UnrealIRCd 5.2.1 released & small security issue
From: Bram M. <sy...@un...> - 2021-07-09 06:23:27
Hi everyone,

*New release: UnrealIRCd 5.2.1*

UnrealIRCd 5.2.1 is out! Although it has been only a month since 5.2.0, this release comes with several new features and some major bug fixes. See the release notes <https://github.com/unrealircd/unrealircd/blob/8322a4802670fa951015fde435a42b34d0bbbf27/doc/RELEASE-NOTES.md#unrealircd-521-release-notes> for full details.

If you are on 5.0.9 or 5.2.0(.x) then you can easily upgrade by running the command:

    ./unrealircd upgrade

Of course, as always, you can (also) download UnrealIRCd from https://www.unrealircd.org/

*Do I need to upgrade?*

For more information on the end of 5.0.x and upgrading to 5.2.x, see FAQ: About the new 5.2.x series <https://www.unrealircd.org/docs/FAQ#About_the_new_5.2.x_series>.

Admins who wish to take a conservative approach still _don't need to rush_ to upgrade from 5.0.x to 5.2.1, they can wait for 5.2.2. If you decide not to upgrade right now, then be sure to read on the small security issue below.

*Small security issue*

UnrealIRCd 5.0.9, 5.2.0(.x) and 5.2.1-rc1 have an incorrect built-in ban exception for "127.*" which intended to exempt localhost ("127.0.0.1"). Unfortunately, the obvious fact was overlooked that this can also match hostnames such as "127.something.example.org", allowing such users to bypass kline, gline and shun.

This bug is fixed in 5.2.1, but it can also be fixed without upgrading to 5.2.1. If you are on 5.0.9, 5.2.0.x or 5.2.1-rc1 then simply run the following command and it will fix the issue without the need to restart UnrealIRCd:

    ./unrealircd hot-patch exemptlocalhost

After that you can verify online at IRC as IRCOp with the command "STATS except" that the incorrect ban exception on 127.* is gone and the good one on 127.0.0.0/8 is listed.

On a side note, even without this patch, you could always have banned these users via GZLINE and KILL.

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
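
Added example (not part of the original message and not UnrealIRCd code): a simplified model of why the wildcard exception "127.*" exempts more than localhost while the CIDR exception 127.0.0.0/8 does not, plus a small check that flags IP-looking wildcard masks in an exception list. The function names, the matching model and the sample clients are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

def glob_exempts(mask, hostname, ip):
    """Assumed model: a wildcard mask is a string pattern that is tried
    against both the resolved hostname and the textual IP address."""
    mask = mask.lower()
    return fnmatchcase(hostname.lower(), mask) or fnmatchcase(ip, mask)

def cidr_exempts(cidr, ip):
    """A CIDR mask compares addresses numerically; hostnames never enter."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def risky_masks(masks):
    """Return wildcard masks made only of digits, dots and wildcards
    (e.g. '127.*'): written as an IP prefix, but matched as a string."""
    flagged = []
    for mask in masks:
        if "/" in mask:
            try:
                ipaddress.ip_network(mask, strict=False)
                continue  # valid CIDR, compared numerically
            except ValueError:
                pass
        literal = mask.replace("*", "").replace("?", "").replace(".", "")
        if any(c in mask for c in "*?") and literal.isdigit():
            flagged.append(mask)
    return flagged

# Constructed sample clients: (resolved hostname, IP address).
CLIENTS = [
    ("localhost", "127.0.0.1"),
    ("127.something.example.org", "203.0.113.7"),
    ("irc.example.net", "198.51.100.20"),
]

def compare():
    """Per client: exempt under '127.*'? exempt under 127.0.0.0/8?"""
    return [
        (host, glob_exempts("127.*", host, ip), cidr_exempts("127.0.0.0/8", ip))
        for host, ip in CLIENTS
    ]

if __name__ == "__main__":
    for host, by_glob, by_cidr in compare():
        print(f"{host:28} glob={by_glob!s:5} cidr={by_cidr}")
    print("review:", risky_masks(["127.*", "127.0.0.0/8", "*.example.org"]))
```

The same check can be applied to the masks listed by "STATS except" after the hot-patch: only the CIDR form should remain for localhost.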