
Openfire

v5.1.0 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 17h ago · Category: Communication & Email
✓ No known CVEs patched

Topics

collaboration jabber java openfire xmpp xmpp-server

Affected surfaces

auth crypto_tls deps breaking_upgrade

Summary

AI summary

Mixed release: hardens SCRAM-SHA-1 SASL authentication against timing attacks and user enumeration, removes a hardcoded IV and a weak SHA-1-derived Blowfish key from parameter encryption, limits iteration over certificate Subject Alternative Names (SANs), stops using Common Name based identities by default, adds configurable rate limiting for new C2S and S2S connections, and upgrades a number of dependencies (Netty 4.2, log4j, commons-dbcp2, OJDBC, among others).

Full changelog

Improvement

  • [OF-536] - Upgrade JmDNS from pre 1.0 to 3.6.3
  • [OF-1927] - Show TCP port used for server-to-server connections
  • [OF-2694] - Add support for channel binding
  • [OF-2970] - Have Cache-control headers on HTTP responses
  • [OF-3037] - Admin console page to review failed S2S connection attempts
  • [OF-3074] - Prevent hardcoded IV when encrypting parameters
  • [OF-3075] - Weak SHA1 hash used as key for blowfish
  • [OF-3102] - Improve Embedded DB error handling
  • [OF-3105] - Improve MUC Avatar support
  • [OF-3111] - Gracefully stop Jetty
  • [OF-3115] - Improve detection of improperly ending user session
  • [OF-3122] - Stop by default using Common Name based identities
  • [OF-3128] - PluginMonitor to immediately reload parent/child plugins
  • [OF-3150] - Eliminate unnecessary database lookups for MUC service identifiers by relying on in-memory mucServices data.
  • [OF-3154] - Disable automatic kicking of inactive MUC occupants by default; make behavior configurable.
  • [OF-3159] - Limit iteration over certificate Subject Alternative Names (SANs)
  • [OF-3169] - Fix concurrency, ordering, and flush correctness issues in CachingPubsubPersistenceProvider
  • [OF-3176] - Offload blocking operations from Netty event loop threads to improve performance
  • [OF-3179] - Enforce deterministic ordering of ConnectionCloseListener execution
  • [OF-3181] - Allow static configuration of cluster node ID
  • [OF-3182] - Reuse EventLoopGroup and EventExecutorGroup for outbound S2S connections
  • [OF-3184] - Have a healthcheck in the Docker image
  • [OF-3185] - Improve error handling when inbound S2S does not offer any auth mechanism
  • [OF-3186] - Generate less verbose log messages for network scanners
  • [OF-3195] - Avoid writing closing stream stanza when Netty channel is inactive
  • [OF-3196] - DefaultPubSubPersistenceProvider.loadNodes() has O(n²) complexity causing multi-hour startup times at scale
  • [OF-3202] - Replace queue-emptiness check in PacketsProcessor.isDone() with an explicit completion flag
  • [OF-3203] - HappyEyeballsResolver's 'done' method name can be confusing
  • [OF-3204] - readSerializableMap incorrectly casts key type to String, violating Serializable contract
  • [OF-3206] - Upgrade OJDBC from 23.7.0.25.01 to 23.26.2.0.0
  • [OF-3211] - Make plugin directory destruction timeout configurable
  • [OF-3214] - Check that the payload size does not exceed the node's configured maximum (XEP-0060 §7.1.3.5)
  • [OF-3220] - Server does not parse client ACKs from BOSH requests
  • [OF-3233] - Add timeout/fallback for synchronous cluster statistics request in admin page
  • [OF-3240] - Modernize DB capability detection in DbConnectionManager to reduce stale hard-coded assumptions
  • [OF-3242] - Add partial wildcard support to dnsutil.dnsOverride (for example *.external.com)
  • [OF-3245] - DefaultPubSubPersistenceProvider should use DbConnectionManager large-text helpers for payload columns
  • [OF-3250] - Support Recursive Re-lookup for DNS Override Resolution
  • [OF-3251] - Add explicit IPv6 support to DNS Override
  • [OF-3252] - Update org.apache.commons:commons-dbcp2 from 2.9.0 to 2.14.0 and commons-pool2 from 2.9.0 to 2.13.1
  • [OF-3257] - Guard against timing attacks in ScramSha1SaslServer
  • [OF-3258] - Guard against user enumeration in ScramSha1SaslServer
  • [OF-3260] - Support RFC 7239 Forwarded header in addition to X-Forwarded-*
  • [OF-3261] - Add configuration for trusted reverse proxies when using forwarded headers
  • [OF-3262] - Replace IP-only login tracking with per-username + IP tracking
  • [OF-3264] - IpUtils: handle IPv6 zone/scope ID suffixes in string-based address methods
  • [OF-3268] - Refactor inbound S2S SASL EXTERNAL flow to remove duplicate post-auth checks in SASLAuthentication
  • [OF-3273] - SASLAuthentication accepts mechanisms not advertised for the current connection/session
  • [OF-3275] - Update log4j from 2.25.4 to 2.26.0
  • [OF-3283] - Improve clustered outgoing session setup to reuse routes created by other nodes
  • [OF-3286] - Replace fragmented/inconsistent locking strategy in GroupManager
  • [OF-3288] - Unify cache clearing of paginated and non-paginated group names

