github processone/ejabberd 26.03

Release notes copied from the original ejabberd 26.03 announcement post:

We are pleased to announce another bugfix release: ejabberd 26.03. It brings support for roster pre-approval and more than 100 commits with bugfixes all around, many of them dedicated to the new mod_invites, including many security fixes.

If you are upgrading from a previous version, note that there is a change in the SQL schemas; please read below. There are no changes in configuration, API commands or hooks.

Contents:

  • Changes in SQL schemas
  • SASL channel binding changes
  • ChangeLog
  • Acknowledgments
  • Improvements in ejabberd Business Edition
  • ejabberd 26.03 download & feedback

Changes in SQL schema

This release adds a new column to the rosterusers table in the SQL database schemas to support roster pre-approval. This task is performed automatically by ejabberd by default.

However, if your configuration file disables the update_sql_schema top-level option, you must apply the SQL schema update yourself. This statement is valid for MySQL, PostgreSQL and SQLite, in both the default and the new schema:

ALTER TABLE rosterusers ADD COLUMN approved boolean NOT NULL AFTER subscription;
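As an added note (not part of the release post): the AFTER column-position clause is MySQL syntax, and adding a NOT NULL column with no DEFAULT is rejected by SQLite unconditionally and by PostgreSQL when rosterusers already has rows. The variants below assume a default of false for existing contacts; check the sql/*.sql files shipped with the release for the exact column definition ejabberd uses.

```sql
-- MySQL: the statement from the release notes (AFTER positions the column)
ALTER TABLE rosterusers ADD COLUMN approved boolean NOT NULL AFTER subscription;

-- PostgreSQL / SQLite: no AFTER clause; a DEFAULT is required so that rows
-- already in the table get a value (assumed: false = not pre-approved)
ALTER TABLE rosterusers ADD COLUMN approved boolean NOT NULL DEFAULT false;

-- Check that the column is in place (MySQL / PostgreSQL information_schema;
-- on SQLite use: PRAGMA table_info(rosterusers);)
SELECT column_name, data_type, is_nullable
FROM information_schema.columns
WHERE table_name = 'rosterusers' AND column_name = 'approved';
```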

SASL channel binding changes

This version adds the ability to configure how the client flag "wanted to use channel binding but was not offered one" is handled.
By default ejabberd aborts connections that present this flag, because it can mean that a rogue MITM proxy sitting between
client and server is stripping the channel-binding information from the data they exchange.

This causes problems for deployments that put a TLS-terminating proxy in front of the server (there is a MITM proxy, but one approved by the server admin). To handle this situation, ejabberd now ignores the flag if the server admin has disabled channel-binding handling by disabling the -PLUS auth mechanisms in the config file:

disable_sasl_mechanisms:
  - SCRAM-SHA-1-PLUS
  - SCRAM-SHA-256-PLUS
  - SCRAM-SHA-512-PLUS

We also ignore this flag on SASL2 connections if filtering the offered authentication methods by the user's available passwords has removed all -PLUS mechanisms.
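The decision the two paragraphs above describe, as an added example in Python (not ejabberd's Erlang code): the server parses the GS2 header of the SCRAM client-first message and treats flag "y" as a downgrade only if it actually offered a -PLUS mechanism. The mechanism list, the config and the SASL2 password filtering are modelled with assumed names (ALL_SCRAM, advertised_mechanisms, user_password_kinds).

```python
"""Server-side check of the SCRAM channel-binding flag (added example, not
ejabberd's own code). Flag 'y' means: client supports channel binding but
saw no -PLUS mechanism in the list the server sent."""
import re

ALL_SCRAM = {"SCRAM-SHA-1", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-256",
             "SCRAM-SHA-256-PLUS", "SCRAM-SHA-512", "SCRAM-SHA-512-PLUS"}

# RFC 5802 gs2-header: cbind flag "n" | "y" | "p=<cb-name>", optional authzid
_GS2 = re.compile(r"^(n|y|p=([A-Za-z0-9.\-]+)),(?:a=[^,]*)?,(.*)$")


def parse_gs2_flag(client_first: str):
    """Return (flag letter, channel-binding name or None, client-first-bare)."""
    m = _GS2.match(client_first)
    if not m:
        raise ValueError("malformed GS2 header")
    return m.group(1)[0], m.group(2), m.group(3)


def advertised_mechanisms(disabled_sasl_mechanisms, user_password_kinds=None):
    """Mechanisms offered to this client: all SCRAM mechanisms minus the
    disable_sasl_mechanisms list. For SASL2 (assumed model) mechanisms whose
    hash the stored password cannot serve are filtered out as well."""
    mechs = ALL_SCRAM - set(disabled_sasl_mechanisms)
    if user_password_kinds is not None:
        mechs = {m for m in mechs if m.split("-PLUS")[0] in user_password_kinds}
    return mechs


def check_client_first(client_first: str, advertised: set) -> str:
    """Return 'accept' or 'abort:<reason>' for the channel-binding flag."""
    flag, _cb, _bare = parse_gs2_flag(client_first)
    offered_plus = any(m.endswith("-PLUS") for m in advertised)
    if flag == "p":
        # Client binds to the TLS channel; only meaningful if -PLUS was offered
        # (the binding data itself is verified later, not modelled here).
        return "accept" if offered_plus else "abort:unexpected-binding"
    if flag == "y":
        # We offered -PLUS but the client never saw it: something between
        # client and server stripped it, so abort (the default behaviour).
        # If the admin disabled every -PLUS mechanism (TLS terminated by an
        # approved proxy) or SASL2 filtering left none, the flag is expected.
        return "abort:downgrade-suspected" if offered_plus else "accept"
    return "accept"  # "n": client does not use channel binding at all
```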

ChangeLog

Core

  • Fix mysql authentication for tls connections that required auth plugin switch
  • Improve handling of scram "wanted to use channel-bindings but was not offered one" flag
  • Add ability for mod_options values to depend on other options
  • Don't fail to classify stand-alone chat states
  • Fix some warnings compiling with Erlang/OTP 29 (#4527)
  • ejabberd_ctl: Document how to set empty lists in ejabberdctl and WebAdmin
  • ejabberd_http: Add handling of Etag and If-Modified-Since headers to files served by mod_http_upload
  • ejabberd_http: Ignore whitespaces at end of host header
  • SQL: Add ability to mark that column can be null in e_sql_schema
  • Tests: Add tests for sasl2
  • Tests: Make table cleanup in test more robust

Modules

  • mod_fast_auth: Offered methods are based on available channel bindings
  • mod_http_api: Always hide password in log entries
  • mod_mam: Call store_mam_message hook for messages that user_mucsub_from_muc_archive was filtering out
  • mod_mam_sql: Only provide the new XEP-0431 fulltext field, not old custom withtext
  • mod_muc_room: Fix duplicate stanza-id in muc mam responses generated from local history (#4544)
  • mod_muc_room: Fix hook name in commit 7732984 (#4526)
  • mod_pubsub_serverinfo: Don't use gen_server:call for resolving pubsub host
  • mod_roster: Add support for roster pre-approval (#4512)
  • mod_roster: Fix display of groups in WebAdmin when it's a list
  • mod_roster: in WebAdmin page, first execute SET actions, later GET
  • mod_roster_mnesia: Improve transformation code

mod_invites

  • Makefile: Run invites-deps only when files are missing
  • Fix path to bootstrap files
  • Check at start time the syntax of landing_page option (#4525)
  • Send 'Link' http header (#4531)
  • Set meta.pre-auth to skip redirect_url if token validated (#4535)
  • Many security fixes (#4539)
  • Add favicon and change color to match ejabberd branding
  • Enable dark mode
  • Add support for webchat_url
  • Migrate to bootstrap5 and update jquery
  • No inline scripts
  • Make format csrf token
  • Add csrf token to failed post
  • Include js/css deps in static dir
  • Correct hashes for bootstrap 4.6.2
  • Hint at type for landing_page opt
  • Many more security fixes (#4538)
  • Check CSRF token in register form
  • Add integrity hashes to scripts and css
  • Comment unused resources
  • Add security headers
  • Remove debug log of whole query parameters (including pw)
  • Don't crash on unknown host from http host header
  • Make creating invite transactional
  • Set overuse limits (#4540)
  • Fix broken path when behind proxy with prefix (#4547)

Container and Installers

  • Bump Erlang/OTP 28.4.1
  • make-binaries: Bump libexpat to 2.7.5
  • make-binaries: Bump zlib to 1.3.2
  • make-binaries: Enable missing crypto features (#4542)

Translations

  • Update Bulgarian translation
  • Update Catalan and Spanish translations
  • Update Chinese Simplified translation
  • Update Czech translation
  • Update French translation
  • Update German translation

Acknowledgments

We would like to thank those who contributed source code, documentation, and translations for this release:

And also all the people contributing in the ejabberd chatroom, issue tracker...

Improvements in ejabberd Business Edition

Customers of the ejabberd Business Edition, in addition to all the improvements and bugfixes above, also get the following changes:

  • Add p1db backend for mod_auth_fast
  • Fix issue when cleaning MAM messages stored in p1db
  • mod_unread fixes
  • Web push fixes

Full Changelog

26.02...26.03

ejabberd 26.03 download & feedback

As usual, the release is tagged in the Git source code repository on GitHub.

The source package and installers are available on the ejabberd Downloads page. To check the *.asc signature files, see How to verify ProcessOne downloads integrity.

For convenience, there are alternative download locations like the ejabberd DEB/RPM Packages Repository and the GitHub Release / Tags.

The ecs container image is available in docker.io/ejabberd/ecs and ghcr.io/processone/ecs. The alternative ejabberd container image is available in ghcr.io/processone/ejabberd.

If you think you've found a bug, please search for or file a bug report on GitHub Issues.
