Changelog for prosody-0.12.4-3.3.x86_64.rpm:
* Mon Feb 05 2024 Benoît Monin
- add provides group(prosody) for rpm 4.19 (boo#1219648)
* Wed Sep 27 2023 Reinhard Max
- Lua 5.1 is deprecated, switch to 5.4.
- Stop packaging example keys and certificates. It is bad security practice and the examples sometimes interfere with actual configurations.
- Drop prosody-lua51coexist.patch
- Add prosody-lua54coexist.patch
* Thu Sep 07 2023 Michael Vetter
- Update to 0.12.4:
* core.certmanager: Update Mozilla TLS config to version 5.7
* util.error: Fix error on conversion of invalid error stanza #1805
* util.array: Fix new() library function
* util.array: Expose new() on module table
* prosodyctl: Fix output of error messages containing ‘%’
* util.prosodyctl.check: Correct suggested replacement for ‘disallow_s2s’
* util.prosodyctl.check: Allow same config syntax variants as in Prosody for some options #896
* util.prosodyctl.check: Fix error where hostname can’t be turned into A label
* util.prosodyctl.check: Hint about the ‘external_addresses’ config option
* util.prosodyctl.check: Suggest ‘http_cors_override’ instead of older CORS settings
* util.prosodyctl.check: Validate format of module list options
* mod_websocket: Add a ‘pre-session-close’ event #1800
* mod_smacks: Fix stray watchdog closing sessions
* mod_csi_simple: Disable revert-to-inactive timer when going to active mode
* mod_csi_simple: Clear delayed active mode timer on disable
* mod_admin_shell: Fix display of remote cert status when expired etc
* mod_smacks: Replace existing watchdog when starting hibernation
* mod_http: Fix error if ‘access_control_allow_origins’ is set
* mod_pubsub: Send correct ‘jid’ attribute in disco#items
* mod_http: Unhook CORS handlers only if active to fix an error #1801
* mod_s2s: Add event where resolver for s2sout can be tweaked
* Wed Feb 22 2023 Michael Vetter
- Update to 0.12.3:
Fixes and improvements:
* mod_storage_sql: Don’t avoid initialization under prosodyctl (fix #1787: mod_storage_sql changes (d580e6a57cbb) breaks prosodyctl)
* mod_storage_sql: Fix for breaking change in certain MySQL versions (#1639)
* prosodyctl check dns: Check for Direct TLS SRV records even if not configured (#1793)
Minor changes:
* mod_websocket: Fire pre-session-close event (fixes #1800: mod_websocket: cleanly-closed sessions are hibernated by mod_smacks)
* sessionmanager: Mark session as destroyed to prevent reentry (fixes #1781)
* mod_admin_socket: Return error on unhandled input to prevent apparent freeze
* configure: Fix quoting of $LUA_SUFFIX (thanks shellcheck/Zash)
* net.http.parser: Improve handling of responses without content-length
* net.http.parser: Fix off-by-one error in chunk parser
* net.http.server: Add new API to get HTTP request from a connection
* net.http.server: Fix double close of file handle in chunked mode with opportunistic writes (#1789)
* util.prosodyctl.shell: Close state on exit to fix saving shell history
* mod_invites: Prefer landing page over xmpp URI in shell command
* mod_muc_mam: Add mam#extended form fields #1796
* mod_muc_mam: Copy “include total” behavior from mod_mam
* util.startup: Close state on exit to ensure GC finalizers are called
* Wed Feb 15 2023 Bernhard Wiedemann
- Add pregenerated example crt+key files to make builds reproducible
* Wed Jan 25 2023 Michal Suchanek
- Opencode %make_build to prevent build failure when not defined.
