Hi Lonnie,

On Thu, 13 May 2021 at 13:36, Lonnie Abelbeck <[email protected]> wrote:
> Hi Matthew,
>
> Any chance a 0.10.4 version will be released with just the security fixes?

Sorry, we're no longer maintaining the 0.10 branch at this point. I'm
pretty sure our build infrastructure wouldn't succeed at a 0.10
release even if we tried. As a reminder, our policy is generally to
support a branch for as long as that branch is included in a supported
Debian release. With the EOL of Debian 9 in July 2020, we're now only
maintaining 0.11.x.

I've just updated the security advisory with the commits relevant to
each issue to make it easier for packagers who want to cherry-pick or
backport changes.

Some notes/pointers:

  - 0.10 will usually be running on Lua 5.1, which is far less
susceptible to the memory exhaustion issue.
  - 0.10 is lacking util.startup and support for the 'gc' config
option, so you'll need to plug in collectgarbage("setstepmul", 500)
somewhere during startup.
  - Backporting the timing attack patches should be trivial enough
(just patch the new function into util-src/hashes.c and fix the
appropriate modules, which have probably changed little since 0.10).
  - mod_proxy65 has also not changed much (at all?) and it should be
easy to apply the patch for 0.11.
  - mod_dialback should be a similar story.
  - I can't say how much work the stanza size limits patches will be
in 0.10, but hopefully not too tricky.

Hope this helps! Let me know if you have any further questions.

Regards,
Matthew

-- 
You received this message because you are subscribed to the Google Groups 
"prosody-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prosody-dev/CAJt9-x5tJso5KA1_dwA3P-p27Pwhy%2Bd5odNK19XhNS2kh9ekRQ%40mail.gmail.com.
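
The "timing attack patches" bullet above refers to putting a new comparison function into util-src/hashes.c and switching the affected modules over to it. The following is an added, stand-alone C example written for this page; it is not Prosody's code and does not reproduce the actual patch. It puts the early-exit comparison (the kind of code such patches replace) next to a constant-time one, and adds an instrumented helper, leaky_work, that counts how many bytes the early-exit version inspects before rejecting a guess, so the leak is visible without a stopwatch. The secret value SECRET, the guesses, and all function names are constructed for the example; in a real deployment the secret-derived side would be something like a freshly computed HMAC and the other side the value a peer sent.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a hypothetical secret-derived value (think of a
 * computed HMAC rendered as hex). Not a real key. */
static const char SECRET[] = "3f9a7c1e5b2d8e4a";

/* "Before" form: returns at the first mismatching byte. The number of bytes
 * examined, and therefore the time taken, grows with the length of the
 * correctly guessed prefix; that is the timing side channel.
 * Returns 1 on match, 0 otherwise; *examined receives the byte count. */
int leaky_equals(const unsigned char *a, const unsigned char *b,
                 size_t len, size_t *examined)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            if (examined) *examined = i + 1;
            return 0;
        }
    }
    if (examined) *examined = len;
    return 1;
}

/* "After" form: always visits every byte and ORs together the XOR
 * differences, so the work done does not depend on where the first
 * mismatch is. volatile keeps the compiler from turning the loop back
 * into an early-exit comparison. */
int ct_equals(const unsigned char *a, const unsigned char *b, size_t len)
{
    volatile unsigned char diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Wrapper for NUL-terminated strings. A length mismatch is rejected up
 * front: the attacker already knows the length of what they sent, so that
 * branch reveals nothing new about the secret. */
int ct_equals_str(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb)
        return 0;
    return ct_equals((const unsigned char *)a, (const unsigned char *)b, la);
}

/* Number of bytes leaky_equals inspects before rejecting `guess` against
 * SECRET. `guess` must be the same length as SECRET (16 bytes). */
size_t leaky_work(const char *guess)
{
    size_t n = 0;
    leaky_equals((const unsigned char *)SECRET, (const unsigned char *)guess,
                 sizeof(SECRET) - 1, &n);
    return n;
}

int main(void)
{
    /* Guesses with progressively longer correct prefixes. */
    const char *guesses[] = { "0000000000000000", "3f00000000000000",
                              "3f9a7c0000000000", "3f9a7c1e5b2d8e4a" };
    size_t i;
    for (i = 0; i < 4; i++)
        printf("guess %s: leaky examined %zu bytes, ct_equals=%d\n",
               guesses[i], leaky_work(guesses[i]),
               ct_equals_str(SECRET, guesses[i]));
    return 0;
}
```

Running it shows the early-exit compare examining 1, 3, 7 and 16 bytes as the guessed prefix grows, which is exactly the signal a remote attacker measures as response latency; ct_equals does the same amount of work for every guess. When backporting, the important part is not the C function itself but finding every place a module compares a secret-derived value against peer-supplied input and routing it through the constant-time function.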