unreal-notify

UnrealIRCd 6.1.10 released

[Bram M. <sy...@un...>]

UnrealIRCd 6.1.10 is now available. This is mostly a maintenance release 
with a few small new features. See the release notes below.

As always, you can download UnrealIRCd from unrealircd.org 
<https://www.unrealircd.org/> and on *NIX you can upgrade with 
./unrealircd upgrade. Do you like UnrealIRCd? Consider making a donation 
<https://www.unrealircd.org/index/donations> or order something from the 
shop <https://shop.unrealircd.org>.

NOTE for people who installed 6.1.10-rc1: there are no changes between 
6.1.10-rc1 and 6.1.10 except for the version number.


      Enhancements:

  * In the spamfilter { }
    <https://www.unrealircd.org/docs/Spamfilter_block> block two new
    options:
      o |input-conversion|: This can be set to |none| to make the
        spamfilter run against the original text. This in contrast to
        how default spamfilter behaves where the text is matched against
        text that has color and control codes removed. Can be useful if
        you need to match against such a special character.
      o |show-message-content-on-hit|: this works like
        set::show-message-content-on-hit
        <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>.
        but on an individual spamfilter basis.
  * If |unrealircd.conf| doesn't exist then we now offer to copy the
    example configuration (showing a list of languages to pick from).
  * Ship with an offline copy of the wiki documentation
    (|doc/unrealircd_wiki.zim|). This is really only meant for cases
    where the wiki is unavailable, eg you don't have an internet
    connection, some major outage, etc. See ZIM
    <https://en.wikipedia.org/wiki/ZIM_(file_format)> and Kiwix
    <https://en.wikipedia.org/wiki/Kiwix> for more information.


      Changes:

  * Update the example configuration:
      o Mark specific sections with "CHANGE THIS" for people who are in
        a hurry and really only want to do the bare minimum to get the
        IRCd booted.
      o More things are commented out by default, like example link
        blocks and ulines.
      o In addition to the the default ircd.log text file log block,
        also add a JSON log block
        <https://www.unrealircd.org/docs/JSON_logging#Enabling_in_disk_logging>.
        JSON logging includes a lot of information about every event so
        is great for auditing purposes and machine readable.
  * Error on some more duplicate config items, eg allow::password.
  * In target-flood log messages we now show the message type (eg PRIVMSG).
  * Make the |./Config| question about remote includes
    <https://www.unrealircd.org/docs/Remote_includes> a bit more clear.
    The |https://| protocol is always supported and this question is
    only about supporting /other/ protocols and using the cURL library.


      Fixes:

  * Fix compile problems on (upcoming) GCC 15 as it assumes C23 by
    default. This for future Fedora 42 and possibly Ubuntu 25.04, both
    scheduled around April 2025.
  * Fix crash on |SPAMREPORT <ip>| (IRCOp-only command) if the
    central-blocklist module is loaded.
  * Fix make_channel() not checking minimal validity of channel names.
    Only an issue for (bad) trusted remote server traffic.

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.10-rc1 available for testing

[Bram M. <sy...@un...>]

Hi everyone,

The release candidate for 6.1.10 is now available. The actual 6.1.10 
stable release will be in the week of March 7, 2025. You can help us by 
testing this release and reporting any bugs you find at 
https://bugs.unrealircd.org/

If you are on *NIX, you can upgrade to this release candidate with: 
./unrealircd upgrade --rc

This is mostly a maintenance release with a few small new features. See 
the release notes below.


      Enhancements:

  * In the spamfilter { }
    <https://www.unrealircd.org/docs/Spamfilter_block> block two new
    options:
      o |input-conversion|: This can be set to |none| to make the
        spamfilter run against the original text. This in contrast to
        how default spamfilter behaves where the text is matched against
        text that has color and control codes removed. Can be useful if
        you need to match against such a special character.
      o |show-message-content-on-hit|: this works like
        set::show-message-content-on-hit
        <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>.
        but on an individual spamfilter basis.
  * If |unrealircd.conf| doesn't exist then we now offer to copy the
    example configuration (showing a list of languages to pick from).
  * Ship with an offline copy of the wiki documentation
    (|doc/unrealircd_wiki.zim|). This is really only meant for cases
    where the wiki is unavailable, eg you don't have an internet
    connection, some major outage, etc. See ZIM
    <https://en.wikipedia.org/wiki/ZIM_(file_format)> and Kiwix
    <https://en.wikipedia.org/wiki/Kiwix> for more information.


      Changes:

  * Update the example configuration:
      o Mark specific sections with "CHANGE THIS" for people who are in
        a hurry and really only want to do the bare minimum to get the
        IRCd booted.
      o More things are commented out by default, like example link
        blocks and ulines.
      o In addition to the the default ircd.log text file log block,
        also add a JSON log block
        <https://www.unrealircd.org/docs/JSON_logging#Enabling_in_disk_logging>.
        JSON logging includes a lot of information about every event so
        is great for auditing purposes and machine readable.
  * Error on some more duplicate config items, eg allow::password.
  * In target-flood log messages we now show the message type (eg PRIVMSG).
  * Make the |./Config| question about remote includes
    <https://www.unrealircd.org/docs/Remote_includes> a bit more clear.
    The |https://| protocol is always supported and this question is
    only about supporting /other/ protocols and using the cURL library.


      Fixes:

  * Fix compile problems on (upcoming) GCC 15 as it assumes C23 by
    default. This for future Fedora 42 and possibly Ubuntu 25.04, both
    scheduled around April 2025.
  * Fix crash on |SPAMREPORT <ip>| (IRCOp-only command) if the
    central-blocklist module is loaded.
  * Fix make_channel() not checking minimal validity of channel names.
    Only an issue for (bad) trusted remote server traffic.

You can download UnrealIRCd from https://www.unrealircd.org/

Looking back on UnrealIRCd in 2024

[Bram M. <sy...@un...>]

It's the end of the year, so why not take an opportunity to look back on 
it. This year UnrealIRCd celebrated its 25th year birthday 
<https://forums.unrealircd.org/viewtopic.php?t=9363>, which is an 
amazing achievement that goes all the way back to the days of Stskeeps 
and codemastr.

*Nine UnrealIRCd releases this year*
2024 brought us five regular UnrealIRCd releases and four dot releases 
to quickly fix some bugs. Feature-wise we got ASN 
<https://www.unrealircd.org/docs/ASN> support, several new properties in 
security groups <https://www.unrealircd.org/docs/Security-group_block> 
and a lot of new functions in crules 
<https://www.unrealircd.org/docs/Crule>, more flexible ban user { } 
<https://www.unrealircd.org/docs/Ban_user_block> and require 
authentication { } 
<https://www.unrealircd.org/docs/Require_authentication_block> blocks 
because they now take a mask item 
<https://www.unrealircd.org/docs/Mask_item> for matching, a new extban 
<https://www.unrealircd.org/docs/Extended_bans#Group_4:_special> 
~inherit to make people banned in one channel also banned in another, 
auto-vhost support was new, set::restrict-commands 
<https://www.unrealircd.org/docs/Restrict_commands> with a new option 
channel-create for managing who may create new channels, and so on.

*Security was increased*
Almost exactly a year ago (29-dec-2023) we changed the default SSL/TLS 
settings <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols> to 
only allow TLSv1.2 and TLSv1.3 protocols and requiring ciphers that 
provide Forward Secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>. 
Later in 2024 we dropped support for AES in old CBC mode in the default 
settings, only allowing AES in GCM mode. Thanks to all this, Qualys SSL 
Labs gives a solid A rating 
<https://www.ssllabs.com/ssltest/analyze.html?d=irc.unrealircd.org&s=40.86.218.96>(*). 
On *NIX we have the handy "./unrealircd upgrade" command and we already 
do PGP/GPG verification of the release in there. This year we added 
support to also do PGP/GPG verification for hot and cold patching (those 
are used for quickly fixing issues, usually without a restart, thanks to 
modules).

*Sponsors and keeping the project sustainable*
Also new in 2024 is the sponsorship program 
<https://forums.unrealircd.org/viewtopic.php?t=9353>. We are happy 
people stepped in to cover the hosting costs. In particular we would 
like to thank IRCCloud for becoming a Platinum Sponsor, Réseau IRC 
Zeolia and Deutscher-Chat as Bronze Sponsors, and Dex, Jellis and Rafael 
Grether as Iron sponsors. Single donations are also still appreciated 
and so are the sponsors that contribute but wish to remain anonymous. 
Thanks to all this, and a little income from the shop 
<https://shop.unrealircd.org>, we cover almost 75% of the monthly 
running costs, which is great!