* Wed Dec 14 2022 Michael Vetter
- Update to 0.12.2:
Fixes and improvements:
* util.stanza: Allow U+7F when constructing stanzas
* net.unbound: Preserve built-in defaults and Prosody's settings for luaunbound (fixes #1763: luaunbound not reading resolv.conf)
* mod_smacks: Disable not implemented resumption behavior on s2s
* mod_http: Allow disabling CORS in the http_cors_override option and by default
Minor changes:
* util.json: Accept empty arrays with whitespace (fixes #1782: util.json fails to parse empty array with whitespace)
* util.stanza: Adjust number of return values to handle change in dependency of test suite (fix test with luassert >=1.9)
* util.startup: Ensure import() is available in prosodyctl
* mod_storage_sql: Fix initialization when called from prosodyctl
* mod_storage_sql: Fix the summary API with Postgres (#1766)
* mod_admin_shell: Fixes for showing data related to disconnected sessions (fixes #1777)
* core.s2smanager: Don’t remove unrelated session on close of bidi session
* mod_smacks: Don’t send redundant requests for acknowledgement (#1761)
* mod_admin_shell: Rename commands user:roles() to user:setroles() and user:showroles() to user:roles()
* mod_smacks: Bounce unhandled stanzas from local origin (fix #1759)
* mod_bookmarks: Reduce log level of message about not having any bookmarks
* mod_s2s: Fix firing buffer drain events
* mod_http_files: Log warning about legacy modules using mod_http_files
* util.startup: Wait for last shutdown steps
* util.datamapper: Improve handling of schemas with non-obvious “type”
* util.jsonschema: Fix validation to not assume presence of “type” field
* util.jsonschema: Use same integer/float logic on Lua 5.2 and 5.3
* Thu Jun 09 2022 Michael Vetter
- Update to 0.12.1:
Fixes and improvements:
* mod_http (and dependent modules): Make CORS opt-in by default (#1731)
* mod_http: Reintroduce support for disabling or limiting CORS (#1730)
* net.unbound: Disable use of hosts file by default (fixes #1737)
* MUC: Allow kicking users with the same affiliation as the kicker (fixes #1724 and improves Jitsi Meet compatibility)
* mod_tombstones: Add caching to improve performance on busy servers (fixes #1728: mod_tombstone: inefficient I/O with internal storage)
Minor changes:
* prosodyctl check config: Report paths of loaded configuration files (#1729)
* prosodyctl about: Report version of lua-readline
* prosodyctl: check config: Skip bare JID components in orphan check
* prosodyctl: check turn: Fail with error if our own address is supplied for the ping test
* prosodyctl: check turn: warn about external port mismatches behind NAT
* mod_turn_external: Update status and friendlier handling of missing secret option (#1727)
* prosodyctl: Pass server when listing (outdated) plugins (fix #1738: prosodyctl list --outdated does not handle multiple versions of a module)
* util.prosodyctl: check turn: ensure a result is always returned from a check (thanks eTaurus)
* util.prosodyctl: check turn: Report lack of TURN services as a problem #1749
* util.random: Ensure that native random number generator works before using it, falling back to /dev/urandom (#1734)
* mod_storage_xep0227: Fix mapping of nodes without explicit configuration
* mod_admin_shell: Fix error in ‘module:info()’ when statistics is not enabled (#1754)
* mod_admin_socket: Compat for luasocket prior to unix datagram support
* mod_admin_socket: Improve error reporting when socket can’t be created (#1719)
* mod_cron: Record last time a task runs to ensure correct intervals (#1751)
* core.moduleapi, core.modulemanager: Fix internal flag affecting logging in some global modules, like mod_http (#1736, #1748)
* core.certmanager: Expand debug messages about cert lookups in index
* configmanager: Clearer errors when providing unexpected values after VirtualHost (#1735)
* mod_storage_xep0227: Support basic listing of PEP nodes in absence of pubsub#admin data
* mod_storage_xep0227: Handle missing {pubsub#owner}pubsub element (fixes #1740: mod_storage_xep0227 tracebacks reading non-existent PEP store)
* mod_storage_xep0227: Fix conversion of SCRAM into internal format (#1741)
* mod_external_services: Move error message to correct place (fix #1725: mod_external_services: Misplaced textual error message)
* mod_smacks: Fix handling of unhandled stanzas on disconnect (#1759)
* mod_smacks: Fix counting of handled stanzas
