Unreal3.2.1 released
Status: Beta
Brought to you by:
wildchild
Menu
▾
▴
Unreal3.2.1 released
|
From: Bram M. (Syzop) <sy...@vu...> - 2004-07-03 19:56:24
|
A new 3.2* stable release is out: 3.2.1. This version addresses a flaw that was discovered in the cloaking algorithm (+x) of previous versions that could allow someone to discover the IP addresses of users. It is STRONGLY RECOMMENDED that anyone running a previous version upgrade as soon as possible. Besides this, also some nice new features were added, such as: module support on windows, DCCALLOW, CIDR, and a lot more. NOTE: Please read the release notes carefully, otherwise your ircd won't boot! Unreal3.2.1 Release Notes ========================== ==[ GENERAL INFORMATION ]== - If you are upgrading on *NIX, make sure you run make clean and ./Config before doing make - The official UnrealIRCd documentation is doc/unreal32docs.html online version at: http://www.vulnscan.org/UnrealIrcd/unreal32docs.html FAQ: http://www.vulnscan.org/UnrealIrcd/faq/ Read them before asking for help. - Report bugs at http://bugs.unrealircd.org/ == [ NEW ]== - [!] Cloaking has been modulized. - This means you now MUST load a cloaking module in order to boot. Example: loadmodule "src/modules/cloak.so"; - 2 cloaking modules are provided: 'cloak' and 'oldcloak': - 'cloak' is the new, RECOMMENDED, and much more secure cloaking algorithm that uses md5 internally. It requires 3 keys of 5-100 characters (10-20 is fine) consisting of mixed lowercase (a-z), uppercase (A-Z) and digits (0-9). So for example: set { cloak-keys { "AHsHS6ds2sQGAkish"; "qF5D3orm6Evba26hjf"; "f6oaO2hhd6sIHSfs"; }; - 'oldcloak' is the <=3.2 cloaking algorithm, it is ONLY meant for use during the upgrade process (it will give a warning if you use it), you should switch to the much more secure 'cloak' module AS SOON AS POSSIBLE. As mentioned earlier, the old cloaking algorithm has been cracked so it makes no sense to keep using it. - 3rd party cloak modules are also possible. - [!] Windows now also supports modules - This means you MUST load commands.dll and a cloaking module on windows too, eg: loadmodule "modules/commands.dll"; loadmodule "modules/cloak.dll"; - 3rd party modules are now easy to install too... developers can put .dll files online which you just need to put in your modules\ directory (or, that could even be done by an installer), after that you just add a loadmodule line for it, like: loadmodule "modules/leetmod.dll"; NOTE: Just as on *NIX, you'll have to upgrade your modules every release. - set::spamfilter::virus-help-channel-deny: blocks any normal joins to the virus-help-channel (only people force-joined by spamfilter and opers can join). - set::options::flat-map: Makes all server appear as directly-linked in /links, /map, etc. Thus, link info (which server is linked to which) is hidden from users. - NickIP was added, this means IP's of users are now known by all servers: - IP is now shown in the 'is connecting from' line in /whois (if selfwhois or oper) - "Far connects" (+s +F) together with HCN (Hybrid Connect Notice) can now see IP's as well. This allows you to use for example 1 central BOPM. - New /who options: - /who +i <ip/mask> allows you to search by IP (eg: /who +i 10.*) - /who +I will show IP's of everyone (bit like /who +R) - Added DCCALLOW system (taken from bahamut). With this system you can block certain (or all) DCC SENDs and then allow the user to 'override' this limit for every user he/she trusts via '/DCCALLOW +User'. This is an attempt to stop (or at least limit) the spreading of viruses and other malware. - added deny dcc::soft option, if 'soft' is set to yes in a deny dcc block it means users can override it via DCCALLOW. - set::maxdccallow controls the max. number of items on the DCCALLOW list (default:10) - Added allow dcc { } by which you can make certain exceptions over deny dcc { } - Added extended ban type ~n (nickchange ban). if a user matches this (s)he can not change nicks unless (s)he has voice or higher (ex: +b ~n:*!