suse)
accepted
request 943791
from
Michael Vetter (jubalh)
(revision 26)
- Update to 0.11.11:
  Fixes and improvements:
  * net.server_epoll: Prioritize network events over timers to improve performance under heavy load
  * mod_pep: Add some memory usage limits
  * mod_pep: Prevent creation of services for non-existent users
  * mod_pep: Free resources on user deletion (needed a restart previously)
  Minor changes:
  * mod_pep: Free resources on reload
  * mod_c2s: Indicate stream secure state in error text when no stream features to offer
  * MUC: Fix logic for access to affiliation lists
  * net.server_epoll: Improvements to shutdown procedure #1670
  * net.server_epoll: Fix potential issue with rescheduling of timers
  * prosodyctl: Fix to ensure LuaFileSystem is loaded when needed
  * util.startup: Fix handling of unknown command line flags (e.g. -h)
  * Fix version number reported as ‘unknown’ on *BSD
Dominique Leuenberger (dimstar_suse)
accepted
request 926793
from
Michael Vetter (jubalh)
(revision 25)
Richard Brown (RBrownSUSE)
accepted
request 912424
from
Michael Vetter (jubalh)
(revision 24)
- Update to 0.11.10:
  Security:
  * MUC: Fix logic for access to affiliation lists CVE-2021-37601 https://prosody.im/security/advisory_20210722/
  Minor changes:
  * prosodyctl: Add ‘limits’ to known globals to warn about misplacing it
  * util.ip: Fix netmask for link-local address range
  * mod_pep: Remove obsolete node restoration code
  * util.pubsub: Fix traceback if node data not initialized
- Update is related to: bsc#1188976 CVE-2021-37601
Dominique Leuenberger (dimstar_suse)
accepted
request 893045
from
Michael Vetter (jubalh)
(revision 23)
- Update to 0.11.9:
  Security:
  * mod_limits, prosody.cfg.lua: Enable rate limits by default
  * certmanager: Disable renegotiation by default
  * mod_proxy65: Restrict access to local c2s connections by default
  * util.startup: Set more aggressive defaults for GC
  * mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits
  * mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
  * mod_dialback: Remove dialback-without-dialback feature
  * mod_dialback: Use constant-time comparison with hmac
  Minor changes:
  * util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)
  * mod_c2s: Don’t throw errors in async code when connections are gone
  * mod_c2s: Fix traceback in session close when conn is nil
  * core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
  * mod_saslauth: Use a defined SASL error
  * MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info
  * mod_saslauth: Don’t throw errors in async code when connections are gone
  * mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub feature in disco)
  * prosodyctl check config: Add ‘gc’ to list of global options
  * prosodyctl about: Report libexpat version if known
  * util.xmppstream: Add API to dynamically configure the stanza size limit for a stream
  * util.set: Add is_set() to test if an object is a set
  * mod_http: Skip IP resolution in non-proxied case
  * mod_c2s: Log about missing conn on async state changes
  * util.xmppstream: Reduce internal default xmppstream limit to 1MB
- Relevant: https://prosody.im/security/advisory_20210512
  * boo#1186027: Prosody XMPP server advisory 2021-05-12
  * CVE-2021-32919
  * CVE-2021-32917
Dominique Leuenberger (dimstar_suse)
accepted
request 872807
from
Michael Vetter (jubalh)
(revision 22)
- Update to 0.11.8:
  Security:
  * mod_saslauth: Disable ‘tls-unique’ channel binding with TLS 1.3 (#1542)
  Fixes and improvements:
  * net.websocket.frames: Improve websocket masking performance by using the new util.strbitop
  * util.strbitop: Library for efficient bitwise operations on strings
  Minor changes:
  * MUC: Correctly advertise whether the subject can be changed (#1155)
  * MUC: Preserve disco ‘node’ attribute (or lack thereof) in responses (#1595)
  * MUC: Fix logic bug causing unnecessary presence to be sent (#1615)
  * mod_bosh: Fix error if client tries to connect to component (#425)
  * mod_bosh: Pick out the ‘wait’ before checking it instead of earlier
  * mod_pep: Advertise base PubSub feature (#1632)
  * mod_pubsub: Fix notification stanza type setting (#1605)