*The community*
Finally, I would like to thank the community: everyone who helps other 
people on irc.unrealircd.org and the forums. Everyone who contributes as 
a coder, translator or to the documentation/wiki. And naturally, all the 
admins/IRCOps who continue to use UnrealIRCd and invest time into 
growing their own IRC community, often each with their own niche, 
tinkering and tweaking their setup. On IRCStats 
<https://www.ircstats.org/servers> we can see UnrealIRCd is still going 
strong in terms of servers deployed. That's all thanks to the people who 
run UnrealIRCd, and the people who chat there.

(*) SSL Labs does not allow specifying a port like 6697, however 
irc.unrealircd.org also listens on port 443. We do that for easy 
websocket testing and hence it can be analyzed.

UnrealIRCd 6.1.9.1 released

[Bram M. <sy...@un...>]

Sorry, there was a bug in the TLS ciphers in 6.1.9. This caused TLSv1.2 
not to work with RSA certs. Glad we catched it within a day, fixed in 
UnrealIRCd 6.1.9.1.
For the 40-50 people who already downloaded 6.1.9, see 
https://forums.unrealircd.org/viewtopic.php?t=9399 
<https://forums.unrealircd.org/viewtopic.php?t=9399> on how to fix 
without restart.
For all others: use UnrealIRCd 6.1.9.1 for new installs.

The original 6.1.9 announcement is below:

UnrealIRCd 6.1.9(.1) is now available. This release fixes a number of 
bugs, such as IPv6 hosts not resolving in UnrealIRCd 6.1.8/6.1.8.1 and 
100% CPU usage in some circumstances. It also changes the SSL/TLS 
defaults to make things a little safer/better. Unless major issues are 
found this should be the last release of 2024. Next stable release is 
expected in January/February 2025.

As always, you can download UnrealIRCd from unrealircd.org 
<https://www.unrealircd.org/> and on *NIX you can upgrade with 
./unrealircd upgrade. Do you like UnrealIRCd? Consider making a donation 
<https://www.unrealircd.org/index/donations> or order something from the 
shop <https://shop.unrealircd.org>.


      Enhancements:

  * SSL/TLS:
      o Change default TLS ciphers
        <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols> to
        only allow AES in GCM mode and no longer in CBC mode.
      o When using cURL for remote includes
        <https://www.unrealircd.org/docs/Remote_includes> we now
        explicitly set the minimum required version to TLSv1.2 and set
        our default ciphers and ciphersuites. Note that by default in
        UnrealIRCd 6 the built-in (non-cURL) implementation is used for
        remote includes, which already used these defaults. Also note
        that most distros, like Ubuntu and Debian, already required
        TLSv1.2 or later effectively in cURL.
      o Regarding default ecdh-curves: we now try to set the curves list
        to |x25519:secp521r1:secp384r1:prime256v1| first, and if that
        fails then we try |secp521r1:secp384r1:prime256v1|. The former
        could fail due to SSL library restrictions (old library or when
        in FIPS mode). Previously we were also supposed to do it like
        that, but due to a bug always had X25519 turned off.


      Fixes:

  * IPv6 hosts not resolving in UnrealIRCd 6.1.8 and 6.1.8.1.
  * 100% CPU usage in some (rare) circumstances. The IRCd is still fully
    responsive, but of course high CPU usage is never good.
  * Crash in |STATS S| (IRCOp-only) if having vhosts with autologin (and
    no vhost::login).
  * The Windows version did not allow tweaking of set::tls::ecdh-curves.


      Changes:

  * Update shipped libraries: c-ares to 1.34.3
  * Update Windows libraries: c-ares to 1.34.3, curl to 8.11.0 and
    LibreSSL to 4.0.0.
  * Added |HELPOP EXTSERVERBANS| to explain Extended server bans
    <https://www.unrealircd.org/docs/Extended_server_bans>
  * Added new UnrealIRCd PGP release signing key
    <https://forums.unrealircd.org/viewtopic.php?p=40832>


      Developers and protocol:

  * No changes, other than the SSL/TLS changes mentioned earlier.

UnrealIRCd 6.1.9 released

[Bram M. <sy...@un...>]

UnrealIRCd 6.1.9 is now available. This release fixes a number of bugs, 
such as IPv6 hosts not resolving in UnrealIRCd 6.1.8/6.1.8.1 and 100% 
CPU usage in some circumstances. It also changes the SSL/TLS defaults to 
make things a little safer/better. Unless major issues are found this 
should be the last release of 2024. Next stable release is expected in 
January/February 2025.

As always, you can download UnrealIRCd from unrealircd.org 
<https://www.unrealircd.org/> and on *NIX you can upgrade with 
./unrealircd upgrade. Do you like UnrealIRCd? Consider making a donation 
<https://www.unrealircd.org/index/donations> or order something from the 
shop <https://shop.unrealircd.org>.


      Enhancements:

  * SSL/TLS:
      o Change default TLS ciphers
        <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols> to
        only allow AES in GCM mode and no longer in CBC mode.
      o When using cURL for remote includes
        <https://www.unrealircd.org/docs/Remote_includes> we now
        explicitly set the minimum required version to TLSv1.2 and set
        our default ciphers and ciphersuites. Note that by default in
        UnrealIRCd 6 the built-in (non-cURL) implementation is used for
        remote includes, which already used these defaults. Also note
        that most distros, like Ubuntu and Debian, already required
        TLSv1.2 or later effectively in cURL.
      o Regarding default ecdh-curves: we now try to set the curves list
        to |x25519:secp521r1:secp384r1:prime256v1| first, and if that
        fails then we try |secp521r1:secp384r1:prime256v1|. The former
        could fail due to SSL library restrictions (old library or when
        in FIPS mode). Previously we were also supposed to do it like
        that, but due to a bug always had X25519 turned off.


      Fixes:

  * IPv6 hosts not resolving in UnrealIRCd 6.1.8 and 6.1.8.1.
  * 100% CPU usage in some (rare) circumstances. The IRCd is still fully
    responsive, but of course high CPU usage is never good.
  * Crash in |STATS S| (IRCOp-only) if having vhosts with autologin (and
    no vhost::login).
  * The Windows version did not allow tweaking of set::tls::ecdh-curves.


      Changes:

  * Update shipped libraries: c-ares to 1.34.3
  * Update Windows libraries: c-ares to 1.34.3, curl to 8.11.0 and
    LibreSSL to 4.0.0.
  * Added |HELPOP EXTSERVERBANS| to explain Extended server bans
    <https://www.unrealircd.org/docs/Extended_server_bans>
  * Added new UnrealIRCd PGP release signing key
    <https://forums.unrealircd.org/viewtopic.php?p=40832>


      Developers and protocol:

  * No changes, other than the SSL/TLS changes mentioned earlier.

UnrealIRCd 6.1.8.1 released

[Bram M. <sy...@un...>]

UnrealIRCd 6.1.8.1 is a dot release, it fixes two bugs in 6.1.8:

  * If you have a vhost block without vhost::login, because you use the
    new auto-vhost functionality, then the IRCd will crash upon
    processing regular VHOST requests.
  * Strings were accidentally being lowercased in vhost::vhost,
    blacklist::reason and some other places.

The 6.1.8.1 release is mostly for new installs. Existing 6.1.8 users can 
fix the two bugs without needing to restart by running:
|./unrealircd hot-patch auto-vhost-618|

For all the other fixes and new functionality, see the 6.1.8 release 
notes below.

As always, you can download UnrealIRCd from unrealircd.org 
<https://www.unrealircd.org/>. Do you like UnrealIRCd? Consider making a 
donation <https://www.unrealircd.org/index/donations> or order something 
from the shop <https://shop.unrealircd.org>.


      Enhancements:

  * New Extended ban
    <https://www.unrealircd.org/docs/Extended_bans#Group_4:_special> to
    inherit channel bans from another channel:
      o If in channel |#test| you add |+b ~inherit:#main| then anyone
        banned in |#main| will be unable to join |#test|.
      o This only applies for on-join ban checking, not for quiet bans,
        nick-changes, text bans, etc.
      o If the other channel (|#main| in this example) also has
        |~inherit| bans then we do not follow these (no nesting).
      o The maximum number of ~inherit bans in a channel is limited to
        only 1 by default, see set::max-inherit-extended-bans
        <https://www.unrealircd.org/docs/Set_block#set::max-inherit-extended-bans>
      o This can also be used in |+I|, which entries are counted
        separately and have their own limit.
  * Vhosts <https://www.unrealircd.org/docs/Vhost_block>: We now support
    vhost::auto-login, which means you can set vhosts on users
    automatically and we support variables in vhost::vhost (this works
    similar to Gottem's autovhost module)
      o An example would be:

        |/* Give users who identify to Services using SASL a nice vhost
        */ vhost { auto-login yes; vhost $account.users.example.net;
        mask { identified yes; } }|

      o On-connect we will go through all vhost blocks that have
        auto-login set to yes. Blocks are processed in the same order as
        they are in the config (top-down). The first match wins.
      o Note that you could already use Services to do this task. This
        is just an extra feature so you can also do it in UnrealIRCd itself.
      o The variables that are supported now use a generic framework
        called Standard variables
        <https://www.unrealircd.org/docs/Standard_variables>
      o At the moment these can be used in vhost::vhost, oper::vhost,
        blacklist::reason and set::oper-vhost
  * New option set::oper-vhost
    <https://www.unrealircd.org/docs/Set_block#set::oper-vhost> which
    sets a default oper::vhost. For example: |set { oper-vhost
    $operclass.admin.example.net; }|
      o If both set::oper-vhost and oper::vhost are present, the
        oper::vhost takes precedence.
  * In the ban ip { } <https://www.unrealircd.org/docs/Ban_IP_block> and
    the ban nick { } <https://www.unrealircd.org/docs/Ban_nick_block>
    blocks you can now have multiple masks.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
      o New call |log.send|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.send> to send
        a log message / server notice.


