Re: UnrealIRCd 4.0.5 released (Security fixes)
From: Bram M. <sy...@un...> - 2016-07-28 18:43:33
Apologies. The initial 4.0.5 download was killing innocent users ("flood from unknown connection") due to a silly mistake from me.

The 4.0.5 download has now been replaced and checksums etc. have been updated.

If you were among one of the 41 downloaders (28 unique IPs) who downloaded UnrealIRCd 4.0.5 between initial release and this fix, then please re-download 4.0.5 from www.unrealircd.org <https://www.unrealircd.org/> and install the fixed version.

I'm really sorry for the trouble.

In case anyone wonders: automated testing didn't catch this issue because the tests ran on localhost/LAN, resulting in no recvq. And we couldn't push out any release candidate (which results in a lot more testing) because this was a security release... :(

Anyway, please still do upgrade to UnrealIRCd 4.0.5 somewhere in the next few days (now with this new fixed version). See the release announcement / security advisory below.

Bram Matthys wrote on 28-7-2016 16:22:
>
> Hi everyone,
>
> UnrealIRCd 4.0.5 has been released today. *We recommend everyone to
> upgrade* somewhere in the next few days. This release fixes the following
> serious issues:
>
> * Fix crash issue (read-after-free)
> * Prevent flood from unknown connection
> * Bans on IPv6 cloaked hosts had no effect
>
> These issues affect all 4.0.x versions until now.
>
> *Issue details*
> The crash is rare under normal circumstances. However, it is possible to
> trigger the crash remotely on purpose if you know how.
> The crash issue has a CVSS score of 7.5 (High):
> CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RC:C
>
> The "unknown connection flood" issue allows an attacker to consume IRCd
> resources. We have an "unknown flood" protection mechanism which was
> supposed to kick in and kill the user, but it didn't always do this in time.
> The unknown connection flood issue has a CVSS score of 5.3 (Medium):
> CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/RC:C
>
> Finally, the IPv6 ban bug is an obvious mistake. Bans on nick, ident, hosts,
> IPv4 real IPs, IPv6 real IPs, vhosts, etc. all work, but bans on IPv6
> cloaked hosts do not (+b *!*@XXXXXXX:YYYYYYY:ZZZZZZZ). If you ban a user
> with such a mask, they can still (re)join and speak. You can temporarily
> work around this bug by replacing the colons with question marks
> (+b *!*@XXXXXXX?YYYYYYY?ZZZZZZZ).
>
> *Q&A*
>
> *Have there been any reports of these bugs being abused by anyone?*
> We have had no reports of the crash or flood bug being abused by anyone.
> However, we recommend everyone to upgrade somewhere in the next couple of days.
>
> *Should I upgrade?*
> Yes.
>
> *Are there any workarounds so I don't have to upgrade?*
> For the IPv6 ban bug on cloaked hosts there's a workaround, see "Issue
> details" above. For the other bugs there is no workaround available.
>
> *Can I upgrade without restarting the IRC server?*
> No. Although a lot of UnrealIRCd is modularized, these bugs are located in
> the "core", which cannot be upgraded without a restart.
>
> *How serious are these bugs?*
> See the "Issue details" above. These include CVSS scores.
>
> *When were these issues reported?*
> The IPv6 ban issue was reported yesterday. The crash issue was reported
> before but the cause of it was very hard to trace. It was finally traced and
> fixed today. The flood issue was found recently during our own tests. We
> decided to bundle it with the other two fixes.
>
> *Updates to this advisory*
> This release announcement/advisory can be found here
> <https://forums.unrealircd.org/viewtopic.php?f=1&t=8568>. Small
> corrections/updates will be posted there, if any.
>
> *What's new in UnrealIRCd 4*
> A short overview of the most important changes:
>
> * You decide what to load <https://www.unrealircd.org/docs/Modules>. We
>   have moved as much functionality as possible to 150+ individually
>   loadable modules (commands
>   <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
>   <https://www.unrealircd.org/docs/User_modes>, channel modes
>   <https://www.unrealircd.org/docs/Channel_modes>, extbans
>   <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You
>   decide which features your UnrealIRCd should have.
> * Fine-grained IRCOp privileges
>   <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
>   privileges are granted has been redone entirely. This allows you to
>   configure oper privileges on a very detailed level. You don't want
>   OperOverride? You don't want opers to see secret channels? Or you want
>   an oper with a very minimal set of privileges? This is all possible.
> * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
>   documentation has been moved to a wiki
>   <https://www.unrealircd.org/docs/>. It's even better than before and
>   more accessible to people who are new to IRCds. The wiki also allows
>   easy translation
>   <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
>   community members.
> * New directory structure
>   <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
>   *NIX the IRCd is now always installed to a different directory than
>   where you compile from (~/unrealircd by default). No more mess. On both
>   *NIX and Windows configuration files go in conf/, modules go in
>   modules/, etc. Configuration files can be identical on Windows and
>   *NIX. This new directory structure also allows easier packaging.
> * New I/O system using kqueue & epoll. The IRCd can now handle thousands
>   of users more easily.
> * Improved SSL/TLS support. SSL has always been a major feature in
>   UnrealIRCd but has been enhanced. UnrealIRCd is now always built with
>   SSL support (both on *NIX and Windows). SSL client certificate
>   fingerprints are visible in /WHOIS, there is a new certfp extban
>   <https://www.unrealircd.org/docs/Extended_bans>
>   (~S:certificatefingerprint), better defaults including 4096 bit keys and
>   Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>,
>   etc.
> * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
>   (DNSBL/RBL). Great for combating drones and other abusers.
> * Better and more helpful error messages, especially regarding the
>   configuration file.
> * More modern server-to-server protocol
>   <https://www.unrealircd.org/docs/Server_protocol:Changes>, such as using
>   UIDs/SIDs, resulting in fewer desynch issues.
> * Lowering the bar for Spamfilter
>   <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
>   now choose between 'regex' and 'simple' matching. Simple matching allows
>   using the usual '?' and '*' wildcards that everyone knows about. The
>   regex engine has been moved from TRE to PCRE (about twice as fast).
> * Configuration is more logical
>   <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of
>   the configuration blocks have been restructured. Don't worry, we include
>   an UnrealIRCd 3.2.x to 4.x configuration file converter.
> * Easier 3rd party module management. On *NIX you now just put your 3rd
>   party modules in src/modules/third/ and then each time you run 'make'
>   they will be compiled if needed.
> * Easier upgrading. On *NIX, when upgrading to a new version, ./Config
>   will ask you to import settings from a previous installation,
>   remembering your installation directory and other settings. It will also
>   copy the 3rd party modules from the old to the new installation and
>   re-compile them.
> * More secure. Even better secure defaults, more warnings about insecure
>   behavior, ..
> * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
>
> For developers:
>
> * Easier source navigation. Because we moved almost everything to modules,
>   it's now much easier to see all the code for a particular feature.
> * Cleaner code. There have been a lot of source code cleanups. Code has
>   been restructured or rewritten. Old irrelevant code has been deleted.
> * Development documentation can be found on the wiki
>   <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
>   module in C and list all the details on the various Module APIs such as
>   how to write commands, channel modes, plug in by using Hooks, etc.
>
> *Upgrading from 3.2.x to UnrealIRCd 4*
> If you are upgrading from 3.2.x to 4.x then there are three important things
> to know:
>
> *1) New file locations*
> In UnrealIRCd 4 the location of the configuration files and other files has
> been changed. On *NIX the directory where you compile the IRCd from
> (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
> the directory where the IRCd will be running from.
> By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX.
> On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
>
> The new directory structure is as follows (both on Windows and *NIX):
> conf/ contains all configuration files
> logs/ for log files
> modules/ all modules (.so files on *NIX, .dll files on Windows)
>
> *2) Configuration file changes*
> There have also been changes in various configuration blocks and settings.
> Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files
> to UnrealIRCd 4 format. There's no need to start from scratch.
> Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
> information on the config file conversion.
>
> *3) Third party modules*
> If you are using 3rd party modules (modules not developed by the UnrealIRCd
> team) then they will require an update before they can run on UnrealIRCd 4.
> Contact your developer for a new version or ask on our Modules forum
> <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
> enough to convert the module for you if you ask nicely. Due to the many core
> changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
> out-of-the-box on 4.x as well.
>
> *Running a mixed 3.2.x / 4.x network*
> You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
> <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
>
> *End of the 3.2.x series*
> With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
> All support for the 3.2.x series will stop after December 31, 2016.
> See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
>
> *Download*
> As always, you can download UnrealIRCd from https://www.unrealircd.org/
> All releases are signed with our PGP key (short key id 0x108FF4A9 and long
> id 0xA7A21B0A108FF4A9)
>
> Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
>
> --
> Bram Matthys
> Software developer/IT con...@vu...
> Website: www.vulnscan.org
> PGP key: www.vulnscan.org/pubkey.asc
> PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
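The IPv6 ban workaround quoted above (replacing each ':' in a cloaked host mask with '?') works because channel bans are IRC-style glob matches over the full nick!ident@host string. The following C program is an added example, not UnrealIRCd's own match code: a simplified case-insensitive matcher (plain ASCII folding is assumed; real IRC casemapping also folds a few bracket characters) checked against a constructed cloaked host, which also shows the caveat that the '?' form is slightly broader than the ':' form since '?' accepts any single character in those positions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* IRC-style glob match: '*' matches any run of characters (including none),
 * '?' matches exactly one. Case-insensitive via plain ASCII folding
 * (simplified assumption; IRC casemapping also folds []\~ with {}|^). */
bool mask_match(const char *mask, const char *str)
{
    const char *star_m = NULL, *star_s = NULL;
    while (*str) {
        if (*mask == '*') {
            star_m = mask++;            /* remember last '*' for backtracking */
            star_s = str;
        } else if (*mask == '?' ||
                   tolower((unsigned char)*mask) == tolower((unsigned char)*str)) {
            mask++;
            str++;
        } else if (star_m) {
            mask = star_m + 1;          /* let the last '*' absorb one more char */
            str = ++star_s;
        } else {
            return false;
        }
    }
    while (*mask == '*') mask++;        /* trailing '*'s may match nothing */
    return *mask == '\0';
}

/* Build "nick!ident@host" and test it against a channel ban mask. */
bool ban_applies(const char *mask, const char *nick, const char *ident, const char *host)
{
    char full[512];
    snprintf(full, sizeof full, "%s!%s@%s", nick, ident, host);
    return mask_match(mask, full);
}

int main(void)
{
    /* Constructed cloaked IPv6 host, shaped like the advisory's placeholder. */
    const char *host = "XXXXXXX:YYYYYYY:ZZZZZZZ";
    const char *colon_mask = "*!*@XXXXXXX:YYYYYYY:ZZZZZZZ";  /* ineffective on affected 4.0.x */
    const char *qmark_mask = "*!*@XXXXXXX?YYYYYYY?ZZZZZZZ";  /* the advisory's workaround */

    printf("colon mask matches: %d\n", ban_applies(colon_mask, "abuser", "ident", host));
    printf("?-mask matches:     %d\n", ban_applies(qmark_mask, "abuser", "ident", host));
    /* Caveat: '?' also accepts any other single character in those slots. */
    printf("?-mask also matches a '-' host: %d\n",
           ban_applies(qmark_mask, "other", "id", "XXXXXXX-YYYYYYY-ZZZZZZZ"));
    return 0;
}
```

A correct matcher accepts both masks for the cloaked host; the advisory does not say where in the server the ':' form failed, only that the '?' form sidesteps it.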