UnrealIRCd 4.0.16.1 & 4.0.17-rc1

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Not one but two UnrealIRCd releases today. But they are not for
everyone.. ;)

UnrealIRCd *4.0.16.1* fixes a couple of issues that affected only a few
users. If your UnrealIRCd 4.0.16 is working fine then I'm not
recommending an upgrade at this point. Just use it for new installations.

Also available is an early first release candidate for next release,
UnrealIRCd *4.0.17-rc1*. The most visible changes are experimental utf8
support in set::allowed-nickchars and two new (optional) modules
"msgbypass" and "timed bans" (remove ban after X minutes). The stable
release for 4.0.17 is scheduled end of December. You can help us by
testing and reporting any issues/bugs at https://bugs.unrealircd.org/.

The changes in both versions are outlined below:

*Changes between version 4.0.16 and 4.0.16.1*
An interim release with a couple of backported fixes:

  * Fix hang in (outgoing) server linking
  * Fix crash when linking anope over SSL from non-localhost
  * '/SPAMFILTER del <id>' did not remove the spamfilter on other servers
  * set::restrict-extendedbans was not always applied (when stacked)
  * Update automated build scripts

*Changes between version 4.0.16(.1) and 4.0.17-rc1
*Improvements

  * Added experimental UTF8 support in set::allowed-nickchars. See
    https://www.unrealircd.org/docs/Nick_Character_Sets
    /Example: set { allowed-nickchars { latin-utf8; }; };     /
    Important remarks:
      o All your servers must be on UnrealIRCd 4.0.17-rc1
      o Most(?) services do not support this, so users using UTF8
        nicknames won't be able to register at NickServ.
      o In set::allowed-nickchars you must either choose an utf8
        language or a non-utf8 character set. You cannot combine the two.
      o You also cannot combine multiple scripts/alphabets, such as:
        latin, greek, cyrillic and hebrew. You must choose one.
      o If you are already using set::allowed-nickchars on your network
        (eg: 'latin1') then be careful when migrating (to eg: 'latin-utf8'):
          + Your clients may still assume non-UTF8
          + If users registered nicks with accents or other special
            characters at NickServ then they may not be able to access
            their old account after the migration to UTF8.
      o There is no CASEMAPPING or "visually identical character"-checking.
          + Just like in the old (non-utf8) charsys this means there is
            no lower/uppercase checking for allowed-nickchars nicks. So
            a nick with "O with accent" can be online at the same time
            as "o with accent". They are treated as two different users.
          + The identical character looking issue is particular
            noticeable in Cyrillic script where for example cyrillic "A"
            looks identical to latin "A" and thus can be used to
            impersonate a user.
          + Improved CASEMAPPING and "visually similar
            character"-checking is part of ongoing research at the IRCv3
            working group.
  * Two optional modules. These are not loaded by default. To use them,
    include modules.optional.conf, or add these loadmodule lines:
    loadmodule "extbans/msgbypass";
    loadmodule "extbans/timedban";
      o New ban exception ~m:type:mask which allows bypassing of message
        restrictions.
        Valid types are: 'external' (bypass +n), moderated (bypass
        +m/+M), 'filter' (bypass +G), 'color' (bypass +S/+c) and
        'notice' (bypass +T).
        Some examples:
          + Let LAN users bypass +m: /+e ~m:moderated:*!*@192.168.*/
          + Let ops in #otherchan bypass +m in this channel: /+e
            ~m:moderated:~c:@#otherchan/
          + Make GitHub commit bot bypass +n: /+e ~m:external:*!*@ipmask/
          + Allow a services account to use color: /+e ~m:color:~a:ColorBot/
      o Timed bans: ~t:duration:mask
        These are bans that are automatically removed by the server. The
        duration is in minutes and the mask can be any ban mask.
        Some examples:
          + A 5 minute ban on a host: /+b ~t:5:*!*@host/
          + A 5 minute quiet ban on a host (unable to speak):/+b
            ~t:5:~q:*!*@host/
          + An invite exception for 1440m/24hrs: /+I ~t:1440:*!*@host/
          + A temporary exempt ban for a services account: /+e
            ~t:1440:~a:Account/
          + Allows someone to speak through +m for the next 24hrs: /+e
            ~t:1440:~m:moderated:*!*@host/
          + And any other crazy ideas you can come up with...
  * Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
    This is only available if the previously mentioned extbans/timedban
    module is loaded.
  * Ability to customize the reject connection messages:
    set {
        reject-message {
             password-mismatch "Password mismatch";
             too-many-connections "Too many connections from your IP";
             server-full "This server is full.";
             unauthorized "You are not authorized to connect to this
    server";
         };
     };

Major issues fixed

  * Fix hang in (outgoing) server linking
  * Fix crash when linking anope over SSL from non-localhost
  * '/SPAMFILTER del <id>' did not remove the spamfilter on other servers

Minor issues fixed

  * set::restrict-extendedbans was not always applied (when stacked)

*Other changes
*

  * UnrealIRCd will no longer give user mode +z to users on WEBIRC
    gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us some
    assurance that the client<->webirc gateway connection is also secure
    (eg: https).
    This is the regular WEBIRC format:
    WEBIRC password gateway hostname ip
    This indicates a secure client connection (NEW):
    WEBIRC password gateway hostname ip :secure
    Naturally, WEBIRC gateways MUST NOT send the "secure" option if the
    client is using http or some other insecure protocol.

*For module coders*

  * New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION
    <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION>

*For services coders:*

  * Don't forget to send an EOS (End Of Synch) at the end of the
    handshake, if you are not doing so already. It's important:
    :your.services.server EOS

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6