      Fixes:

  * In some circumstances users could hang during the handshake when
    their DNS lookup result was cached and using c-ares 1.31.0 or later
    (which was released on June 18 2024 and shipped with UnrealIRCd
    6.1.7 to be used as a fallback for systems which don't have the
    c-ares library installed).
  * Websockets of type 'text' had IRC messages from server to client cut
    off too early when message tags were in use. Type 'binary' was
    unaffected.
  * The require authentication { } block
    <https://www.unrealircd.org/docs/Require_authentication_block> was
    broken in 6.1.7.*.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> call
    |spamfilter.get| could not retrieve information about config-based
    spamfilters.
  * The |decode_authenticate_plain()| was reading OOB. This function is
    not used by UnrealIRCd itself but could affect third party modules.
  * Crash on invalid server-to-server command regarding |REHASH| (This
    only affected trusted linked servers)


      Changes:

  * Security group blocks
    <https://www.unrealircd.org/docs/Security-group_block> are now
    hidden in lists by default. If you want the security group to be
    shown in things like |MODE #channel +b ~security-group:x| (which
    shows a list) then you need to use |public yes;|. The default
    security groups like known-users, webirc-users, etc. are public by
    default.
  * When retrieving cold or hot patches we now do proper GPG/PGP checks.
    Just like we do on |./unrealircd upgrade|
  * Update shipped libraries: c-ares to 1.33.1
  * Move +/- 1000 lines of code from core to modules (regarding
    throttling, maxperip, vhost, exit_client).


      Developers and protocol:

  * The |MD| S2S command now supports |BIGLINES|, allowing synching of
    16K serialized moddata per entry. We don't plan to use this anytime
    soon, this is mostly so all UnrealIRCd servers support this in a
    year or two. However, if you do plan to serialize big moddata
    results in your third party module then be sure all UnrealIRCd
    servers are on 6.1.8 or higher to prevent cut-off.

Re: UnrealIRCd 6.1.8 released / 6.1.8.1 release tomorrow

[Bram M. <sy...@un...>]

Sadly, a crash bug in the new vhost auto-login feature in UnrealIRCd 
6.1.8 was found. If you use the vhost auto-login functionality then we 
recommend to remove such a vhost block temporarily until a fix release 
is published on Friday. Regular vhost blocks are all ok. Fortunately 
vhost auto-login is a very new feature that is only out since a week, so 
hopefully it doesn't affect many people. The issue will also be hot 
patchable without restart.

On Fri 11-10-2024 09.13, Bram Matthys wrote:
> UnrealIRCd 4.0.0 released
>
> Hi everyone,
>
> I'm happy to announce the release of UnrealIRCd 6.1.8 stable. This is 
> mostly a bug fix release but also adds a new extban ~inherit and 
> auto-login support for vhosts. See the full release notes below.
>
> As always, you can download UnrealIRCd from unrealircd.org 
> <https://www.unrealircd.org/>. If you want to upgrade on *NIX, then 
> use: *./unrealircd upgrade*
>
> Do you like UnrealIRCd? Consider making a donation 
> <https://www.unrealircd.org/index/donations> or order something from 
> the shop <https://shop.unrealircd.org>.
>
>
>       Enhancements:
>
>   * New Extended ban
>     <https://www.unrealircd.org/docs/Extended_bans#Group_4:_special>
>     to inherit channel bans from another channel:
>       o If in channel |#test| you add |+b ~inherit:#main| then anyone
>         banned in |#main| will be unable to join |#test|.
>       o This only applies for on-join ban checking, not for quiet
>         bans, nick-changes, text bans, etc.
>       o If the other channel (|#main| in this example) also has
>         |~inherit| bans then we do not follow these (no nesting).
>       o The maximum number of ~inherit bans in a channel is limited to
>         only 1 by default, see set::max-inherit-extended-bans
>         <https://www.unrealircd.org/docs/Set_block#set::max-inherit-extended-bans>
>       o This can also be used in |+I|, which entries are counted
>         separately and have their own limit.
>   * Vhosts <https://www.unrealircd.org/docs/Vhost_block>: We now
>     support vhost::auto-login, which means you can set vhosts on users
>     automatically and we support variables in vhost::vhost (this works
>     similar to Gottem's autovhost module)
>       o An example would be:
>         |/* Give users who identify to Services using SASL a nice
>         vhost */ vhost { auto-login yes; vhost
>         $account.users.example.net; mask { identified yes; } }|
>       o On-connect we will go through all vhost blocks that have
>         auto-login set to yes. Blocks are processed in the same order
>         as they are in the config (top-down). The first match wins.
>       o Note that you could already use Services to do this task. This
>         is just an extra feature so you can also do it in UnrealIRCd
>         itself.
>       o The variables that are supported now use a generic framework
>         called Standard variables
>         <https://www.unrealircd.org/docs/Standard_variables>
>       o At the moment these can be used in vhost::vhost, oper::vhost,
>         blacklist::reason and set::oper-vhost
>   * New option set::oper-vhost
>     <https://www.unrealircd.org/docs/Set_block#set::oper-vhost> which
>     sets a default oper::vhost. For example: |set { oper-vhost
>     $operclass.admin.example.net; }|
>       o If both set::oper-vhost and oper::vhost are present, the
>         oper::vhost takes precedence.
>   * In the ban ip { } <https://www.unrealircd.org/docs/Ban_IP_block>
>     and the ban nick { }
>     <https://www.unrealircd.org/docs/Ban_nick_block> blocks you can
>     now have multiple masks.
>   * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
>       o New call |log.send|
>         <https://www.unrealircd.org/docs/JSON-RPC:Log#log.send> to
>         send a log message / server notice.
>
>
>       Fixes:
>
>   * In some circumstances users could hang during the handshake when
>     their DNS lookup result was cached and using c-ares 1.31.0 or
>     later (which was released on June 18 2024 and shipped with
>     UnrealIRCd 6.1.7 to be used as a fallback for systems which don't
>     have the c-ares library installed).
>   * Websockets of type 'text' had IRC messages from server to client
>     cut off too early when message tags were in use. Type 'binary' was
>     unaffected.
>   * The require authentication { } block
>     <https://www.unrealircd.org/docs/Require_authentication_block> was
>     broken in 6.1.7.*.
>   * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> call
>     |spamfilter.get| could not retrieve information about config-based
>     spamfilters.
>   * The |decode_authenticate_plain()| was reading OOB. This function
>     is not used by UnrealIRCd itself but could affect third party modules.
>   * Crash on invalid server-to-server command regarding |REHASH| (This
>     only affected trusted linked servers)
>
>
>       Changes:
>
>   * Security group blocks
>     <https://www.unrealircd.org/docs/Security-group_block> are now
>     hidden in lists by default. If you want the security group to be
>     shown in things like |MODE #channel +b ~security-group:x| (which
>     shows a list) then you need to use |public yes;|. The default
>     security groups like known-users, webirc-users, etc. are public by
>     default.
>   * When retrieving cold or hot patches we now do proper GPG/PGP
>     checks. Just like we do on |./unrealircd upgrade|
>   * Update shipped libraries: c-ares to 1.33.1
>   * Move +/- 1000 lines of code from core to modules (regarding
>     throttling, maxperip, vhost, exit_client).
>
>
>       Developers and protocol:
>
>   * The |MD| S2S command now supports |BIGLINES|, allowing synching of
>     16K serialized moddata per entry. We don't plan to use this
>     anytime soon, this is mostly so all UnrealIRCd servers support
>     this in a year or two. However, if you do plan to serialize big
>     moddata results in your third party module then be sure all
>     UnrealIRCd servers are on 6.1.8 or higher to prevent cut-off.
>
>

UnrealIRCd 6.1.8 released

[Bram M. <sy...@un...>]

Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.8 stable. This is 
mostly a bug fix release but also adds a new extban ~inherit and 
auto-login support for vhosts. See the full release notes below.

As always, you can download UnrealIRCd from unrealircd.org 
<https://www.unrealircd.org/>. If you want to upgrade on *NIX, then use: 
*./unrealircd upgrade*

Do you like UnrealIRCd? Consider making a donation 
<https://www.unrealircd.org/index/donations> or order something from the 
shop <https://shop.unrealircd.org>.


