UnrealIRCd 5.0.3 released (fixes flood issue)
From: Bram M. <sy...@un...> - 2020-02-08 08:18:09
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 5.0.3 is out. It fixes a user-triggerable flood issue with labeled-response. This can be abused to start a serious flood on multi-server networks.

We recommend users running 5.0.0/5.0.1/5.0.2 to apply the "hot patch" to _fix the issue without a restart_ (see below) or to upgrade to 5.0.3.

To apply the hot patch, run the following command on your IRCd shell:

wget https://www.unrealircd.org/patches/labeledresponseflood-patcher && sh ./labeledresponseflood-patcher

Below is a short FAQ / Q&A on the hot patch. Further down is the original UnrealIRCd 5 announcement.

The complete UnrealIRCd 5.0.3 release notes can be found here <https://github.com/unrealircd/unrealircd/blob/a283a1cf51b5a35bc73f82d93122e2b59aac0dfc/doc/RELEASE-NOTES.md#unrealircd-503-release-notes>. The 5.0.3 release contains several /other/ fixes and enhancements, such as a new HISTORY command to retrieve <https://www.unrealircd.org/docs/Channel_history#Ways_to_retrieve_history> up to 100 lines of channel history (the limits in +H still apply).

*Q&A on the hot patch*

*How serious is the flood issue? Can it be abused?*
It can be triggered on purpose but it can also be triggered accidentally. It will start a flood between servers which can consume high amounts of bandwidth. Other than high bandwidth and possibly high CPU usage there will be no signs of the flood to IRCOps. If you only have one UnrealIRCd 5.x server then the issue cannot be triggered.

*Which UnrealIRCd versions are affected?*
UnrealIRCd 5.0.0, 5.0.1 and 5.0.2. The UnrealIRCd 4.x series are not affected.

*What is hot patching?*
It is possible to fix this issue without having to restart your IRCd. This is generally welcomed by admins. UnrealIRCd can do this because most of the code is in modules that can be reloaded on the fly.

*I am on Windows, can I also use the hot patch?*
No, sorry, on Windows you will have to upgrade to UnrealIRCd 5.0.3.

*How do I apply the patch?*
Simply SSH to your IRCd shell and then run:

wget https://www.unrealircd.org/patches/labeledresponseflood-patcher && sh ./labeledresponseflood-patcher

*I don't trust the shell script, can I view the exact patch?*
Yes, you can also download the recommended patch as a .tar.gz instead. It is available from https://www.unrealircd.org/patches/labeledresponseflood-patcher.tar.gz

*UnrealIRCd 5 is here!*

After more than 6 months of hard work UnrealIRCd 5 is now our new "stable" branch. In particular I would like to thank Gottem and 'i' for their source code contributions and PeGaSuS and westor for testing releases.

When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of source code added/removed during 3 years of development. This time it was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full release notes are available here <https://github.com/unrealircd/unrealircd/blob/21278d254963cfa6555e27b38228d7a5c3b8ce48/doc/RELEASE-NOTES.md#unrealircd-5>. If you have some spare time, we recommend reading the full release notes (the new and changed sections, anyway) so you don't miss out on anything.

If you are upgrading from 4.x to 5.x then it would be wise to read Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>. In any case, be sure to upgrade your services package first! (if you use any).

UnrealIRCd 5 is known to work with the following services:

* anope <https://www.anope.org/> (version 2.0.7 or higher) - with the "unreal4" protocol module
* atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 is now called "oldstable" and will be maintained until 31 December 2020 (major bugfixes only). After that date UnrealIRCd 4 is no longer supported <https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>. Admins are recommended to upgrade to UnrealIRCd 5 somewhere in the first half of 2020.

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
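
For admins who take the .tar.gz route from the Q&A above, one way to unpack the patch for reading without executing anything. This is an added example, not part of the original announcement or the UnrealIRCd project; the function names and the local file name patch.tar.gz are assumptions, and the URL is the one given in the message.

```shell
#!/bin/sh
# Added example: unpack the hot-patch tarball into a scratch directory
# for manual review. Nothing from the archive is executed.
# URL as given in the announcement.
PATCH_URL="https://www.unrealircd.org/patches/labeledresponseflood-patcher.tar.gz"

# Read member names on stdin; succeed only if none is absolute or contains
# a ".." component (either could write outside the extraction directory).
paths_safe() {
    while IFS= read -r p; do
        case "$p" in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# List the archive, vet the member names, then extract into a fresh
# temporary directory and print that directory.
# Returns 2 for an unreadable archive, 1 for an unsafe member name.
unpack_for_review() {
    tarball=$1
    listing=$(tar -tzf "$tarball" 2>/dev/null) || return 2
    [ -n "$listing" ] || return 2
    printf '%s\n' "$listing" | paths_safe || return 1
    dir=$(mktemp -d) || return 2
    tar -xzf "$tarball" -C "$dir" || return 2
    printf '%s\n' "$dir"
}

# Download only (hypothetical local file name patch.tar.gz), then unpack.
# Read every file under the printed directory before applying the patch.
fetch_and_unpack() {
    wget -q -O patch.tar.gz "$PATCH_URL" && unpack_for_review patch.tar.gz
}
```

Run `fetch_and_unpack` as the IRCd user rather than root, and read the extracted files before running any of them.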