*@*.aol.com). - Added set::restrict-extendedbans by which you can disallow normal users to use any extended bans ("*") or disallow only certain ones (eg: "qc"). You could also use this if you are on a mixed-version-network and are (very) concerned about desynchs, then you could restrict 'n' till all servers are upgraded. - Added CIDR support (eg: 192.168.0.0/16). Now implemented for: ban ip, ban user, allow, except ban/tkl/throttle, and TKL (*lines). - '/dns c' will clear the DNS cache - Added new logtype 'spamfilter' to log spamfilter matches. - Added 'can_addline' operflag, this is now required in order to use /addline. - Spanish and Hungarian translations of unreal32docs were added. - Readded support for the T (topic time) and C (creation time) flags for /list. - Added support for the ELIST 005 token (ELIST=MNUCT) ==[ MAJOR BUGS FIXED ]== - win32: crash bugs in TRE on /rehash are probably fixed. - qlines (banned nicks) could cause crashes - (quickly) rehashing + autoconnect link blocks could cause a crash - The previous cloaking algorithm had some serious flaws by which the cloak keys could be discovered. Thus, enabling an attacker to 'uncloak' any hosts (especially unresolved IP's but probably also normal hosts with some more effort). ==[ MINOR BUGS FIXED ]== - GUEST support wasn't working - empty set::ssl::options would cause a crash - compiles fine with SSL support on OpenBSD 3.5 now. - Local opers can now join +O (operonly) channels - Permanent modules: custom allow/except/ban/deny types were lost after /rehash - Fixed an SVSNICK bug that could lead to duplicate users in very rare circumstances ==[ CHANGED ]== - spamfilter.conf updates - usage of CHG* commands are now no longer logged from U:lines - services admins are now shown as 'Services Administrator' in /whois again. - Changed the way MSG/NOTICE <prefix>#chan works: - It now goes to <prefix> and higher, so '/notice +#chan hi!' goes to +vhoaq - You need at least voice in order to be able to msg/notice +#chan, %#chan or @#chan - You need at least ops in order to be able to msg/notice &#chan or ~#chan - Any multi-prefix targets will be converted automatically (eg: ~&@#chan to @#chan) - SVSJOIN now also supports channel keys - Docs, help.conf and other text updates - Added zlib+SSL+curl version check on boot to protect against crashes - Win32: socket errors are now more clear (less 'Unknown error <code>' now). - Win32: now using dynamically linked libc to get rid of some crashbugs. The dll, msvcr70d.dll, will be downloaded automatically if needed. - Made the 'negative TS' warning a bit more annoying since a lot of people don't understand how critical correct time for IRC is. - Several servernotices were turned into numerics ==[ CHANGELOG ]== - Replaced tre.dll/tre.lib, previous versions caused a crash (eg: if you included spamfilter.conf). - Fixed a problem when compiling with GUEST enabled. Reported by dvzion (#0001758) - Fixed a documentation typo reported by Konc - Fixed a little problem in ./unreal to move ircd.pid.bak to ircd.pid of starting failed. Fixed by fez (#0001739) - Made it so chg* command usage is not logged from U:lines. Reported by diskman1 (#0001718) - Changed int_to_base64() warning so it has less false positives (#0001797). - Fixed a bug where if set::ssl::options was empty, a crash could occur. Reported by spider312 (#0001799) - Include openssl/md5.h and openssl/ripemd.h if compiled w/SSL, this seems how it should be done and also makes unreal w/SSL able to compile on OpenBSD (3.5). - Added module support for Windows! To module coders: -Building your module on Windows is almost exactly the same as on *nix nmake -f makefile.win32 custommodule MODULEFILE=thefile -Also, as I'm sure most module developers will begin distributing .dll files for their modules, it is important to note that just like the modules on *nix, the dlls will need to be recompiled each time a new version of Unreal is released. This is simply due to the potential for binary incompatibility which at this point can not be avoided. -Most modules already do this, but it is now a requirement for Windows support. At the very minimum, the Mod_Test function must have the DLLFUNC specifier in order to work Unreal will automatically add DLLFUNC to the other functions, but it does not hurt if you use it for all of them. NOTE: It is expected that there will probably be a few bugs to work out with this, so please consider testing it! And module coders, please report any