      Enhancements:

  * New Extended ban
    <https://www.unrealircd.org/docs/Extended_bans#Group_4:_special> to
    inherit channel bans from another channel:
      o If in channel |#test| you add |+b ~inherit:#main| then anyone
        banned in |#main| will be unable to join |#test|.
      o This only applies for on-join ban checking, not for quiet bans,
        nick-changes, text bans, etc.
      o If the other channel (|#main| in this example) also has
        |~inherit| bans then we do not follow these (no nesting).
      o The maximum number of ~inherit bans in a channel is limited to
        only 1 by default, see set::max-inherit-extended-bans
        <https://www.unrealircd.org/docs/Set_block#set::max-inherit-extended-bans>
      o This can also be used in |+I|, which entries are counted
        separately and have their own limit.
  * Vhosts <https://www.unrealircd.org/docs/Vhost_block>: We now support
    vhost::auto-login, which means you can set vhosts on users
    automatically and we support variables in vhost::vhost (this works
    similar to Gottem's autovhost module)
      o An example would be:

        |/* Give users who identify to Services using SASL a nice vhost
        */ vhost { auto-login yes; vhost $account.users.example.net;
        mask { identified yes; } }|

      o On-connect we will go through all vhost blocks that have
        auto-login set to yes. Blocks are processed in the same order as
        they are in the config (top-down). The first match wins.
      o Note that you could already use Services to do this task. This
        is just an extra feature so you can also do it in UnrealIRCd itself.
      o The variables that are supported now use a generic framework
        called Standard variables
        <https://www.unrealircd.org/docs/Standard_variables>
      o At the moment these can be used in vhost::vhost, oper::vhost,
        blacklist::reason and set::oper-vhost
  * New option set::oper-vhost
    <https://www.unrealircd.org/docs/Set_block#set::oper-vhost> which
    sets a default oper::vhost. For example: |set { oper-vhost
    $operclass.admin.example.net; }|
      o If both set::oper-vhost and oper::vhost are present, the
        oper::vhost takes precedence.
  * In the ban ip { } <https://www.unrealircd.org/docs/Ban_IP_block> and
    the ban nick { } <https://www.unrealircd.org/docs/Ban_nick_block>
    blocks you can now have multiple masks.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
      o New call |log.send|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.send> to send
        a log message / server notice.


      Fixes:

  * In some circumstances users could hang during the handshake when
    their DNS lookup result was cached and using c-ares 1.31.0 or later
    (which was released on June 18 2024 and shipped with UnrealIRCd
    6.1.7 to be used as a fallback for systems which don't have the
    c-ares library installed).
  * Websockets of type 'text' had IRC messages from server to client cut
    off too early when message tags were in use. Type 'binary' was
    unaffected.
  * The require authentication { } block
    <https://www.unrealircd.org/docs/Require_authentication_block> was
    broken in 6.1.7.*.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> call
    |spamfilter.get| could not retrieve information about config-based
    spamfilters.
  * The |decode_authenticate_plain()| was reading OOB. This function is
    not used by UnrealIRCd itself but could affect third party modules.
  * Crash on invalid server-to-server command regarding |REHASH| (This
    only affected trusted linked servers)


      Changes:

  * Security group blocks
    <https://www.unrealircd.org/docs/Security-group_block> are now
    hidden in lists by default. If you want the security group to be
    shown in things like |MODE #channel +b ~security-group:x| (which
    shows a list) then you need to use |public yes;|. The default
    security groups like known-users, webirc-users, etc. are public by
    default.
  * When retrieving cold or hot patches we now do proper GPG/PGP checks.
    Just like we do on |./unrealircd upgrade|
  * Update shipped libraries: c-ares to 1.33.1
  * Move +/- 1000 lines of code from core to modules (regarding
    throttling, maxperip, vhost, exit_client).


      Developers and protocol:

  * The |MD| S2S command now supports |BIGLINES|, allowing synching of
    16K serialized moddata per entry. We don't plan to use this anytime
    soon, this is mostly so all UnrealIRCd servers support this in a
    year or two. However, if you do plan to serialize big moddata
    results in your third party module then be sure all UnrealIRCd
    servers are on 6.1.8 or higher to prevent cut-off.

UnrealIRCd 6.1.8-rc1 available for testing

[Bram M. <sy...@un...>]

Hi everyone,

The release candidate for 6.1.8 is now available. The actual 6.1.8 
stable release will be around mid-October. Testing is appreciated. If 
you find anything, please report the issue at 
https://bugs.unrealircd.org<https://bugs.unrealircd.org>.

This release fixes a number of bugs and also adds a new extban ~inherit 
and auto-login for vhosts. See the release notes below.


      Enhancements:

  * New Extended ban
    <https://www.unrealircd.org/docs/Extended_bans#Group_4:_special> to
    inherit channel bans from another channel:
      o If in channel |#test| you add |+b ~inherit:#main| then anyone
        banned in |#main| will be unable to join |#test|.
      o This only applies for on-join ban checking, not for quiet bans,
        nick-changes, text bans, etc.
      o If the other channel (|#main| in this example) also has
        |~inherit| bans then we do not follow these (no nesting).
      o The maximum number of ~inherit bans in a channel is limited to
        only 1 by default, see set::max-inherit-extended-bans
        <https://www.unrealircd.org/docs/Set_block#set::max-inherit-extended-bans>
      o This can also be used in |+I|, which entries are counted
        separately and have their own limit.
  * Vhosts <https://www.unrealircd.org/docs/Vhost_block>: We now support
    vhost::auto-login, which means you can set vhosts on users
    automatically and we support variables in vhost::vhost (this works
    similar to Gottem's autovhost module)
      o An example would be:

        |/* Give users who identify to Services using SASL a nice vhost
        */ vhost { auto-login yes; vhost $account.users.example.net;
        mask { identified yes; } }|

      o On-connect we will go through all vhost blocks that have
        auto-login set to yes. Blocks are processed in the same order as
        they are in the config (top-down). The first match wins.
      o Note that you could already use Services to do this task. This
        is just an extra feature so you can also do it in UnrealIRCd itself.
      o The variables that are supported now use a generic framework
        called Standard variables
        <https://www.unrealircd.org/docs/Standard_variables>
      o At the moment these can be used in vhost::vhost, oper::vhost,
        blacklist::reason and set::oper-vhost
  * New option set::oper-vhost
    <https://www.unrealircd.org/docs/Set_block#set::oper-vhost> which
    sets a default oper::vhost. For example: |set { oper-vhost
    $operclass.admin.example.net; }|
      o If both set::oper-vhost and oper::vhost are present, the
        oper::vhost takes precedence.
  * In the ban ip { } <https://www.unrealircd.org/docs/Ban_IP_block> and
    the ban nick { } <https://www.unrealircd.org/docs/Ban_nick_block>
    blocks you can now have multiple masks.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
      o New call |log.send|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.send> to send
        a log message / server notice.


      Fixes:

<https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#fixes>

  * In some circumstances users could hang during the handshake when
    their DNS lookup result was cached and using c-ares 1.31.0 or later
    (which was released on June 18 2024 and shipped with UnrealIRCd
    6.1.7 to be used as a fallback for systems which don't have the
    c-ares library installed).
  * Websockets of type 'text' had IRC messages from server to client cut
    off too early when message tags were in use. Type 'binary' was
    unaffected.
  * The require authentication { } block
    <https://www.unrealircd.org/docs/Require_authentication_block> was
    broken in 6.1.7.*.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> call
    |spamfilter.get| could not retrieve information about config-based
    spamfilters.
  * The |decode_authenticate_plain()| was reading OOB. This function is
    not used by UnrealIRCd itself but could affect third party modules.
  * Crash on invalid server-to-server command regarding |REHASH| (This
    only affected trusted linked servers)


      Changes:

<https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#changes>

  * Security group blocks
    <https://www.unrealircd.org/docs/Security-group_block> are now
    hidden in lists by default. If you want the security group to be
    shown in things like |MODE #channel +b ~security-group:x| (which
    shows a list) then you need to use |public yes;|. The default
    security groups like known-users, webirc-users, etc. are public by
    default.
  * When retrieving cold or hot patches we now do proper GPG/PGP checks.
    Just like we do on |./unrealircd upgrade|
  * Update shipped libraries: c-ares to 1.33.1
  * Move +/- 1000 lines of code from core to modules (regarding
    throttling, maxperip, vhost, exit_client).


      Developers and protocol:

<https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#developers-and-protocol>

  * The |MD| S2S command now supports |BIGLINES|, allowing synching of
    16K serialized moddata per entry. We don't plan to use this anytime
    soon, this is mostly so all UnrealIRCd servers support this in a
    year or two. However, if you do plan to serialize big moddata
    results in your third party module then be sure all UnrealIRCd
    servers are on 6.1.8 or higher to prevent cut-off.

