UnrealIRCd 4.2.1 released
From: Bram M. <sy...@un...> - 2018-12-27 08:25:27
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.2.1 (stable) is now available for download.

This version enhances support for authentication <https://www.unrealircd.org/docs/Authentication>. Also new is a module to combat mixed UTF8 character spam, a rewrite of the operclass privileges and more secure password hashing with Argon2.

If you missed the 4.2.0 release, then consider looking at the previous release announcement <https://forums.unrealircd.org/viewtopic.php?f=1&t=8843> as well.

NOTE: There will be no further 4.0.x releases. Current stable is 4.2.x. For more information, see the FAQ item: Questions about the new 4.2.x series <https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series>.

*Changes between version 4.2.0 and 4.2.1*

*Improvements*

* Support for authentication prompt <https://www.unrealircd.org/docs/Authentication>: Since 4.2.0 you can require specific users to authenticate themselves with their nickname and password via SASL. We now offer a new experimental module called 'authprompt' which will help non-SASL users by showing a notice and asking them to authenticate to their account via /AUTH <user>:<pass>. See the new authentication article <https://www.unrealircd.org/docs/Authentication> on the wiki for an overview and set::authentication-prompt <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt> for specific information on the module.
* New optional module 'antimixedutf8' to combat mixed UTF8 character spam (also called freenode spam) that has been plaguing networks. See the set::antimixedutf8 docs <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8> for more information.
* Support for Argon2 password hashing, which is more resilient against brute force cracking (/mkpasswd argon2 passwd)
* Indicate 's' in WHO reply flags if the user is secure (SSL/TLS).

*Configuration changes*

* The require sasl { } block is now called require authentication { }
* The operclass privileges have been redone. There were too many changes to list them here. If, like 99% of the users, you use default operclasses such as "globop" and "admin-with-override" then you don't need to do anything. However, if you have custom operclass { } blocks then the privileges will have to be redone. See here <https://www.unrealircd.org/docs/FAQ#New_operclass_permissions> for more information on the conversion process. See also the new list of permissions <https://www.unrealircd.org/docs/Operclass_permissions>, with much better naming and grouping.
* In the configuration file you can now use } instead of }; Both forms are accepted. There's no need to change if you don't like it.
* A /* comment in the configuration file is now terminated at the first occurrence of */, instead of two /* /* requiring two */ */. Most people will be unaffected. But if you are, see the FAQ: nesting comments <https://www.unrealircd.org/docs/FAQ#Nesting_comments> for more information.

*Major issues fixed*

* The blacklist module <https://www.unrealircd.org/docs/Blacklist_block> did not act on IPv6 users listed in DNSBLs.

*Minor issues fixed*

* By default a user shouldn't be allowed to change to a banned nick, unless (s)he has +hoaq in the channel. This was broken since 4.0.0. This feature can be disabled via set { check-target-nick-bans no; };
* Rehash error messages sent to opers regarding remote includes now no longer include authentication information (replaced with ***:***).

*Deprecated*

* The authentication types 'md5', 'sha1' and 'ripemd160' have been deprecated because they can be cracked at high speeds. They still work, but a warning will be shown on boot and on rehash. Please use the new 'argon2' type instead: Type /MKPASSWD argon2 passwd on IRC, or ./unrealircd mkpasswd argon2 on the command line to generate the password hash.

*For module coders*

* Priorities in command overrides were reversed (was added in 4.2.0)

*Future versions (heads up):*

* We intend to change the default plaintext oper policy from /warn/ to /deny/ in the year 2019. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
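
The comment change listed under "Configuration changes" can silently re-enable configuration that was disabled with an outer /* */ around an inner comment. The following is an added example, not part of the announcement and not UnrealIRCd code: it strips comments under both rules and reports the lines whose content differs. It assumes only /* */ comments matter (quoted strings and other comment styles are not parsed), and the sample configuration is constructed.

```python
# Added example (not UnrealIRCd code): find configuration lines whose meaning
# changes under the 4.2.1 comment rule. Assumption: only /* */ comments are
# modelled; quoted strings and other comment styles are not parsed.

def strip_comments(text, nested):
    """Blank out /* */ comments, keeping newlines so line numbers line up.

    nested=True  -> each /* needs its own */ (behaviour before 4.2.1)
    nested=False -> a comment ends at the first */ (behaviour from 4.2.1)
    """
    out, depth, i = [], 0, 0
    while i < len(text):
        pair = text[i:i + 2]
        if pair == "/*" and (depth == 0 or nested):
            depth += 1
            i += 2
        elif pair == "*/" and depth > 0:
            depth -= 1
            i += 2
        else:
            if depth == 0 or text[i] == "\n":
                out.append(text[i])
            i += 1
    return "".join(out)

def changed_lines(text):
    """Return (line_no, old_content, new_content) for lines that differ."""
    old = strip_comments(text, nested=True).split("\n")
    new = strip_comments(text, nested=False).split("\n")
    return [(n, o.strip(), w.strip())
            for n, (o, w) in enumerate(zip(old, new), 1)
            if o.strip() != w.strip()]

# Constructed sample: a block disabled with an outer comment that contains
# an inner comment.
SAMPLE = '''\
/* disabled during migration
/* old test oper */
oper testoper {
    password "changeme";
};
*/
listen { ip *; port 6667; };
'''

if __name__ == "__main__":
    for n, old, new in changed_lines(SAMPLE):
        print(f"line {n}: was {old!r}, now {new!r}")
```

On the sample, lines 3 to 5 (the oper block) become live configuration under the 4.2.1 rule, and line 6 is left as a stray */ outside any comment.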