UnrealIRCd 4.0.19-rc2 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second Release Candidate for UnrealIRCd 4.0.19 is now available for
download. You can help us by testing this release and reporting bugs to
https://bugs.unrealircd.org/
A stable release is scheduled end of September.

Compared with -rc1 this -rc2 version has halfop delayjoin fixes, ircop
+z override, a channel truncation issue fixed, support for slashes in
vhost and allow::options::sasl is removed. These are only minor changes
compared to all the other release highlights.

*Changes between version 4.0.18 and 4.0.19-rc2
*Improvements

  * New option to disable a module: blacklist-module
    <https://www.unrealircd.org/docs/Blacklist-module_directive>"modulename";
    This will cause any 'loadmodule' lines for that module to be
    ignored. This is especially useful if you only want to disable a few
    modules that are (normally) automatically loaded by
    conf/modules.default.conf.
  * Next three new features have to do with SASL. More information on
    SASL in general can be found here
    <https://www.unrealircd.org/docs/SASL>.
      o A new require sasl
        <https://www.unrealircd.org/docs/Require_sasl_block> { } block
        which allows you to force users on the specified hostmask to use
        SASL. Any unauthenticated users matching the specified hostmask
        are are rejected.
      o New "soft kline" and "soft gline". These will not be applied to
        users that are authenticated to services using SASL. These are
        just GLINE/KLINE's but prefixed with a percent sign:
        Example: /KLINE %*@10.* 0 Only SASL allowed from here
      o New "soft" ban actions for spamfilter, blacklist, antirandom, etc.
        Actions such as "soft-kline" and "soft-kill" will only be
        applied to unauthenticated users. Users who are authenticated to
        services (SASL) are exempt from the corresponding
        spamfilter/blacklist/antirandom/..
        See https://www.unrealircd.org/docs/Actions for the full action
        list.
      o WARNING: If your network also contains UnrealIRCd servers below
        v4.0.19 then it is not recommended to use _global_ soft bans
        (such as soft gline or any spamfilter with soft-xx actions).
        There won't be havoc, but the bans won't be effective on parts
        of the network. Local soft bans such as a soft /kline can still
        be used.
  * The following extban modules are not new but are now enabled by
    default: extbans/textban, extbans/timedban and extbans/msgbypass. In
    case you don't like them, use blacklist-module as mentioned earlier.
    Just as a reminder, they provide the following functionality:
      o TextBan: +b ~T:block:*badword* to block sentences with 'badword'
      o Timed bans: ~t:duration:mask
        These are bans that are automatically removed by the server. The
        duration is in minutes and the mask can be any ban mask.
        Some examples:
          + A 5 minute ban on a host: /+b ~t:5:*!*@host/
          + A 5 minute quiet ban on a host (unable to speak):/+b
            ~t:5:~q:*!*@host/
          + An invite exception for 1440m/24hrs: /+I ~t:1440:*!*@host/
          + A temporary exempt ban for a services account: /+e
            ~t:1440:~a:Account/
          + Allows someone to speak through +m for the next 24hrs: /+e
            ~t:1440:~m:moderated:*!*@host/
          + And any other crazy ideas you can come up with...
      o Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
      o Ban exception ~m:type:mask which allows bypassing of message
        restrictions.
        Valid types are: 'external' (bypass +n), moderated (bypass
        +m/+M), 'filter' (bypass +G), 'color' (bypass +S/+c) and
        'notice' (bypass +T).
        Some examples:
          + Let LAN users bypass +m: /+e ~m:moderated:*!*@192.168.*/
          + Let ops in #otherchan bypass +m in this channel: /+e
            ~m:moderated:~c:@#otherchan/
          + Make GitHub commit bot bypass +n: /+e ~m:external:*!*@ipmask/
          + Allow a services account to use color: /+e ~m:color:~a:ColorBot/
  * AntiRandom
    <https://www.unrealircd.org/docs/Set_block#set::antirandom>: The
    module will now (by default) exempt WEBIRC gateways from antirandom
    checking because they frequently cause false positives.
    This new behavior can be disabled via: set { antirandom {
    except-webirc no; }; }
  * Server linking attempts and errors are now also put in the log file.
  * Delayjoin: Halfops did not see JOIN's when channel mode +D was set.
  * IRCOps with minimal privileges lost their user modes on MODE change.
  * IRCOps could not override channel mode +z (when not using SSL/TLS)
  * Channel names sometimes truncated if using accents or special chars.

Major issues fixed

  * Blacklist: Potential crash issue when concurrently checking DNSBL
    for the WEBIRC gateway and the spoofed host.
  * Blacklist: In case of multiple blacklists the 2nd/3rd/.. blacklists
    were not always checked properly.

Minor issues fixed

  * Remote includes: ./Config didn't properly detect libcurl on Ubuntu
    18 (and possibly other Linux distributions as well)
  * Timeouts during server linking attempts were not displayed.

*Removed
*

  * allow::options::sasl has been removed. Use the new and more flexible
    require sasl { } block instead.

*Other changes
*

  * Windows users may be prompted to install the Visual C++
    redistributable package for Visual Studio 2017. This is because we
    now build on VS 2017 instead of VS 2012.
  * We now use standard formatted messages for all K-Lines, G-Lines and
    any other bans that will cause the user to be disconnected. For
    technical details see the banned_client() function.
  * The except throttle
    <https://www.unrealircd.org/docs/Except_throttle_block>{ } block now
    also overrides any limitations from
    set::max-unknown-connection-per-ip
    <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip>.
    Useful for WEBIRC gateways
    <https://www.unrealircd.org/docs/WebIRC_Support>.
  * Localhost connections are considered secure, so these can be used
    even if you have a plaintext-policy of 'deny' or 'warn'. (This was
    already the case for servers, but now also for users and opers)
  * Allow slashes in vhost/chghost/sethost/.. (but not through DNS)

*For module coders*

  * Windows: Be aware that we now build with Visual Studio 2017. This
    means 3rd party modules should be compiled with VS 2017 (or VS 2015)
    as well.

*Future versions (heads up):*

  * We intend to change the default plaintext oper policy from /warn/ to
    /deny/ later this year. This will deny /OPER when issued from a
    non-SSL connection. For security, IRC Operators should really use
    SSL/TLS when connecting to an IRC server!

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6