UnrealIRCd 4.0.18 released
From: Bram M. <sy...@un...> - 2018-06-23 15:02:59
Hi everyone,

UnrealIRCd 4.0.18 (stable) is now available for download. This is a recommended upgrade because it fixes some memory leaks / security issues present in 4.0.17 and earlier versions. There's no need to rush the upgrade (there is no imminent threat), but it is advised to upgrade somewhere in the next few weeks. Naturally there are also enhancements and other bug fixes since 4.0.17, see below.

*Changes between version 4.0.17 and 4.0.18*

*Improvements*
 * Support for checking IPv6 addresses in DNS blacklists.
 * The blacklist module now checks WEBIRC users as well.
 * For SSL/TLS we now set the default ECDH(E) curves to be X25519:secp521r1:secp384r1:prime256v1 if using a recent version of OpenSSL/LibreSSL. This can be overridden via set::ssl::ecdh-curve.
 * You can now require SASL <https://www.unrealircd.org/docs/SASL> authentication for all clients via the allow block (for example, on a dedicated server that permits proxies/tor):

   allow {
       ip *;
       class clients;
       maxperip 2;
       options { require-sasl; };
   };

*Major issues fixed*
 * A number of (potential) security issues were fixed:
   o Memory leaks: this could allow an attacker to slowly consume all available memory and ultimately cause UnrealIRCd to crash.
   o Out of bounds read: in practice this does not seem to be exploitable due to the many restrictions that are imposed.
 * Compile issues on macOS.
 * Bug in the blacklist module which could have caused false negatives, allowing in bad guys who should have been denied.
 * The new optional feature 'set::cloak-method ip' caused identical cloaks.

*Minor issues fixed*
 * When using '/REHASH -ssl' or './unrealircd reloadtls' it did not reload the SSL certificate/key if you were using ssl-options in listen, sni or link blocks. In short: it only reloaded the ones from set::ssl until now.
 * m_ircops sent a conflicting numeric, confusing some clients.
 * Starting UnrealIRCd through a non-interactive(!) ssh session could cause the ssh session to hang.

*Other changes*
 * The built-in time synchronization feature is now disabled by default. TimeSynch was added back in 2006 when lots of operating systems did not ship with time synchronization turned on by default. Since incorrect time severely breaks IRC networks this was a major problem. Nowadays this is completely different, with most Linux distros, OS X, Windows, etc. doing time synchronization out of the box. Since UnrealIRCd's implementation is less precise and lacks authentication it's best left to the system. You can still re-enable timesynch via:

   set { timesynch { enabled yes; }; };

   .. but you should really use NTP or similar for system-wide time synchronization instead.
 * For developers there's now the --with-werror compile option which will add -Werror.
 * Added a lot more Travis-CI tests: various LibreSSL/OpenSSL versions and also tests on macOS. This is to prevent us from releasing broken stuff.
 * Various code cleanups to get rid of lots of needless casts and to eliminate compiler warnings.
 * Just as a reminder (this change was already in version 4.0.17): UnrealIRCd will no longer give user mode +z to users on WEBIRC gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us some assurance that the client<->webirc gateway connection is also secure (eg: https).

   This is the regular WEBIRC format:

   WEBIRC password gateway hostname ip

   This indicates a secure client connection (NEW):

   WEBIRC password gateway hostname ip :secure

   Naturally, WEBIRC gateways MUST NOT send the "secure" option if the client is using http or some other insecure protocol.

*For module coders*
 * HOOKTYPE_CHANNEL_SYNCED prototype changed: 'merge' and 'removetheirs' are now no longer an 'unsigned short' but an 'int' instead.
 * HOOKTYPE_MODE_DEOP prototype changed: 'modechar' is now no longer a 'char' but an 'int' instead.
 * In addition to safestrdup() there's now also safestrldup() which allows you to specify a maximum allocated length (so including the nul byte). This is used in m_pass.c and m_topic.c.
 * New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION>

*Future versions (heads up)*
 * We intend to change the default plaintext oper policy from 'warn' to 'deny' later this year. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9).

*Bug reports and feature enhancements*
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/
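The WEBIRC ":secure" rule recalled in the announcement (the +z reminder under "Other changes") is easy to get subtly wrong on the IRCd side, so here is an added example, written for this page and not taken from UnrealIRCd's code base: a small C parser for the "WEBIRC password gateway hostname ip [:secure]" line and the +z decision it feeds, which grants the mode only when the gateway->ircd link is TLS AND the gateway explicitly sent ":secure". The struct, field sizes, function names and the sample lines are assumptions constructed for illustration; over-long tokens are rejected rather than truncated so a spoofed IP can never be silently cut short.

```c
/*
 * Added example (not UnrealIRCd code): parse "WEBIRC password gateway hostname ip [:secure]"
 * and decide whether the spoofed user may receive user mode +z.
 * All names, buffer sizes and the decision helper are assumptions made for this illustration.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct webirc {
    char password[64];
    char gateway[64];
    char hostname[256];
    char ip[64];
    bool secure;   /* gateway asserted the client<->gateway leg is secure (":secure") */
};

/* Case-insensitive equality: IRC command names are case-insensitive. */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Copy the next space-separated token into buf (always NUL-terminated).
 * Returns 1 on success, 0 when no token is left, -1 when the token would not fit.
 * An over-long token is an error, never a truncation. */
static int next_token(const char **pp, char *buf, size_t size)
{
    const char *p = *pp;
    while (*p == ' ')
        p++;
    if (*p == '\0' || *p == '\r' || *p == '\n')
        return 0;
    const char *start = p;
    while (*p != '\0' && *p != ' ' && *p != '\r' && *p != '\n')
        p++;
    size_t len = (size_t)(p - start);
    if (len >= size)
        return -1;
    memcpy(buf, start, len);
    buf[len] = '\0';
    *pp = p;
    return 1;
}

/* Parse one WEBIRC line. Returns 0 on success, -1 if it is not a well-formed WEBIRC command. */
int parse_webirc(const char *line, struct webirc *out)
{
    char cmd[16];
    const char *p = line;

    memset(out, 0, sizeof *out);
    if (next_token(&p, cmd, sizeof cmd) != 1 || !ieq(cmd, "WEBIRC"))
        return -1;
    if (next_token(&p, out->password, sizeof out->password) != 1 ||
        next_token(&p, out->gateway,  sizeof out->gateway)  != 1 ||
        next_token(&p, out->hostname, sizeof out->hostname) != 1 ||
        next_token(&p, out->ip,       sizeof out->ip)       != 1)
        return -1;

    /* Optional trailing parameter. Only the exact word "secure" is honoured;
     * anything else, or nothing at all, leaves secure = false (the safe default). */
    while (*p == ' ')
        p++;
    if (*p == ':') {
        p++;
        size_t n = strcspn(p, "\r\n");
        if (n == 6 && strncmp(p, "secure", 6) == 0)
            out->secure = true;
    }
    return 0;
}

/* +z only when BOTH legs are secure: the gateway->ircd link is TLS and the gateway vouched for client->gateway. */
bool grant_usermode_z(bool gateway_link_is_tls, const struct webirc *w)
{
    return gateway_link_is_tls && w->secure;
}

int main(void)
{
    /* Constructed sample lines, as a WEBIRC gateway would send them. */
    const char *lines[] = {
        "WEBIRC s3cret cgiirc web.example.org 192.0.2.10 :secure",
        "WEBIRC s3cret cgiirc web.example.org 192.0.2.10",
        "WEBIRC s3cret cgiirc",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct webirc w;
        if (parse_webirc(lines[i], &w) != 0) {
            printf("malformed: %s\n", lines[i]);
            continue;
        }
        printf("ip=%s secure=%d -> +z over a TLS gateway link: %s\n",
               w.ip, (int)w.secure, grant_usermode_z(true, &w) ? "yes" : "no");
    }
    return 0;
}
```

The decision helper takes the TLS state of the gateway's own connection as an input rather than trusting anything in the line, because the gateway can only vouch for its leg to the client; whether its leg to the server is encrypted is something the server already knows and must check itself.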