Matthew Wild
2018-05-31 17:03:36 UTC
Hi folks,
Today brings an important security release for both our stable
branches. This fixes a cross-host authentication vulnerability,
CVE-2018-10847.
The issue affects Prosody instances that have multiple virtual hosts
(including anonymous authenticated hosts). All versions of Prosody
before 0.9.14 and 0.10.2 are affected.
A full security advisory is available at
https://prosody.im/security/advisory_20180531
Summary of all changes in this release:
- mod_c2s: Do not allow the stream 'to' to change across stream
restarts (fixes #1147)
- mod_websocket: Store the request object on the session for use by
other modules (fixes #1153)
- core.certmanager: Allow all non-whitespace in service name (fixes #1019)
- mod_c2s: Avoid concatenating potential nil value (fixes #753)
- mod_disco: Skip code specific to disco on user accounts (avoids
invoking usermanager, fixes #1150)
- mod_bosh: Store the normalized hostname on session (fixes #1151)
- MUC: Fix error logged when no persistent rooms present (fixes #1154)
# Download
As usual, download instructions for many platforms can be found on our
download page: https://prosody.im/download
Note for 0.9.x users: There is no updated 'prosody' package for our
0.9 branch. If you installed from our repository, switch to the
'prosody-0.9' nightly package or upgrade the 'prosody' package to
receive 0.10.2. If upgrading to 0.10 from 0.9, see the upgrade notes
at https://prosody.im/doc/release/0.10.0 . If you installed Prosody
from your distribution, you may expect updated packages from them
(they were notified in advance of this release).
Nightly users: ensure you have at least builds 485 (0.10) or 294 (0.9)
or 904 (trunk).
If you have any questions, comments or other issues with this release,
let us know! https://prosody.im/discuss
--
You received this message because you are subscribed to the Google Groups "prosody-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prosody-dev+***@googlegroups.com.
To post to this group, send email to prosody-***@googlegroups.com.
Visit this group at https://groups.google.com/group/prosody-dev.
For more options, visit https://groups.google.com/d/optout.
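The mod_c2s change listed in the announcement (#1147) enforces one invariant: the virtual host a client stream binds to on its first open must stay the same across every later stream restart (after STARTTLS or SASL), so authentication state earned on one host cannot carry over to another. The following is an added Python model of that check, not Prosody's own Lua code; the virtual host list, the log messages and the lowercase normalization are assumptions for illustration.

```python
"""Model of the stream-'to' invariant behind the mod_c2s fix (#1147).
Constructed example; Prosody itself implements this in Lua."""

from dataclasses import dataclass, field
from typing import List, Optional

# Constructed virtual host list (assumption: not a real deployment).
VIRTUAL_HOSTS = {"example.com", "anon.example.com"}


def normalize_host(to: Optional[str]) -> str:
    # Simplified normalization (assumption); real XMPP hosts use nameprep.
    return (to or "").strip().lower()


@dataclass
class StreamSession:
    host: Optional[str] = None          # virtual host bound at first stream open
    authenticated: bool = False
    restarts: int = 0
    log: List[str] = field(default_factory=list)

    def open_stream(self, to: Optional[str]) -> bool:
        """Handle a <stream:stream to=...> open. Returns True if accepted."""
        to = normalize_host(to)
        if to not in VIRTUAL_HOSTS:
            self.log.append(f"host-unknown: {to!r}")
            return False
        if self.host is None:
            self.host = to              # first open: bind the session to this host
            return True
        self.restarts += 1
        if to != self.host:
            # The fix: a restart may not move the session to another virtual
            # host; any SASL state already reached belongs to self.host only.
            self.log.append(f"rejected restart: 'to' changed {self.host!r} -> {to!r}")
            return False
        return True

    def authenticate(self) -> None:
        # Called once SASL succeeds against self.host.
        self.authenticated = True
```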