ejabberd 2.1.7, 3.0.0-alpha-3 and exmpp 0.9.7 -- security release

Update: ejabberd 2.1.8 was released with a PubSub fix.

ejabberd 2.1.7, and ejabberd 3.0.0-alpha-3, and exmpp 0.9.7 have been released, after a few months of development. They contain a lot of bugfixes, improvements and some new features.

If you have ejabberd running in a public server, please update it immediately: those releases contain a security fix that disables entity expansion completely to prevent billion laughs DoS attack (CVE-2011-1753).

ejabberd 2.1.7

This release contains many bugfixes, improvements and a few new features.

A short list of changes:

  • BOSH: Keep the order of stanzas when BOSH sends several (EJAB-1374)
  • CAPTCHA in MUC: New whitelist option
  • CAPTCHA: New captcha_limit option
  • Core: Disable all entity expansions (EJAB-1451)
  • Core: Do not accept XML with undefined prefixes (EJAB-680)
  • ejabberdctl: New DIST_USE_INTERFACE restricts IP erlang listen (EJAB-1404)
  • ejabberdctl: New ERL_EPMD_ADDRESS that works since Erlang/OTP R14B03
  • extauth: If script crashes, ejabberd should restart it (EJAB-1428)
  • If a module start fails during server start, stop erlang (EJAB-1446)
  • mod_blocking: New XEP-0191 Simple Communications Blocking (EJAB-695)
  • mod_pres_counter: Prevent subscription flood (EJAB-1388)
  • mod_register: Access now also controls account unregistrations
  • mod_shared_roster: Fix support for anonymous accounts in @all@ (EJAB-1264)
  • mod_shared_roster: New @online@ directive (EJAB-1391)
  • New Indonesian translation (EJAB-1407)
  • Pubsub: Apply filtered notification to PEP last items (EJAB-1456)
  • Pubsub: Owner can delete any items from its own node (EJAB-1445)

Check the 2.1.7 Release Notes for the full list of fixes and improvements.

The list of solved tickets since the previous version is available on ProcessOne bug tracker: http://redir.process-one.net/ejabberd-2.1.7

If you upgrade from ejabberd 2.0.7 or older, read carefully the release notes of ejabberd 2.1.0 too, because there were several changes in the installation path and the configuration options.

The source package and binary installers for Linux 32 bits, 64 bits, Mac OS X Intel, and Windows are available in the ejabberd ProcessOne download page.

ejabberd 3.0.0-alpha-3

Regarding ejabberd 3.0.0-alpha-3, it contains several changes. The related tickets can be found on the bug tracker.

Please note that the database schema used in this preliminary release is not yet definitive, and it will probably change in the next alpha and beta releases.

When compiling the source code, it is necessary to install exmpp.

Recommendation: try this alpha release far away from a production server. Try it with an empty database, or with a copy of your existing database. Please report bugs you find, including logged errors if any, in the usual https://support.process-one.net/browse/EJAB or in the ejabberd mailing list.

For more information check the release notes included in the release and in
https://git.process-one.net/ejabberd/mainline/blobs/raw/master/doc/relea...

Source tarball and binary installers for preliminary releases can be downloaded here:
http://download.process-one.net/ejabberd/

exmpp 0.9.7

This release of exmpp contains only those fixes:

  • Add new function failure/2 (EJAB-1425)
  • Bugfix to allow a resource have / characters
  • Disable all entity expansions (EJAB-1451)

exmpp home page:
http://support.process-one.net/doc/display/EXMPP/
or easier to remember: http://exmpp.org/

Download exmpp 0.9.7 source code package from:
http://download.process-one.net/exmpp/

You can also check the ProcessOne Labs page:
http://www.process-one.net/en/labs/

Syndicate content