github processone/ejabberd 26.04

Release notes copied from the original ejabberd 26.04 announcement post:

We are publishing this security release, ejabberd 26.04, which includes options to limit the XML parser and other minor bug fixes. It is strongly encouraged that you update ejabberd as soon as possible.

Contents:

  • New limits options for XML parser
  • ChangeLog
  • Acknowledgments
  • ejabberd 26.04 download & feedback

New limits options for XML parser

This release adds new options that limit the maximum memory used by the XML parser that processes XMPP payloads, to prevent a potential Denial of Service attack. The default values for the pre-auth options provide sufficient protection for ejabberd against non-authenticated users on c2s and s2s, so there is no need to change your configuration.

The option max_stanza_elements sets a limit on the maximum number of XML elements that an individual stanza can contain. By default, this option is set to infinity.

The pair of options pre_auth_max_stanza_elements and pre_auth_max_stanza_size define separate limits for sessions that haven't authenticated yet. The session will switch to the limits defined by the options max_stanza_elements and max_stanza_size after the client has successfully authenticated. The default values for these options are: 32 for pre_auth_max_stanza_elements and 8192 for pre_auth_max_stanza_size.

All those options are recognized inside listener sections, and can be applied to ejabberd_c2s and ejabberd_s2s_in listeners.
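As an added example that is not part of the announcement, here is a listener section of ejabberd.yml that sets the new options explicitly on both the ejabberd_c2s and ejabberd_s2s_in listeners. The pre_auth_* values are the defaults stated above; the post-authentication values, ports, shapers and access rules are assumptions chosen for illustration, not recommendations from the release notes.

```yaml
# Assumed example ejabberd.yml fragment (not from the 26.04 announcement).
listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    starttls_required: true
    access: c2s
    shaper: c2s_shaper
    # Applied before the client authenticates (defaults from the release notes).
    pre_auth_max_stanza_elements: 32
    pre_auth_max_stanza_size: 8192
    # Applied after successful authentication (assumed values).
    max_stanza_elements: 10000
    max_stanza_size: 262144
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    shaper: s2s_shaper
    # Same pre-auth limits protect the server from unauthenticated peers.
    pre_auth_max_stanza_elements: 32
    pre_auth_max_stanza_size: 8192
    # Post-auth limits for authenticated remote servers (assumed values).
    max_stanza_elements: 20000
    max_stanza_size: 524288
```

Leaving max_stanza_elements unset keeps its default of infinity, so only the pre-auth phase is bounded by element count in that case.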

ChangeLog

Core

  • Add new listener options to limit xml parser accepted input
  • Improve leave_cluster command to work even in own node
  • New predefined keyword DATABASE_PATH that points to the Mnesia spool dir
  • Support HOST keyword in sql_database toplevel option, set nice default value
  • Provide more details in log messages when using SQLite
  • Update documentation of jwt_key to match the Docs site
  • ejabberd_config: New default_ram_db/3 clause that checks module support
  • ejabberd_sm: Remove session_counter, used for get_vh_session_number now removed

Modules

  • mod_http_fileserver: Use integer in ejabberd_hooks:add as expected by "make hooks"
  • mod_invites: Add --enable-bootstrap=no to configure options to bypass download (#4558)
  • mod_invites: don't crash in get_invite_by_invitee_t for sql backend (#4566)
  • mod_invites: quick howto for creating integrity check checksums
  • mod_invites: remove dependency on jquery
  • mod_mqtt: Define RAM callbacks as optional
  • mod_mqtt: Use default_ram_db only if it really supports RAM storage
  • mod_roster: Fix bug introduced in 26.03 in commit d5c1440 (#4564)
  • mod_roster_sql: Cast approved integer as boolean when exporting Mnesia to SQL
  • mod_shared_roster_sql: Fix typo introduced 10 years ago in commit 0ea0ba3

Container and Installers

  • Bump Erlang/OTP 28.4.2
  • make-binaries: Bump OpenSSL to 3.5.6

Full Changelog

26.03...26.04

Acknowledgments

We would like to thank the contributions to the source code, documentation, and translation provided for this release by:

And also to all the people contributing in the ejabberd chatroom, issue tracker...

ejabberd 26.04 download & feedback

As usual, the release is tagged in the Git source code repository on GitHub.

The source package and installers are available on the ejabberd Downloads page. To check the *.asc signature files, see How to verify ProcessOne downloads integrity.

For convenience, there are alternative download locations like the ejabberd DEB/RPM Packages Repository and the GitHub Release / Tags.

The ecs container image is available in docker.io/ejabberd/ecs and ghcr.io/processone/ecs. The alternative ejabberd container image is available in ghcr.io/processone/ejabberd.

If you think you've found a bug, please search for or file a bug report on GitHub Issues.