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.7.1 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Today I have released UnrealIRCd 6.1.7.1. This fixes a completely 
harmless log message to IRCOps popping up sometimes ("[BUG] trying to 
modify fd -2"). This issue did not affect everyone, it happens with 
certain DNSBL hits and only if you are using c-ares library version 
1.31.0 or later (which happens if you don't have c-ares installed as a 
system library and it falls back to the UnrealIRCd shipped one).

UnrealIRCd 6.1.7.1 fixes the case that caused that log message, and it 
also adds ASN support in WHOWAS.

If you are not seeing the log messages or are not bothered by them then 
there is no reason to upgrade.

The original 6.1.7 announcement is below

It has been only a month since previous release, but I'm happy to 
announce UnrealIRCd 6.1.7. The main purpose of this release is adding 
new features, such as ASN support, more flexible ban user { } and ban 
authentication { } blocks and more. See the release notes below for all 
details.


      Enhancements:

  * In the ban user { } <https://www.unrealircd.org/docs/Ban_user_block>
    and require authentication { }
    <https://www.unrealircd.org/docs/Require_authentication_block>
    blocks the |mask| is now a Mask item
    <https://www.unrealircd.org/docs/Mask_item>. This means you can use
    all the power of mask items and security groups and multiple
    matching criteria.
  * The GeoIP module now contains information about Autonomous System
    Numbers <https://www.unrealircd.org/docs/ASN>:
      o The asn is shown in the user connecting notice as |[asn: ###]|,
        is shown in |WHOIS| (for IRCOps) and it is expanded in JSON data
        such as JSON Logging
        <https://www.unrealircd.org/docs/JSON_logging> and JSON-RPC
        <https://www.unrealircd.org/docs/JSON-RPC> calls like |user.list|.
      o Can be used in Extended server ban
        <https://www.unrealircd.org/docs/Extended_server_bans>: |GLINE
        ~asn:64496 0 This ISP is banned|.
      o Can be used in security groups and mask items
        <https://www.unrealircd.org/docs/Mask_item> so you can do like:

        |require authentication { mask { asn { 64496; 64497; 64498; } }
        reason "Too much abuse from this ISP. You are required to log in
        with an account using SASL."; }|

      o In Crule <https://www.unrealircd.org/docs/Crule> functions as
        |match_asn(64496)|
      o Also available in regular extbans/invex, but normally users
        don't know the IP or ASN of other users, unless you use no
        cloaking or change set::whois-details::asn
        <https://www.unrealircd.org/docs/Set_block#set::whois-details>.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>: Similar to oper
    and operclass, in an rpc-user
    <https://www.unrealircd.org/docs/Rpc-user_block> you now have to
    specify an rpc-user::rpc-class. The rpc-class is defined in an
    rpc-class block <https://www.unrealircd.org/docs/Rpc-class_block>
    and configures what JSON methods can be called.
    There are two default json-rpc classes:
      o |full|: access to all JSON-RPC Methods
      o |read-only|: access to things like /server_ban.list/ but not to
        /server_ban.add/
  * set::spamfilter::except
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::except>
    is now a Mask item <https://www.unrealircd.org/docs/Mask_item>
    instead of only a list of exempted targets. A warning is created to
    existing users along with a suggestion of how to use the new syntax.
    Technically, this is not really new functionality as all this was
    already possible via the Except ban block
    <https://www.unrealircd.org/docs/Except_ban_block> with type
    spamfilter, but it is more visible/logical to have this also.
  * New option set::hide-killed-by
    <https://www.unrealircd.org/docs/Set_block#set::hide-killed-by>: We
    normally show the nickname of the oper who did the /KILL in the quit
    message. When set to |yes| the quit message becomes shortened to
    "Killed (Reason)". This can prevent oper harassment.
  * set::restrict-commands
    <https://www.unrealircd.org/docs/Restrict_commands>: new option
    |channel-create| for managing who may create new channels.
  * New option set::tls::certificate-expiry-notification
    <https://www.unrealircd.org/docs/Set_block#set::tls::certificate-expiry-notification>:
    since UnrealIRCd 5.0.8 we warn if a SSL/TLS certificate is (nearly)
    expired. This new option allows turning it off, it is (still) on by
    default.
  * Add the ability to capture the same data as Central Spamreport
    <https://www.unrealircd.org/docs/Central_spamreport> by providing an
    spamreport::url option.


      Changes:

  * IRCOps with the operclass |locop| can now only |REHASH| the local
    server and not remote servers.
  * Comment out some more in example.conf by default
  * Update shipped libraries: c-ares to 1.31.0, PCRE2 to 10.44, Sodium
    to 1.0.20


      Fixes:

  * Crash when removing the |websocket| option on a websocket listener.
  * Silence some compiler warnings regarding deprecation of c-ares API
    in src/dns.c.
  * Memory leaks of around 1-2KB per rehash


      Developers and protocol:

  * We use numeric 569 (RPL_WHOISASN) for displaying ASN info to IRCOps:
    |:irc.example.net 569 x whoiseduser 64496 :is connecting from
    AS64496 [Example Corp]|

As always, you can download UnrealIRCd from https://www.unrealircd.org/. 
On *NIX you can upgrade with: ./unrealircd upgrade

UnrealIRCd 6.1.7 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

It has been only a month since previous release, but I'm happy to 
announce UnrealIRCd 6.1.7. The main purpose of this release is adding 
new features, such as ASN support, more flexible ban user { } and ban 
authentication { } blocks and more. See the release notes below for all 
details.


      Enhancements:

<https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#enhancements>

  * In the ban user { } <https://www.unrealircd.org/docs/Ban_user_block>
    and require authentication { }
    <https://www.unrealircd.org/docs/Require_authentication_block>
    blocks the |mask| is now a Mask item
    <https://www.unrealircd.org/docs/Mask_item>. This means you can use
    all the power of mask items and security groups and multiple
    matching criteria.
  * The GeoIP module now contains information about Autonomous System
    Numbers <https://www.unrealircd.org/docs/ASN>:
      o The asn is shown in the user connecting notice as |[asn: ###]|,
        is shown in |WHOIS| (for IRCOps) and it is expanded in JSON data
        such as JSON Logging
        <https://www.unrealircd.org/docs/JSON_logging> and JSON-RPC
        <https://www.unrealircd.org/docs/JSON-RPC> calls like |user.list|.
      o Can be used in Extended server ban
        <https://www.unrealircd.org/docs/Extended_server_bans>: |GLINE
        ~asn:64496 0 This ISP is banned|.
      o Can be used in security groups and mask items
        <https://www.unrealircd.org/docs/Mask_item> so you can do like:

        |require authentication { mask { asn { 64496; 64497; 64498; } }
        reason "Too much abuse from this ISP. You are required to log in
        with an account using SASL."; }|

      o In Crule <https://www.unrealircd.org/docs/Crule> functions as
        |match_asn(64496)|
      o Also available in regular extbans/invex, but normally users
        don't know the IP or ASN of other users, unless you use no
        cloaking or change set::whois-details::asn
        <https://www.unrealircd.org/docs/Set_block#set::whois-details>.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>: Similar to oper
    and operclass, in an rpc-user
    <https://www.unrealircd.org/docs/Rpc-user_block> you now have to
    specify an rpc-user::rpc-class. The rpc-class is defined in an
    rpc-class block <https://www.unrealircd.org/docs/Rpc-class_block>
    and configures what JSON methods can be called.
    There are two default json-rpc classes:
      o |full|: access to all JSON-RPC Methods
      o |read-only|: access to things like /server_ban.list/ but not to
        /server_ban.add/
  * set::spamfilter::except
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::except>
    is now a Mask item <https://www.unrealircd.org/docs/Mask_item>
    instead of only a list of exempted targets. A warning is created to
    existing users along with a suggestion of how to use the new syntax.
    Technically, this is not really new functionality as all this was
    already possible via the Except ban block
    <https://www.unrealircd.org/docs/Except_ban_block> with type
    spamfilter, but it is more visible/logical to have this also.
  * New option set::hide-killed-by
    <https://www.unrealircd.org/docs/Set_block#set::hide-killed-by>: We
    normally show the nickname of the oper who did the /KILL in the quit
    message. When set to |yes| the quit message becomes shortened to
    "Killed (Reason)". This can prevent oper harassment.
  * set::restrict-commands
    <https://www.unrealircd.org/docs/Restrict_commands>: new option
    |channel-create| for managing who may create new channels.
  * New option set::tls::certificate-expiry-notification
    <https://www.unrealircd.org/docs/Set_block#set::tls::certificate-expiry-notification>:
    since UnrealIRCd 5.0.8 we warn if a SSL/TLS certificate is (nearly)
    expired. This new option allows turning it off, it is (still) on by
    default.
  * Add the ability to capture the same data as Central Spamreport
    <https://www.unrealircd.org/docs/Central_spamreport> by providing an
    spamreport::url option.