Story

  • [OF-3170] - Implement configurable rate limiting for new connections (C2S and S2S)

Task

  • [OF-2554] - Merge docker documentation
  • [OF-2957] - Upgrade to Netty 4.2
  • [OF-3163] - Remove code marked to be removed in Openfire 5.1.0
  • [OF-3207] - Update database used by unit tests (to 38)
  • [OF-3235] - Fix malformed link markup in installation guide (hre instead of href)
  • [OF-3237] - Add Firebird database support to Openfire
  • [OF-3238] - Add CockroachDB database support to Openfire
  • [OF-3239] - Add MariaDB database support to Openfire
  • [OF-3253] - Update org.jsmpp:jsmpp library from version 2.3.10 to 3.0.2
  • [OF-3254] - Update Jaxen
  • [OF-3259] - Phase out legacy property self-signed certificate acceptance
  • [OF-3271] - Improve admin UI labels for idle user kick and ping settings
  • [OF-3289] - Bump slf4j 2.0.17 -> 2.0.18
  • [OF-3290] - Update junit from 6.0.3 to 6.1.0
  • [OF-3291] - Upgrade org.json:json from 20231013 to 20260522
  • [OF-3292] - Remove ResourceServlet (dead code)
  • [OF-3293] - Bump com.twelvemonkeys.imageio 3.12.0 -> 3.13.1
  • [OF-3294] - Bump org.apache.httpcomponents:httpclient 4.5.13 -> 4.5.14
  • [OF-3295] - Update all maven build plugins to latest releases

New Feature

  • [OF-2034] - Add support for XEP-0398 User Avatar to vCard-Based Avatars Conversion
  • [OF-2684] - Add 'demoboot' to Windows distribution
  • [OF-2879] - Add support for XEP-0440 SASL Channel-Binding Type Capability
  • [OF-3099] - PubSub event listening
  • [OF-3101] - Show Profile / vCard data in admin console
  • [OF-3129] - PluginMonitor to offer blocking plugin reload
  • [OF-3141] - Extend JMX to Include All Monitoring Statistics and Expose via Web API
  • [OF-3188] - Add generic support for Service Discovery Extensions
  • [OF-3210] - Support Java 25
  • [OF-3244] - Add page to manage DNS override
  • [OF-3277] - Helper method to determine which keyword to use for limiting an SQL result set

Sub-task

  • [OF-3171] - Implement core rate limiting for new connections
  • [OF-3172] - Add configuration UI for connection rate limiting in the Admin Console
  • [OF-3173] - Expose metrics in Statistics API