problems you experience! - Modulized cloaking: - Currently there are 2 cloaking modules: 'cloak' and 'oldcloak'. - You MUST load at least 1 of them (like: loadmodule "src/modules/cloak.so";). - 'oldcloak' is just the <=3.2 cloaking algorithm. - 'cloak' is the new, recommended, and much more secure cloaking algorithm that uses md5 internally and requires 3 keys of 5-100 characters (10-20 is fine) consisting of mixed lowcase (a-z), upcase (A-Z) and digits (0-9) [eg: "AopAS6WQH2Os6hfosh4SFJHs"]. - Note that 'oldcloak' is only ment for use during the upgrade process (it will give a warning if you use it), you should switch to the much more secure 'cloak' module as soon as all your servers are upgraded. - Module coders can code 3rd party cloak modules that use other algorithms or cloak in a different way (have a look at src/modules/cloak.c). - spamfilter: Added Bloodhound.Exploit.6 sig - Compile fixes for win32 modules with ssl/zip/curl - Changed 'Services operator' in /whois (back) to 'Services administrator', this was requested by many people and seems to be the best after all (#0001634). - Local opers can now also join +O (operonly) channels (#0001694). - Changed the way MSG/NOTICE <prefix>#chan works: - It now goes to <prefix> and higher, so '/notice +#chan hi!' goes to +vhoaq - You need at least voice in order to be able to msg/notice +#chan, %#chan or @#chan - You need at least ops in order to be able to msg/notice &#chan or ~#chan - Any multi-prefix targets will be converted automatically (eg: ~&@#chan to @#chan). - internal: use of the CHANOPPFX macro is now deprecated. All of this was done to make it a bit more 'safe' and userfriendly (#0001812). - Fixed a remote include bug that would cause unnecessary blocking - Fixed a /credits typo - Imported TRE 0.6.7 for win32 - Imported TRE 0.6.7 for *nix and made use of tre_version to report the version of TRE in use at startup - Fixed a Win32 module bug - Added set::spamfilter::virus-help-channel-deny. This allows you to block any normal joins to the virus-help-channel. This way you could prevent users into accidental (or tricked) joining of the virus-help-channel and becomming infected. This feature is disabled by default. Requested by bleepy (#0001811). - German doc updates (week 20). - Added optional parameter to SVSJOIN to deal with channel keys. Reported by DukePyrolator (#0001822). - Added zlib+SSL version check on boot to make sure the runtime version is the same as the 'compiled for' (header) version. If they mismatch, UnrealIRCd could crash, so a big warning is posted if it happends. - Improved the above: made it work on windows and also added a check for curl. - spamfilter.conf: Added yet another sig for a site that causes Backdoor.Delf.lq infection (reported by nexus), also changed LOI trojan and Bloodhound.Exploit.6 action to gline. - Fixed a win32 module bug that broke strcasecmp/stricmp - German doc updates (week 21) - Fixed a permanent modules bug: custom allow/except/ban/deny types were lost after /rehash. Reported by AngryWolf (#0001837). - Fixed a problem with NICK collisions not using NICKv2 (#0001773) reported by thilo - Added NICKIP (#0000605 & #0001376) - Compile warning cleanups - Added release notes (no, we won't release 3.2.1 anytime soon.. just updating ;p). - Added various extra messages to make it a bit more easier for people who are upgrading (win32 commands.dll, cloaking mod). - Made win32 ssl<->non-ssl modules binary compatible. - Added ssl/non-ssl check in Mod_Version on *NIX. - Added set::options::flat-map: This makes all servers look like they are linked directly to the server you are on (/map, /links), thus you cannot see which server is linked to which ("hopcount"). This can make it a bit harder for kiddies to find any 'weak spots' (which server to attack/[D]DoS). Obviously opers will always see the real map. - unreal32docs.html: added flat-map and set::restrict-usermodes "s"; security tips. - Fixed a compile error regarding AF_MAX (#0001839) reported by Rocko - Imported TRE 0.6.8 for *nix - Added NICKIP to doc/technical/protoctl.txt - Imported TRE 0.6.8 for windows - Redid the win32 version to use a dynamically linked libc. This solves memory issues arising from the fact that dlls do not share the