* mod_smacks: Fix bounce of stanzas directed to full JID on unclean disconnect
* mod_pubsub: Don’t attempt to use server actor as publisher (#1723)
* mod_s2s: Improve robustness of outgoing s2s certificate verification
* mod_invites_adhoc: Fall back to generic allow_user_invites for role-less users
* mod_invites_register: Push invitee contact entry to inviter
* util.startup: Show error for unrecognized command-line arguments passed to ‘prosody’ (#1722)
* util.jsonpointer: Add tests, compat improvements and minor fixes
* util.jsonschema: Lua version compat improvements
* Fri Mar 18 2022 Michael Vetter
- Update to 0.12.0:
Modules:
* mod_mimicking: Prevent address spoofing
* mod_s2s_bidi: Bi-directional server-to-server connections (XEP-0288)
* mod_external_services: Generic XEP-0215 support
* mod_turn_external: Easy setup of XEP-0215 for STUN/TURN for audio/video calls
* mod_http_file_share: File sharing via HTTP (XEP-0363)
* mod_http_openmetrics: Expose metrics to Prometheus and compatible monitoring systems
* mod_smacks: Stream management and resumption (XEP-0198)
* mod_auth_ldap: LDAP authentication
* mod_cron: One module to rule all the periodic tasks
* mod_admin_shell: New home of the Console admin interface
* mod_admin_socket: Enable secure connections to the Console
* mod_tombstones: Prevent re-registration of deleted accounts
* mod_invites: Create and manage invites
* mod_invites_register: Allow registering accounts using invites
* mod_invites_adhoc: Create invites via ad-hoc command
* mod_bookmarks: Synchronise open rooms between clients
Security and authentication:
* Unencrypted HTTP port (5280) restricted to loopback by default
* require_encryption options default to ‘true’ if unspecified
* Authentication module defaults to ‘internal_hashed’ if unspecified
* SNI support (including automatic certificate selection)
* ALPN support in mod_net_multiplex
* DANE support in low-level network layer
* Direct TLS support (c2s and s2s)
* SCRAM-SHA-256
* Direct TLS (including https) certificates are now updated on reload
* Pluggable authorization providers (mod_authz_*)
* Easy use of Mozilla TLS recommendations presets
HTTP:
* CORS handling now provided by mod_http
* Built-in HTTP server now handles HEAD requests
* Uploads can be handled incrementally
API:
* Module statuses (API change)
* util.error for encapsulating errors
* Promise based API for sending queries
* API for adding periodic tasks
* More APIs supporting ES6 Promises
* Async can be used during shutdown
Other:
* Plugin installer
* MUC presence broadcast controls
* MUC: support for XEP-0421 occupant identifiers
* prosodyctl check connectivity via observe.jabber.network
* STUN/TURN server tests in prosodyctl check
* libunbound for DNS queries
* The POSIX poll() API used by server_epoll on *nix other than Linux
Changed in this release:
* Improved rules for mobile optimizations in mod_csi_simple
* Improved rules for what messages should be archived in mod_mam
* mod_limits: Support for exempt JIDs
* mod_server_contact_info now loaded on components if enabled
* Statistics now based on OpenMetrics
* Statistics scheduling can be done by plugin
* Offline messages aren’t sent to MAM clients
* Archive quotas (maximum limit on items in an archive store)
* Rewritten migrator with archive support
* Improved automatic certificate locating and selecting
* Logging to syslog no longer missing startup messages
* Graceful shutdown sequence that closes ports first and waits for connections to close
Removed in this release:
* daemonize option deprecated
* SASL DIGEST-MD5 removed
* mod_auth_cyrus (older LDAP support)
* Network backend server_select deprecated (not actually removed yet)
Please see:
* https://blog.prosody.im/prosody-0.12.0-released/
* https://prosody.im/doc/release/0.12.0
* Fri Feb 18 2022 Jan Engelhardt
- Do not replace config file on every upgrade
* Fri Jan 28 2022 Michael Vetter
- Update to 0.11.13:
* util.xml: Break reference to help the GC (fixes #1711)
* util.xml: Deduplicate handlers for restricted XML
* Thu Jan 13 2022 Michael Vetter
- Update to 0.11.12:
* util.xml: Do not allow doctypes, comments or processing instructions (CVE-2022-0217)
* Tue Jan 04 2022 Michael Vetter
- Update to 0.11.11:
Fixes and improvements:
* net.server_epoll: Prioritize network events over timers to improve performance under heavy load
* mod_pep: Add some memory usage limits