Bug

  • [OF-1387] - PubSub Admin Console - No confirmation dialogue when deleting a subscriber
  • [OF-2309] - NPE at bootup when not loading a plugin
  • [OF-3077] - Potential padding oracle in CBC-mode encryption
  • [OF-3094] - Client-to-Server SASL EXTERNAL incorrectly queries for authzid
  • [OF-3119] - MacOS HappyEyeballs testAllResultsWhenPreferredHostProvidedSecondButWithinResolutionDelay failures
  • [OF-3121] - Parent plugin classloader destroyed before plugin unloaded
  • [OF-3131] - Chatroom subject not always sent upon join
  • [OF-3142] - Rate-Type Statistic Reads Are Destructive and Affect Other Consumers
  • [OF-3152] - loadHistory(room) does not respect HistoryStrategy's max
  • [OF-3168] - Admin console opens wrong default page when item order attribute differs from XML definition
  • [OF-3187] - AuthCheckFilter exclusions are lost when AdminConsolePlugin restarts
  • [OF-3189] - Fix missing DOAP entries for Service Discovery Extensions
  • [OF-3192] - concurrent.TimeoutException in WebsocketFramePingTask.run
  • [OF-3193] - Silent packet loss when delivering to a closed outgoing server-to-server session
  • [OF-3194] - EntityCapabilitiesManager sends duplicate disco#info requests to clients on login
  • [OF-3199] - loadNode() (single-node overload) throws NullPointerException when loading a node that has a parent
  • [OF-3201] - outgoingServerSessionCreated not called when exception occurs after addOutgoingDomainPair, leaving orphaned route in routing table
  • [OF-3208] - Plugin unloading fails on Windows due to JVM file locks on extracted plugin files
  • [OF-3209] - PluginManager fails to unload/reload plugins on Windows due to orphaned plugin directories being reloaded
  • [OF-3212] - null rootCollectionNode in pubsub.CollectionNode.getSubscription(org.xmpp.packet.JID)
  • [OF-3215] - Invoking Purge on a collection node should not throw exception
  • [OF-3216] - Missing node attribute in disco#info requests breaks XEP-0115 compliance
  • [OF-3217] - Improper handling of extended data forms leads to invalid capability processing
  • [OF-3218] - Missing validation allows malformed disco#info responses to be accepted
  • [OF-3219] - BOSH overactivity detection rejects valid requests
  • [OF-3221] - Server includes redundant ACK attributes in BOSH responses
  • [OF-3243] - DNS Wildcard Pattern Matching in DNSUtil.isNameCoveredByPattern() Needs Dot-Boundary Validation
  • [OF-3256] - Plugin icon missing for some plugins
  • [OF-3272] - Concurrency issue in CSI
  • [OF-3276] - Autosetup should not update admin user when no data provided
  • [OF-3285] - Changes to group sharing visibility are not immediately reflected in users' contact lists
  • [OF-3287] - Group members' user cache not evicted for non-shared groups
  • [OF-3296] - Encrypted XML properties can lose encryption during database migration
  • [OF-3297] - Manual migration code overwrites already-migrated SystemProperty values with their defaults

sha256sum values

0686b30d4fb5e6f7c43bff7071ac425e45a19bbd528e301df065ef8d60355ef5  openfire-5.1.0-1.noarch.rpm
90b21993ba65d98357154183fd12e938547e68cbc59301f69b8506f483580269  openfire_5.1.0_all.deb
5fff05c4a689ae3431d5578f594e37cf7a68a2c0f36380b76d132d79217913c0  openfire_5_1_0.dmg
f72d766957eb09bedcbe8a5f64c38db85684af62bf5282534a162385f7b449ed  openfire_5_1_0.exe
0cc848b56339f07fdcbcbb92dea73a35c00661576d68f1908640ecf7c3b6febc  openfire_5_1_0.tar.gz
a830b0451770d6c8f8db81b3584299f54c48ca8c6d4bf42671325fef0b74c878  openfire_5_1_0_x64.exe
8b3f30505b3996b4b8261a99710ac2387131dac9b5a75fbbf65e9e3419aa22f5  openfire_5_1_0.zip

Security Fixes

  • Guard against timing attacks in ScramSha1SaslServer (OF-3257)
  • Guard against user enumeration in ScramSha1SaslServer (OF-3258)
  • Prevent hardcoded IV when encrypting parameters (OF-3074)
  • Weak SHA1 hash used as key for Blowfish encryption is removed (OF-3075)

About Openfire

Real time collaboration (RTC) server.

