Prosody IM Website


file doc/release/0.9.14.md in changeset 0291c434b4a1


---
title: '0.9.14'
---

Released: *2018-05-31*

# Summary

This is an important security release for our old stable branch. It fixes a cross-host
authentication vulnerability, CVE-2018-10847.

The issue affects Prosody instances that have multiple virtual hosts (including
anonymous authenticated hosts). All versions of Prosody before 0.9.14 and 0.10.2 are
affected.

A full security advisory is available at https://prosody.im/security/advisory_20180531

## Changes

Summary of all changes in this release:

### Security

- mod\_c2s: Do not allow the stream 'to' to change across stream restarts (fixes [#1147](https://prosody.im/issues/issue/1147))
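
The following added example (not Prosody's code, which is written in Lua) is a simplified model of the mod\_c2s change: the session records the stream 'to' from the first stream header and refuses a restart that names a different host. The class, the `pin_host` switch, the error strings and the `*.example` hosts and accounts are all constructed for illustration.

```python
class StreamError(Exception):
    """The server closes the stream with an error."""


class C2SSession:
    """Toy client-to-server session; not Prosody's data structures."""

    def __init__(self, hosts, pin_host):
        self.hosts = set(hosts)    # virtual hosts served by this instance
        self.pin_host = pin_host   # True models the behaviour after the fix
        self.host = None           # host named by the stream header
        self.username = None       # set once authentication succeeds

    def stream_opened(self, to):
        """Handle a stream header; called for the first open and every restart."""
        if to not in self.hosts:
            raise StreamError("unknown host")
        if self.pin_host and self.host is not None and to != self.host:
            # Modelled fix: a restart must name the host the stream began with.
            raise StreamError("stream 'to' changed across restart")
        self.host = to

    def authenticate(self, username, accounts):
        """Credentials are checked against the current host's accounts only."""
        if username not in accounts[self.host]:
            raise StreamError("not authorized")
        self.username = username

    def identity(self):
        return f"{self.username}@{self.host}" if self.username else None


ACCOUNTS = {"a.example": {"alice"}, "b.example": {"bob"}}  # constructed data


def restart_after_auth(pin_host, new_to):
    """Authenticate as alice on a.example, then restart the stream with new_to."""
    session = C2SSession(ACCOUNTS, pin_host)
    session.stream_opened("a.example")
    session.authenticate("alice", ACCOUNTS)
    try:
        session.stream_opened(new_to)  # the restart that follows authentication
    except StreamError as err:
        return f"closed: {err}"
    return session.identity()


if __name__ == "__main__":
    for pin in (False, True):
        for to in ("a.example", "b.example"):
            print(f"pin_host={pin} restart to={to}: {restart_after_auth(pin, to)}")
```

With `pin_host=False` the model ends up holding an identity on `b.example` that was never checked against that host's accounts; with `pin_host=True` the same restart closes the stream, while a restart that repeats the original 'to' still succeeds.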

## Download

There is no updated 'prosody' package for our 0.9 branch. If you installed from our repository, switch to
the 'prosody-0.9' nightly package or upgrade the 'prosody' package to receive 0.10.2. If upgrading to 0.10
from 0.9, be sure to read the [0.10 upgrade notes](https://prosody.im/doc/release/0.10.0).

If you installed Prosody from your distribution, you may expect updated packages from them (they were notified in
advance of this release).

**Nightly users:** ensure you have at least build 485 (0.10), 294 (0.9) or 904 (trunk).

If you have any questions, comments or other issues with this release, [let us know!](https://prosody.im/discuss)