same heap as the exe. As a side effect, however, there is now a dependency on msvcr70d.dll. This DLL does not come with any versions of Windows except 2003. It also comes with any .NET application and the .NET framework. Unreal will automatically download th DLL if it is needed. Reported by Bugz (#0001833) - Fixed some other win32 crashes due to modulizing: WHOWAS, STATS [some], SVSMOTD. All caused by missing "MODVAR"s. Reported by Troco (#0001841). - Fixed SSL problem caused by a fix of 2 days ago. Reported by Fury (#0001842). - And one more. - Made socket errors correctly reported under Win32. Thanks to Microsoft for deciding that having a way to get a socket error string was unnecessary. - Fixed a NICKIP bug regarding passing along IPs (#0001846) reported by Troco - And another one, should be fixed now. - Added snomask +S to the documentation (#0001835) reported by medice. - Made a bunch of TKL parameters case insensitive (#0001766) reported by medice. - Made Unreal create the tmp/ dir at startup, rather than configure (#0001824) suggested by LinDevel - Added /dns c to clear the DNS cache (#0001852) suggested by samson. - Seems I forgot to del_Command() SPAMFILTER and TEMPSHUN. - Made the win32 socket error reporting also handle regular system errors (#0001851) reported by Troco - Added a doc/translations.txt which describes the (current) translation process and requirements a bit. - Fixed a synch bug, reported by Troco (#0001857). - Split up the /who oper and user help messages - Added /who +i (search by IP) and /who +I (show IP), oper only. - Made it so /who +m doesn't default to /who if a user uses modes they aren't allowed to use (#0001858) reported by Bugz - Added a couple donators to /credits - Module coders: if CmdoverrideAdd() is called for an override that is already in place, it now sets MODERR_EXISTS as errorcode and returns NULL (previously it added duplicates). In the past module coders had many issues with PERM mods... you had to use weird tricks, but now you can (and should!) just override on INIT and on HOOKTYPE_REHASH_COMPLETE. - Moved register_user declaration to h.h, updated call in m_pingpong.c (due new 'ip' field). - Usermode +v ('receive dcc send rejection notices') is oper-only now for privacy reasons. - Added dcc allow { }, which allows one to make exceptions over deny dcc { }. - Added deny dcc::soft and allow dcc::soft item, if set to 'yes' it allows someone to explicitly override it per-person via /DCCALLOW (see next). - Added DCCALLOW system, taken directly from bahamut. With this system you can block certain (or all) DCC SENDs and then allow the user to 'override' this limit for every user he/she trusts via '/DCCALLOW +User'. This is an attempt to stop (or at least limit) the spreading of viruses/etc. See '/DCCALLOW HELP' for more info. - Added example dccallow.conf which filters everything except some known 'safe types' (jpg, jpeg, png, gif, etc). Note that the purpose of this file is NOT to get a complete list, rather to limit it to a few 'known safe' entries. - Added set::maxdccallow: max number of entries of the DCCALLOW list (default: 10). - Various (non-critical) fixes for dccallow reported by Rocko (incorrect nick in deny msg, added set::maxdccallow in docs, added bmp/vob/log/ to dccallow.conf). - Made extbans desynchs a bit more friendly: if a bantype is unknown for the server it will just accept it if it's from a remote server, and also ops/etc will be allowed to REMOVE any unknown extbans (but not add new unknown ones). - Added extended ban type ~n (nickchange ban), if a user matches this (s)he can not change nicks (eg: +b ~n:*!*@*.aol.com) unless (s)he has voice or higher. This can be useful as an overall measure for some +m chans (+b ~n:!