UnrealIRCd 5.0.3 released (fixes flood issue)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 5.0.3 is out. It fixes a user-triggerable flood issue with
labeled-response. This can be abused to start a serious flood on
multi-server networks.
We recommend users running 5.0.0/5.0.1/5.0.2 to apply the "hot patch" to
_fix the issue without a restart_ (see below) or to upgrade to 5.0.3.
To apply the hot patch, run the following command on your IRCd shell:
wget https://www.unrealircd.org/patches/labeledresponseflood-patcher &&
sh ./labeledresponseflood-patcher

Below is a short FAQ / Q&A on the hot patch. Further down is the
original UnrealIRCd 5 announcement.

The complete UnrealIRCd 5.0.3 release notes can be found here
<https://github.com/unrealircd/unrealircd/blob/a283a1cf51b5a35bc73f82d93122e2b59aac0dfc/doc/RELEASE-NOTES.md#unrealircd-503-release-notes>.
The 5.0.3 release contains several /other/ fixes and enhancements, such
as a new HISTORY command to retrieve
<https://www.unrealircd.org/docs/Channel_history#Ways_to_retrieve_history>
up to 100 lines of channel history (the limits in +H still apply).

*Q&A on the hot patch*

*How serious is the flood issue? Can it be abused?
*It can be triggered on purpose but it can also be triggered
accidentally. It will start a flood between servers which can consume
high amounts of bandwidth. Other than high bandwidth and possibly high
CPU usage there will be no signs of the flood to IRCOps. If you only
have one UnrealIRCd 5.x server then the issue cannot be triggered.

*Which UnrealIRCd versions are affected?
*UnrealIRCd 5.0.0, 5.0.1 and 5.0.2. The UnrealIRCd 4.x series are not
affected.

*What is hot patching?
*It is possible to fix this issue without having to restart your IRCd.
This is generally welcomed by admins. UnrealIRCd can do this because
most of the code is in modules that can be reloaded on the fly.

*I am on Windows, can I also use the hot patch?*
No, sorry, on Windows you will have to upgrade to UnrealIRCd 5.0.3.

*How do I apply the patch?
*Simply SSH to your IRCd shell and then run:
wget https://www.unrealircd.org/patches/labeledresponseflood-patcher &&
sh ./labeledresponseflood-patcher

*I don't trust the shell script, can I view the exact patch?
*Yes, you can also download the recommended patch as a .tar.gz instead.
It is available from
https://www.unrealircd.org/patches/labeledresponseflood-patcher.tar.gz

*UnrealIRCd 5 is here!*

After more than 6 months of hard work UnrealIRCd 5 is now our new
"stable" branch. In particular I would like to thank Gottem and 'i' for
their source code contributions and PeGaSuS and westor for testing releases.
When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of
source code added/removed during 3 years of development. This time it
was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full
release notes are available here
<https://github.com/unrealircd/unrealircd/blob/21278d254963cfa6555e27b38228d7a5c3b8ce48/doc/RELEASE-NOTES.md#unrealircd-5>.
If you have some spare time, we recommended reading the full release
notes (the new and changed sections, anyway) so you don't miss out on
anything.

If you are upgrading from 4.x to 5.x then it would be wise to read
Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>.
In any case, be sure to upgrade your services package first! (if you use
any). UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 is now called "oldstable" and will be maintained until 31
December 2020 (major bugfixes only). After that date UnrealIRCd 4 is no
longer supported <https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>.
Admins are recommended to upgrade to UnrealIRCd 5 somewhere in the first
half of 2020.

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6