Prosody 0.11.9

This release addresses a number of important security issues that affect most deployments of Prosody. Full details are available in a separate security advisory. Upstream recommends that all deployments upgrade or apply the mitigations described in the advisory: https://prosody.im/security/advisory_20210512/

Note: Upstream updated the default config file. DNF or RPM will create a /etc/prosody/prosody.cfg.lua.rpmnew file, so make sure you update your existing /etc/prosody/prosody.cfg.lua to enable mod_limits after the upgrade.

Security

• mod_limits, prosody.cfg.lua: Enable rate limits by default
• certmanager: Disable renegotiation by default
• mod_proxy65: Restrict access to local c2s connections by default
• util.startup: Set more aggressive defaults for GC
• mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits
• mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
• mod_dialback: Remove dialback-without-dialback feature
• mod_dialback: Use constant-time comparison with hmac

Minor changes

• util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)
• mod_c2s: Don’t throw errors in async code when connections are gone
• mod_c2s: Fix traceback in session close when conn is nil
• core.certmanager: Improve detection of LuaSec/OpenSSL capabilities
• mod_saslauth: Use a defined SASL error
• MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info
• mod_saslauth: Don’t throw errors in async code when connections are gone
• mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing pubsub feature in disco)
• prosodyctl check config: Add gc to list of global options
• prosodyctl about: Report libexpat version if known
• util.xmppstream: Add API to dynamically configure the stanza size limit for a stream
• util.set: Add is_set() to test if an object...