      Changes:

<https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#changes>

  * IRCOps with the operclass |locop| can now only |REHASH| the local
    server and not remote servers.
  * Comment out some more in example.conf by default
  * Update shipped libraries: c-ares to 1.31.0, PCRE2 to 10.44, Sodium
    to 1.0.20


      Fixes:

<https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#fixes>

  * Crash when removing the |websocket| option on a websocket listener.
  * Silence some compiler warnings regarding deprecation of c-ares API
    in src/dns.c.
  * Memory leaks of around 1-2KB per rehash


      Developers and protocol:

<https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#developers-and-protocol>

  * We use numeric 569 (RPL_WHOISASN) for displaying ASN info to IRCOps:
    |:irc.example.net 569 x whoiseduser 64496 :is connecting from
    AS64496 [Example Corp]|

As always, you can download UnrealIRCd from https://www.unrealircd.org/. 
On *NIX you can upgrade with: ./unrealircd upgrade

UnrealIRCd 6.1.6 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

Today I'm happy to announce the release of UnrealIRCd 6.1.6 stable. This 
is mostly a bug fix release but also comes with some enhancements. More 
information in the release notes below.


      Enhancements:

<https://github.com/unrealircd/unrealircd/blob/dd2242b6a80b50e1defcc85ed1e7aee3b96972a8/doc/RELEASE-NOTES.md#enhancements>

  * Crule <https://www.unrealircd.org/docs/Crule> functions can now do
    everything that security group blocks
    <https://www.unrealircd.org/docs/Security-group_block> can do.
    In practice, this means the following functions were added in this
    release:
      o |is_tls()| returns true if the client is using SSL/TLS
      o |in_security_group('known-users')| returns true if the user is
        in the specified security group
        <https://www.unrealircd.org/docs/Security-group_block>.
      o |match_mask('*@*.example.org')| or |match_mask('*.example.org')|
        returns true if client matches mask.
      o |match_ip('192.168.*')| or with CIDR like
        |match_ip('192.168.0.0/16')| returns true if IP address of
        client matches.
      o |is_identified()| which returns true if the client is identified
        to a services account.
      o |is_webirc()| which returns true if the client is connected
        using WEBIRC.
      o |is_websocket()| which returns true if the client is connected
        using WebSockets.
      o |match_realname('*xyz*')| which returns true if the real name
        (gecos) contains xyz.
      o |match_account('xyz')| which returns true if the services
        account name is xyz.
      o |match_country('NL')| which returns true if GeoIP
        <https://www.unrealircd.org/docs/GeoIP> determined the country
        to be NL.
      o |match_certfp('abc')| which returns true if the Certificate
        fingerprint
        <https://www.unrealircd.org/docs/Certificate_fingerprint> is abc.


      Changes:

<https://github.com/unrealircd/unrealircd/blob/dd2242b6a80b50e1defcc85ed1e7aee3b96972a8/doc/RELEASE-NOTES.md#changes>

  * For many years |REHASH -all| is the same as |REHASH| so we now
    reject the former.
  * The Crule <https://www.unrealircd.org/docs/Crule> function
    |inchannel('#xyz')| is now called |in_channel('#xyz')| to match the
    naming style of the other functions. The old name will keep working
    for the entire UnrealIRCd 6 series too.


      Fixes:

<https://github.com/unrealircd/unrealircd/blob/dd2242b6a80b50e1defcc85ed1e7aee3b96972a8/doc/RELEASE-NOTES.md#fixes>

  * Crash if you first REHASH and have a parse error (failed rehash 1)
    and then REHASH again but have a "late" rehash error, such as a
    remote include failing to load (failed rehash 2).
  * Crash on Windows when using Crule
    <https://www.unrealircd.org/docs/Crule> functions, Central
    Spamreport <https://www.unrealircd.org/docs/Central_spamreport> or
    Central Spamfilter <https://www.unrealircd.org/docs/Central_Spamfilter>.
  * Conditional config
    <https://www.unrealircd.org/docs/Defines_and_conditional_config>:
    using @if with a variable like |@if $VAR == "something"| always
    evaluated to false.
  * A |~forward|
    <https://www.unrealircd.org/docs/Extended_bans#Group_2:_actions> ban
    did not check ban exemptions (+e), always forwarding the user.
  * When booting for the first time (without any cached files) the IRCd
    downloads GeoIP.dat. If that fails, e.g. due to lack of internet
    connectivity, we now show a warning and continue booting instead of
    it being a hard error. Note that we already dealt with this properly
    after the file has been cached (so after first download), see "What
    if your web server is down" in Remote includes
    <https://www.unrealircd.org/docs/Remote_includes#What_if_your_web_server_is_down>.


      Removed:

  * The |tls-and-known-users| security group
    <https://www.unrealircd.org/docs/Security-group_block> was
    confusing, in the sense that this group consisted of tls-users and
    of known-users (in an OR fashion, not AND). Since this group is
    rarely used it has now been removed altogether. If you used it in
    your configuration then you can still manually (re)create the
    security group with:
    |security-group tls-and-known-users { identified yes;
    reputation-score 25; tls yes; }|


      Developers and protocol:

<https://github.com/unrealircd/unrealircd/blob/dd2242b6a80b50e1defcc85ed1e7aee3b96972a8/doc/RELEASE-NOTES.md#developers-and-protocol>

  * Modules can now provide SASL locally, see Dev:Authentication module
    <https://www.unrealircd.org/docs/Dev:Authentication_module>.

As always, you can download UnrealIRCd from https://www.unrealircd.org/. 
On *NIX you can upgrade with: ./unrealircd upgrade

UnrealIRCd celebrates its 25th birthday

[Bram M. <sy...@un...>]

Hi everyone,

This month UnrealIRCd celebrates its 25th birthday. IRC changed over all 
those years. There's a clear consolidation, with fewer IRC networks now 
than before, but IRC is still alive and kicking. That's in part due to a 
persistent user base but also very much thanks to all those people who 
keep IRC up to date, people making IRC server software (not just 
UnrealIRCd), people running IRC networks, the IRCv3 working group 
<https://ircv3.net/>, IRC clients that tap in a different market than 
traditional text-mode and desktop IRC clients, clients like IRCCloud 
<https://www.irccloud.com/>, The lounge <https://thelounge.chat> and 
Kiwi IRC <https://kiwiirc.com> to name a few. Everyone is trying to make 
IRC more intuitive, more modern, so new users can appreciate IRC as well.

With regards to UnrealIRCd, I would like to thank our sponsors and 
donators <https://www.unrealircd.org/index/donations> for their support. 
We launched a new sponsorship program 
<https://forums.unrealircd.org/viewtopic.php?t=9353> this year and are 
grateful to our monthly sponsors to help us with our monthly hosting 
costs (we could still use a little help here). Thanks also to all the 
people contributing to the development, the documentation (wiki), all 
the official supporters and other people hanging out in our 
#unreal-support channel. As already mentioned, a big thanks to all the 
IRC networks, often run by volunteers, all the opers there, the 
individual IRC users who have been using and enjoying UnrealIRCd! 
Without your continued support and your feedback we wouldn't be where we 
are today.

Let me end with this fantastic XKCD comic from several years ago. It 
highlights what I like most of IRC: it's not one centrally managed and 
dictated protocol, one network, one brand, like the big social media 
today. IRC is flexible and gives you choices: you can run your own 
network with its own community and its own rules, you choose which IRC 
server software to use and configure it to suit your needs. And to top 
it off: all your users can choose which IRC client they use to connect 
to your network, an IRC client set up in the way they like it, with its 
pros and cons and its never ending tinkering.

XKCD comic #1782 "Team Chat"


If you are interested in some UnrealIRCd history, and some word about 
the present, then you can continue reading below.

*1999 - 2013*
UnrealIRCd was founded by Stskeeps in May 1999. I was not involved with 
the first 2 years of the project, but I remember that UnrealIRCd was 
already quite popular when UnrealIRCd 3.1.x came out in 2000. In 2001 I 
joined the development team and together with codemastr and Stskeeps we 
made UnrealIRCd 3.2.x which took 3 years in total and was maintained for 
another 12 years. Feature-wise 3.2 brought a completely new 
configuration file, unlike all other IRC Daemons back then, which made 
us very flexible. Other notable major features were: support for 
modules, anti-flood features like channel mode +f and spam filtering. It 
was UnrealIRCd 3.2.x that made us conquer the market, resulting in a 
market share of over 50% at that time (in terms of IRC servers 
deployed). It were crazy times with many networks installing UnrealIRCd, 
even beta versions. The support channel was completely overwhelmed. Some 
people may even remember our support bot that we had for several years: 
the #unreal-support channel was moderated (+m) and upon joining you had 
to answer a short 5 question quiz with some basic questions in order to 
get voice (+v) and support. UnrealIRCd 3.2.x was awesome for many years 
but in the end development slowed down too much.

