Prosody IM Website

file doc/release/ in changeset 0291c434b4a1

View latest ↓ Download file

line wrap: on
line source

title: '0.9.14'

Released: *2018-05-31*

# Summary

This is an important security release for our old stable branch. It fixes a cross-host
authentication vulnerability, CVE-2018-10847.

The issue affects Prosody instances that have multiple virtual hosts (including
anonymous authenticated hosts). All versions of Prosody before 0.9.14 and 0.10.2 are

A full security advisory is available at

## Changes

Summary of all changes in this release:

### Security

- mod\_c2s: Do not allow the stream 'to' to change across stream restarts (fixes [#1147](

## Download

There is no updated 'prosody' package for our 0.9 branch. If you installed from our repository, switch to
the 'prosody-0.9' nightly package or upgrade the 'prosody' package to receive 0.10.2. If upgrading to 0.10
from 0.9, be sure to read the [0.10 upgrade notes](

If you installed Prosody from your distribution, you may expect updated packages from them (they were notified in
advance of this release).

**Nightly users:** ensure you have at least builds 485 (0.10) or 294 (0.9) or 904 (trunk).

If you have any questions, comments or other issues with this release, [let us know!](