*@*) or against specific 'good' people that are just nickflooding due to a wrongly configured script. - Added set::restrict-extendedbans by which you can disallow normal users to use any extendedbans ("*") or disallow only certain ones (eg: "qc"). - Made the negative TS message a bit more annoying if time is off more than 10 seconds. - Minor doc tweakers, reported by AngryWolf (#0001871). - Win32: Readded /J compiler flag (was accidentally lost in December). This could cause some weird issues. Reported by Troco (#0001877). - Fixed compile problem with debugmode + ipv6 - Added CIDR support (#0001296) suggested by many people. - Imported the latest CIDR functions from Hybrid 7.0.1 (and fixed numerous bugs) - Implemented CIDR support for ban ip, ban user, allow, except ban/tkl/throttle, and TKL - Note: This needs testing - To be able to use /ADDLINE you now need the (new) 'can_addline' operflag (oper::flags), reason for this is that it's such a powerful/dangerous command. - Fixed find_qline crashes regarding except tkl 'type qline', reported by Gilou (#0001882). - Fixed some CIDR bugs causing things not to match. - Fixed a CIDR bug when compiled without IPv6 support - Fixed an SVSNICK bug that could lead to duplicate users in very rare circumstances (#0001874) reported by Jiuka. - internal: Added GetIP() which we will now use instead of all the Inet_ia2p() stuff because it's slightly faster (already replaced all of them in src/s_kline.c). GetIP(acptr) will return the ip for local users and remote users that support NICKIP, it returns NULL for remote users that are on non-NICKIP servers (or have non-NICKIP servers along their path). - internal: tkl_add_line now returns aTKline * - Added some more hooks: - HOOKTYPE_TKL_ADD [aClient *cptr, aClient *sptr, aTKline *tk] - HOOKTYPE_TKL_DEL [aClient *cptr, aClient *sptr, aTKline *tk] NOTE: 'NULL, NULL, tk' is used for *lines that are removed due to expiring - HOOKTYPE_LOCAL_KILL [aClient *sptr, aClient *target, char *comment] - Added support for the ELIST 005 token with MNUCT options - Made Mod_Version required (this should be no problem since it's done automatically). - Added HOOKTYPE_LOG [int type, char *timebuf, char *logbuf] - Updated the release notes. - Fixed a CIDR bug reported by poisoner (#0001892) - Documented numerics in use by other IRCds - Converted several notices to numerics (#0001599) suggested by olene - Added a donator to /credits - Fixed '/stats P' negative usercount bug (#0001691). - Made IPv6 bans work the way they should again, reported by al5001 (#0001876). - Added new logtype 'spamfilter' to log spamfilter matches - Updated example.conf: added all new flags we added in the example block, removed old confusing comment on SEGV logging, config.h: ripped out lPATH since that define isn't anywhere used and is only confusing. - Made the new numerics use nicknames (#0001896) suggested by Dukat. - Fixed a problem where the tmp directory was created in the current directory rather than the correct path (#0001898) reported by AngryWolf - Updated HOOKTYPE_TKL_ADD/HOOKTYPE_TKL_DEL to cptr, sptr, tk, parc, parv, else it was impossible to tell *who* removed a *line. Again, parc/parv are 0/NULL for expires. - Fixed "quickly-rehashing + autoconnect linkblocks = crash"-bug. This involved fixing multiple reference count bugs, one related to sptr->serv->conf, and another one related to sptr->serv->class. Both caused problems when someone did a /rehash when a server was in the process of connecting (so it might also happen when connfreq was hit and you did a /rehash). Original bug was reported by sh0 (#0001872). - spamfilter.conf: Added sig for a mIRC decode worm, submitted by nexus. - Some release notes updates. - Changed version to 3.2.1-pre1 and updated protocol # to 2304. - Updated wircd.def ** internal 3.2.1-pre1 release ** - Various (>15) small fixes for unreal32docs.html, reported by AngryWolf (#0001906). - Added spanish docs, translated by Trocotronic. - Fixed serious crashbug due to quick-rehashing bugfix! Basically if you did a /REHASH and the clientcount for a class reached 0 (due to quits) it would crash. ** internal 3.2.1-pre2 release ** - Added hungarian docs, translated by AngryWolf. - Fixed a problem with the win32 installer as a result of MSVCR70D.DLL, reported by aquanight - Updated /Credits and added a donator. - Made release notes a bit more scary + some minor english-only doc updates - Changed version to 3.2.1 - Moved the 3.2 changes to Changes.old ** 3.2.1 release ** Downloadable, as usual from http://www.unrealircd.com ebe56fd42fc229681f527932eaa173cc Unreal3.2.1.tar.gz ee241e227c4132df319a47595dc513a9 Unreal3.2.1.exe 9e4d09803ffd83c27fb371c4e80ea286 Unreal3.2.1-SSL.exe Thank you for using Unreal, The UnrealIRCd team. |