*2014 - 2024*
The old UnrealIRCd 3.2.x code base was getting in the way of 
implementing new things. In 2015 came UnrealIRCd 4 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4> with the 
help of Heero and nenolod. It had major source code cleanups and server 
protocol changes, a major configuration file overhaul, improved 
documentation and a lot of other new features to make things more 
flexible and an admins life easier. Since then, UnrealIRCd was actively 
maintained again with regular releases. UnrealIRCd 5 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5> came out 
in Dec 2019 with security enhancements, a lot more IRCv3 features, 
channel history and improved websocket support. Followed by UnrealIRCd 6 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_6> in Dec 
2021 with a modern logging system with (optional) JSON support, again 
more flexibility, even more modular, an external JSON-RPC interface 
making a webpanel possible 
<https://www.unrealircd.org/docs/UnrealIRCd_webpanel>, and more.

*The present*
Nowadays we have a very modular IRCd, with pretty much all standardized 
IRCv3 features implemented and great security features. The last 12 
months had a number of spam waves and we quickly developed and responded 
with Central Blocklist 
<https://www.unrealircd.org/docs/Central_Blocklist> and some other 
services, effectively stoping all efknockr spam. It's good to see us, 
along with the wider community, staying up to date with the present 
threats and challenges of today and we have no plans to stop!

Best regards,

Bram Matthys ("Syzop")

UnrealIRCd 6.1.5 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

Today I have released UnrealIRCd 6.1.5 stable. This is a regular release 
with various enhancements and bug fixes. More information in the release 
notes below.

I can also announce the official launch of our sponsorship program and 
merchandise shop <https://forums.unrealircd.org/viewtopic.php?t=9353>. 
If you like UnrealIRCd and want to support us then consider becoming a 
sponsor, make a donation or buy yourself something nice from the shop. 
If you can't spare the money or don't want to donate, that is fine too. 
UnrealIRCd will always be free.


      Enhancements:

  * You can now use oper::auto-join
    <https://www.unrealircd.org/docs/Oper_block#auto-join> in an oper
    block to override the generic set::oper-auto-join
    <https://www.unrealircd.org/docs/Set_block#set::oper-auto-join> setting.
  * The |operclass| property is now available in the security-group
    block <https://www.unrealircd.org/docs/Security-group_block> and
    mask items.
    Eg: |security-group netadmin { operclass { netadmin;
    netadmin-with-override; } }|
  * Support for IRCv3 |draft/no-implicit-names|
    <https://ircv3.net/specs/extensions/no-implicit-names>
  * Improved performance by skipping useless |TAGMSG| spamfilter checks
    (e.g. for typing notifications).
  * Improved performance if you have hundreds of non-regex spamfilters.
  * Add more Crule <https://www.unrealircd.org/docs/Crule> functions:
      o |is_away()| returns true if the client is currently away
      o |has_user_mode('x')| returns true if all the user modes are set
        on the client.
      o |has_channel_mode('x')| can be used for spamfilters with a
        destination channel, such as messages: it returns true if all
        specified channel modes are set on the channel.
  * Add |example.pt.conf| - (Brazilian) Portuguese example configuration
    file.


      Changes:

  * The config parser now logs a warning if you have a |/*| within a |/*|


      Fixes:

  * The whowasdb module caused |WHOWAS| entries to vanish (way too soon)
  * If your shell account only allowed very few file descriptors (eg:
    |ulimit -n| returned |150|), then UnrealIRCd would fail to boot.
    This, because due to reserved file descriptors you would have 0
    left, or even a negative number.
  * Crash when running |SPAMFILTER| as an IRCOp when using UTF8 spamfilters.
  * Set blocks for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>
    allow you to set a custom set::modes-on-connect
    <https://www.unrealircd.org/docs/Set_block#set::modes-on-connect>
    for a security group. However this setting happened too early, so
    security groups matching account names or 'identified' (when using
    SASL <https://www.unrealircd.org/docs/SASL>) were not working.
  * |+I ~operclass| was not working properly.
  * Removed confusing "Central blocklist too slow to respond" message
    when using soft bans <https://www.unrealircd.org/docs/Soft_ban> or a
    require authentication block
    <https://www.unrealircd.org/docs/Require_authentication_block>.

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.4 release and hot-patch for crash issue

[Bram M. <sy...@un...>]

Hi everyone,

UnrealIRCd 6.1.0 through 6.1.3 contain a bug which makes it possible for 
a websocket user to crash the IRC server. For the issue to trigger you 
need to have a listen block with websockets enabled.

UnrealIRCd 6.1.4 has been released to fix this issue. However, *NIX 
users can also fix the issue without restart by using a "hot-patch". The 
hot-patch takes less than a minute to install and causes no downtime.

If you just want to apply the hot-patch on *NIX without reading all of 
below, the command to run in your unrealircd directory is:

./unrealircd hot-patch websocket61xcrash

The output should end with "Rehashed succesfully. Patch installed and 
server rehashed correctly. All should be good now!"

This issue was assigned CVE-2023-50784. For the full story with all 
details, see below.

Affected versions & configurations
UnrealIRCd 6.1.0 through 6.1.3 have a buffer overflow issue in the 
websocket handling code. For the issue to trigger you need to have 
websockets enabled, which is popular but not present in the 
default/example configuration.

Websockets are a nice feature to allow web chat directly from a browser 
to the IRC server without any intermediate gateways. If you are unsure 
if you have a listen block with websockets enabled, then search for 
"websocket" (without quotes) in your configuration file(s), such as 
unrealircd.conf. A websocket listen block looks like this in the config 
file:

listen {
     ip *;
     port 8888;
     options { websocket { type text; }; tls; }
}

If you have such a listen block for websockets and are using UnrealIRCd 
6.1.0 through 6.1.3 then you are affected by this bug. If you are using 
an older UnrealIRCd version or you have no listen block for websockets 
then you are not affected.

Besides normal websocket connections, the websocket handling code is 
also reachable by trusted JSON-RPC hosts (such as the UnrealIRCd admin 
panel), but in that case only after authentication by an rpc-user { } 
block. That particular scenario is likely of little interest since 
authenticated rpc-users already have complete power over the ircd, they 
can already gline and kill everyone. It is only mentioned here for 
completeness.

Triggering the bug

Any user who can connect to the websocket port can trigger this bug. The 
bug can be triggered pre-authentication, so before the user is online on 
IRC. This means allow block { } restrictions and similar restrictions 
(including glines) will not protect you.

Now that the patch is out we expect bad actors to read the patch, 
understand how to trigger the crash (which is relatively easy) and 
potentially crash IRC servers in the wild.

Effects of this issue

On all reasonably modern tested Linux distro's this issue is caught by 
"fortified functions", a security feature with which we compile by 
default since 2016, if the compiler supports this. Examples of tested 
safe distro's are Ubuntu 16.04/18.04/20.04/22.04 and Debian 9/10/11. 
When the bug is caught by fortified functions, the buffer overflow is 
prevented but it triggers a crash instead. When testing on FreeBSD and 
Windows, the overflow is not caught but the overflow seems to happen to 
other (harmless) buffers and there is no effect (no crash, nothing).

For 99%+ of the affected servers that have websockets enabled, the 
effect is a crash or no effect. When using very old compilers, or a 
compiler other than gcc/clang, and/or possibly non-Linux, and/or unusual 
architectures, when fortified functions do not catch the issue and in 
the unfortunate event that buffers may have a different layout than 
during our tests we cannot 100% rule out more grave issues. Technically, 
the buffer overflow happens with a "static char" variable which is in 
the isolated data segment of the websocket_common module (.so file), 
making further exploitation beyond a crash unlikely. Again, in none of 
our tests anything beyond a crash was possible.

Recommendations

If you have websockets enabled and are using an affected version, then 
we recommend applying the hot-patch or upgrading to 6.1.4.

The hot-patch will fix the issue without any downtime. To apply the 
hot-patch run the following command:

./unrealircd hot-patch websocket61xcrash

The script should end with the output: "Rehashed succesfully. Patch 
installed and server rehashed correctly. All should be good now!"

It is also safe to run the hot-patch command on unaffected UnrealIRCd 
versions, for example 6.0.7, in which case it will print "This 
UnrealIRCd version does not require that patch".

If you prefer upgrading to 6.1.4 you can download latest UnrealIRCd 
version from www.unrealircd.org <http://www.unrealircd.org>.

On versions 6.1.0 through 6.1.2.3 the hot-patch will fix the websocket 
crash issue. This is git commit b0e87dca 
<https://github.com/unrealircd/unrealircd/commit/b0e87dcafa75f8bced7a0b11dd335e9b7aa86334>.

