Updated UnrealIRCd 4.0.10 for Windows

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

(You can unsubscribe here 
<https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of 
the page)

LibreSSL, the library we use for SSL/TLS on Windows, has released an update. 
There seemed to be a security issue in the way they implemented ECDSA. This is 
only an issue if you use /elliptic curve certificates/, not if you use /RSA 
/certificates (=the default).
We have replaced the Windows download of UnrealIRCd 4.0.10 on our website (new 
filename: /unrealircd-4.0.10-sslfix.exe/). If you use UnrealIRCd on Windows 
with an elliptic curve certificate then you should upgrade to this version.

For reference, the exact text from the LibreSSL folks is as follows:

     * Avoid a side-channel cache-timing attack that can leak the ECDSA
       private keys when signing. This is due to BN_mod_inverse() being
       used without the constant time flag being set. Reported by Cesar
       Pereida Garcia and Billy Brumley (Tampere University of Technology).
       The fix was developed by Cesar Pereida Garcia.

You can use /VERSION on IRC as an IRCOp(!) to figure out which LibreSSL 
version is in use.
If you see this then it's the *old *version with the ECDSA bug:
[08:18:08] -irc.test.net- LibreSSL 2.4.4
After upgrading you should see this, which confirms you are using the *new 
*version:
[08:30:24] -irc.test.net- LibreSSL 2.4.5

As always, you can download UnrealIRCd from www.unrealircd.org.

-- 
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: 2ABD 57FA 7783 5ADD C5EC  8ED7 DE93 B8B4 7E74 5EB3