  * mod_s2s: Prevent keepalives before client has established a stream
  * net.adns: Fix bug that sent empty DNS packets (#1619)
  * net.http.server: Don’t send Content-Length on 1xx/204 responses (#1596)
  * net.websocket.frames: Fix length calculation bug (#1598)
  * util.dbuffer: Make length API in line with Lua strings
  * util.dbuffer: Optimize substring operations
  * util.debug: Fix locals being reported under wrong stack frame in some cases
  * util.dependencies: Fix check for Lua bitwise operations library (#1594)
  * util.interpolation: Fix combination of filters and fallback values #1623
  * util.promise: Preserve tracebacks
  * util.stanza: Reject ASCII control characters (#1606)
  * timers: Ensure timers can’t block other processing (#1620)
Dominique Leuenberger (dimstar_suse)
accepted
request 839107
from
Michael Vetter (jubalh)
(revision 21)
- Update to 0.11.7:
  Security:
  * mod_websocket: Enforce size limits on received frames (fixes #1593)
  Fixes and improvements:
  * mod_c2s, mod_s2s: Make stanza size limits configurable
  * Add configuration options to control Lua garbage collection parameters
  * net.http: Backport SNI support for outgoing HTTP requests (#409)
  * mod_websocket: Process all data in the buffer on close frame and connection errors (fixes #1474, #1234)
  * util.indexedbheap: Fix heap data structure corruption, causing some timers to fail after a reschedule (fixes #1572)
Dominique Leuenberger (dimstar_suse)
accepted
request 833724
from
Michael Vetter (jubalh)
(revision 20)
- Update to 0.11.6:
  Fixes and improvements:
  * mod_storage_internal: Fix error in time limited queries on items without ‘when’ field, fixes #1557
  * mod_carbons: Fix handling of incoming MUC PMs #1540
  * mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important
  * mod_http_files: Avoid using inode in etag, fixes #1498: Fail to download file on FreeBSD
  * mod_admin_telnet: Create a DNS resolver per console session (fixes #1492: Telnet console DNS commands reduced usefulness)
  * core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
  * mod_s2s: Escape invalid XML in logging (same way as mod_c2s) (fixes #1574: Invalid XML input on s2s connection is logged unescaped)
  * mod_muc: Allow control over the server-admins-are-room-owners feature (see #1174)
  * mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552: MUC MAM may strip its own archive id)
  * mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam does not strip spoofed stanza ids
  * mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547: mod_muc_mam does not advertise stanza-id
  Minor changes:
  * net.http API: Add request:cancel() method
  * net.http API: Fix traceback on invalid URL passed to request()
  * MUC: Persist affiliation_data in new MUC format
  * mod_websocket: Fire event on session creation (thanks Aaron van Meerten)
  * MUC: Always include ‘affiliation’/‘role’ attributes, defaulting to ‘none’ if nil
  * mod_tls: Log when certificates are (re)loaded
  * mod_vcard4: Report correct error condition (fixes #1521: mod_vcard4 reports wrong error)
  * net.http: Re-expose destroy_request() function (fixes unintentional API breakage)
  * net.http.server: Strip port from Host header in IPv6 friendly way (fix #1302)
  * util.prosodyctl: Tell prosody to daemonize via command line flag (fixes #1514)
  * SASL: Apply saslprep where necessary, fixes #1560: Login fails if password contains special chars
  * net.http.server: Fix reporting of missing Host header
  * util.datamanager API: Fix iterating over “users” (thanks marc0s)
  * net.resolvers.basic: Default conn_type to ‘tcp’ consistently if unspecified (thanks marc0s)
  * mod_storage_sql: Fix check for deletion limits (fixes #1494)
  * mod_admin_telnet: Handle unavailable cipher info (fixes #1510: mod_admin_telnet backtrace)
Dominique Leuenberger (dimstar_suse)
accepted
request 788427
from
Michael Vetter (jubalh)
(revision 19)
- Update to 0.11.5:
  Fixes and improvements:
  * prosody / mod_posix: Support for command-line flags to override ‘daemonize’ config option
  Minor changes:
  * mod_websocket: Clear mask bit when reflecting ping frames (fixes #1484: Websocket masks pong answer)