* mod_pep: Prevent creation of services for non-existent users
* mod_pep: Free resources on user deletion (needed a restart previously)
Minor changes:
* mod_pep: Free resources on reload
* mod_c2s: Indicate stream secure state in error text when no stream features to offer
* MUC: Fix logic for access to affiliation lists
* net.server_epoll: Improvements to shutdown procedure #1670
* net.server_epoll: Fix potential issue with rescheduling of timers
* prosodyctl: Fix to ensure LuaFileSystem is loaded when needed
* util.startup: Fix handling of unknown command line flags (e.g. -h)
* Fix version number reported as ‘unknown’ on *BSD
* Wed Oct 20 2021 Johannes Segitz
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* prosody.service
* Mon Aug 16 2021 Michael Vetter
- Update to 0.11.10:
Security:
* MUC: Fix logic for access to affiliation lists CVE-2021-37601 https://prosody.im/security/advisory_20210722/
Minor changes:
* prosodyctl: Add ‘limits’ to known globals to warn about misplacing it
* util.ip: Fix netmask for link-local address range
* mod_pep: Remove obsolete node restoration code
* util.pubsub: Fix traceback if node data not initialized
- Update is related to: bsc#1188976 CVE-2021-37601
* Thu May 13 2021 Carsten Ziepke
- Update to 0.11.9:
Security:
* mod_limits, prosody.cfg.lua: Enable rate limits by default
* certmanager: Disable renegotiation by default
* mod_proxy65: Restrict access to local c2s connections by default
* util.startup: Set more aggressive defaults for GC
* mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits
* mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
* mod_dialback: Remove dialback-without-dialback feature
* mod_dialback: Use constant-time comparison with hmac
Minor changes:
* util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)
* mod_c2s: Don’t throw errors in async code when connections are gone
* mod_c2s: Fix traceback in session close when conn is nil
* core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
* mod_saslauth: Use a defined SASL error
* MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info
* mod_saslauth: Don’t throw errors in async code when connections are gone
* mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub feature in disco)
* prosodyctl check config: Add ‘gc’ to list of global options
* prosodyctl about: Report libexpat version if known
* util.xmppstream: Add API to dynamically configure the stanza size limit for a stream
* util.set: Add is_set() to test if an object is a set
* mod_http: Skip IP resolution in non-proxied case
* mod_c2s: Log about missing conn on async state changes
* util.xmppstream: Reduce internal default xmppstream limit to 1MB
- Relevant: https://prosody.im/security/advisory_20210512
* boo#1186027: Prosody XMPP server advisory 2021-05-12
* CVE-2021-32919
* CVE-2021-32917
* CVE-2021-32917
* CVE-2021-32920
* CVE-2021-32918
* Tue Feb 16 2021 Michael Vetter
- Update to 0.11.8:
Security:
* mod_saslauth: Disable ‘tls-unique’ channel binding with TLS 1.3 (#1542)
Fixes and improvements:
* net.websocket.frames: Improve websocket masking performance by using the new util.strbitop
* util.strbitop: Library for efficient bitwise operations on strings
Minor changes:
* MUC: Correctly advertise whether the subject can be changed (#1155)
* MUC: Preserve disco ‘node’ attribute (or lack thereof) in responses (#1595)
* MUC: Fix logic bug causing unnecessary presence to be sent (#1615)
* mod_bosh: Fix error if client tries to connect to component (#425)
* mod_bosh: Pick out the ‘wait’ before checking it instead of earlier
* mod_pep: Advertise base PubSub feature (#1632)
* mod_pubsub: Fix notification stanza type setting (#1605)
* mod_s2s: Prevent keepalives before client has established a stream
* net.adns: Fix bug that sent empty DNS packets (#1619)
* net.http.server: Don’t send Content-Length on 1xx/204 responses (#1596)
* net.websocket.frames: Fix length calculation bug (#1598)
* util.dbuffer: Make length API in line with Lua strings
* util.dbuffer: Optimize substring operations
* util.debug: Fix locals being reported under wrong stack frame in some cases
* util.dependencies: Fix check for Lua bitwise operations library (#1594)
* util.interpolation: Fix combination of filters and fallback values #1623
* util.promise: Preserve tracebacks
* util.stanza: Reject ASCII control characters (#1606)
* timers: Ensure timers can’t block other processing (#1620)