On version 6.1.3 the hot-patch will fix the websocket crash issue 
(commit b0e87dca 
<https://github.com/unrealircd/unrealircd/commit/b0e87dcafa75f8bced7a0b11dd335e9b7aa86334>) 
and also fix another issue that does not cause a crash but prevents 
websockets from working properly in Chrome and other browsers (fa84174d 
<https://github.com/unrealircd/unrealircd/commit/fa84174d22251fec428b17c0cd1ba2f6a7cbaf86>). 
These two changes are the same two changes between 6.1.3 and 6.1.4.

Checking for the issue remotely
You would have to check for 3 things and all 3 must be true:

 1. A websocket port must be open
 2. UnrealIRCd version must be 6.1.0 through 6.1.3
 3. If you run "MODULE -all" on IRC (lots of output!) then look for the
    version number in the line for websocket_common. If it shows 6.1.4
    then you are patched, any lower version means unpatched.

It is important to point out that if any of the above is not true, then 
you are not vulnerable. For example when you run an old UnrealIRCd 6.0.x 
and MODULE -all outputs 6.0.0 for websocket_common then you are not 
affected.

If you have command line access, then just run the hot-patch commands 
under RECOMMENDATIONS.

Workaround
While not the preferred method of dealing with this, just mentioning for 
completeness:
If you don't want to patch and don't want to upgrade, a possible 
workaround is disabling any listen blocks for websockets.

Cause of the bug
For programmers and users who are curious how this happened. Websockets 
are a binary protocol so have completely different parsing than IRC. 
These packets can also be much longer than regular IRC protocol lines. 
This requires extreme caution when parsing messages. In the websocket 
parsing code, there are two functions: one does a length check to see if 
the packet is larger than the 1st buffer and then the secondary function 
did a memcpy without further length checks in a 2nd buffer. In 
UnrealIRCd 6.0.7 and earlier the length of the 1st buffer is less or 
equal to the 2nd buffer, which was intended, so any oversized packet is 
already rejected by the 1st function and this means the memcpy in the 
2nd function is safe and there is no issue. However, a change in 6.1.0 - 
completely unrelated to websockets - made the 1st buffer much larger 
without changing the size of the 2nd buffer. The same buffer sizes (same 
defines) should have been used at both places, but we didn't. An 
additional factor of confusion is that we have defines for 
"READBUF_SIZE" and "READBUFSIZE" with different sizes. If the one 
without the underscore would be used, there would have been no issue. In 
the final patch we opted for using a different define, to match the 
exact name in both functions which is how it should have been done, but 
that is besides this point.

The issue was not caught by our internal fuzzer because the fuzzer only 
dealt with a single websocket packet at a time. It did not try a 
multiple packets scenario (frame reassembly). After another bug was 
fixed (which had no security impact), the fuzzer was adjusted to also 
try multiple packets. When running the updated fuzzer, to verify the 
former issue was properly fixed, this new issue was triggered immediately.

CVSS score
Based on the crash scenario, the CVSS v3.1 base score is 7.5, temporal 
score 7.2, total score 7.2. 
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C

Timeline
2023-12-13: Issue discovered internally after fixing a related issue in 
a different module, CVE requested
2023-12-14: CVE-2023-50784 assigned, sent out pre-announcement / heads up
2023-12-16: Release of hot-patch and UnrealIRCd 6.1.4

Reference

This post (and any potential updates) is available at 
https://forums.unrealircd.org/viewtopic.php?t=9340

Heads up: important UnrealIRCd hot-fix and release on Saturday (Dec 16, 2023)

[Bram M. <sy...@un...>]

This is a 48+ hours heads up, so UnrealIRCd admins know they should be 
around to patch their server next Saturday:

Internally we discovered a serious issue in UnrealIRCd. In a common 
configuration scenario, a regular user can cause UnrealIRCd to crash, 
which results in all users being disconnected from the server. This 
issue is present in all recent UnrealIRCd releases (the latest 6.1.3, 
but also older ones are affected). At the moment, the risk seems limited 
to a crash only, at least on all tested commonly used Linux variants.

A fixed version, UnrealIRCd 6.1.4, will be released on _*Saturday, 
December 16, 2023, at 16:00 GMT
*_At the same date/time we will also release a "hot patch" so *NIX users 
can fix the issue without restart.

When the fix comes out next Saturday, we suggest admins on *NIX to apply 
the patch immediately (which is possible without downtime and only takes 
a minute) or to upgrade quickly to UnrealIRCd 6.1.4 (e.g. when on 
Windows or if you just feel like upgrading). This is also the reason for 
sending out this pre-announcement with an exact date and time. This way 
people can be "ready" and fix things immediately, minimizing the time 
for bad people potentially crashing IRC servers.

Please understand that until the release at Saturday we cannot provide 
any further information.

UnrealIRCd 6.1.3 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.3 stable. The main 
focus of this release is adding countermeasures against large scale 
spam/drones. We do this by offering a central API which can be used for 
accessing Central Blocklist, Central Spamreport and Central Spamfilter. 
See the release notes below.


      Enhancements:

  * Central anti-spam services:
      o The services from below require a central-api key, which you can
        request here <https://www.unrealircd.org/central-api/>.
      o Central Blocklist
        <https://www.unrealircd.org/docs/Central_Blocklist> is an
        attempt to detect and block spammers. It works similar to DNS
        Blacklists but the central blocklist receives many more details
        about the user that is trying to connect and therefore can make
        a better decision on whether a user is likely a spammer.
      o Central Spamreport
        <https://www.unrealircd.org/docs/Central_spamreport> allows you
        to send spam reports (user details, last sent lines) via the
        |SPAMREPORT| command. This information may then be used to
        improve Central Blocklist
        <https://www.unrealircd.org/docs/Central_Blocklist> and/or
        Central Spamfilter
        <https://www.unrealircd.org/docs/Central_Spamfilter>.
      o The Central Spamfilter
        <https://www.unrealircd.org/docs/Central_Spamfilter>, which
        provides spamfilter { } blocks that are centrally managed, is
        now fetched from a different URL if you have an Central API key
        set. This way, we can later provide spamfilter { } blocks that
        build on central blocklist scoring functionality, and also so we
        don't have to reveal all the central spamfilter blocks to the world.
  * New option |auto| for set::hide-ban-reason
    <https://www.unrealircd.org/docs/Set_block#set::hide-ban-reason>,
    which is now the default. This will hide the *LINE reason to other
    users if the *LINE reason contains the IP of the user, for example
    when it contains a DroneBL URL which has |lookup?ip=XXX|. This to
    protect the privacy of the user. Other possible settings are |no|
    (never hide, the previous default) and |yes| to always hide the
    *LINE reason. In all cases the user affected by the server ban can
    still see the reason and IRCOps too.
  * Make Deny channel
    <https://www.unrealircd.org/docs/Deny_channel_block> support escaped
    sequences like |channel "#xyz\*";| so you can match a literal |*| or
    |?| via |\*| and |\?|.
  * New option listen::options::websocket::allow-origin
    <https://www.unrealircd.org/docs/Listen_block#options_block_(optional)>:
    this allows to restrict websocket connections to a list of websites
    (the sites hosting the HTML/JS page that makes the websocket
    connection). It doesn't /securely/ restrict it though, non-browsers
    will bypass this restriction, but it can still be useful to restrict
    regular webchat users.
  * The Proxy block <https://www.unrealircd.org/docs/Proxy_block>
    already had support for reverse proxying with the |Forwarded|
    header. Now it also properly supports |X-Forwarded-For|. If you
    previously used a proxy block with type |web|, then you now need to
    choose one of the new types explicitly. Note that using a reverse
    proxy for IRC traffic is rare (see the proxy block docs for
    details), but we offer the option.


      Changes:

  * Reserve more file descriptors for internal use. For example, when
    there are 10,000 fd's are available we now reserve 250, and when
    2048 are available we reserve 32. This so we have more fd's
    available to handle things like log files, do HTTPS callbacks to
    blacklists, etc.
  * Get rid of compiler check for modules vs core, this is mostly an
    issue when you are upgrading a system (eg. Linux distro) and it
    would previously make REHASHing impossible after such an upgrade.
    Though, if you are doing a major distro upgrade you can still be
    bitten by things like library removals such as major openssl upgrades.
  * Make |$client.details| in logs follow the ident rules for users in
    the handshake too, so use the |~| prefix if ident lookups are
    enabled and identd fails etc.
  * More validation for operclass names (a-zA-Z0-9_-)
  * Hits for central-blocklist are now broadcasted globally instead of
    staying on the same server.


      Fixes:

  * When using a trusted reverse proxy with the Proxy block
    <https://www.unrealircd.org/docs/Proxy_block>, under some
    circumstances it was possible for end-users to spoof IP's.
  * Crash issue when a module is reloaded (not unloaded) and that module
    no longer provides a particular moddata object, e.g. because it was
    renamed or no longer needed. This is rare, but did happen for one
    third party module recently.
  * The crash reporter was no longer able to submit reports.
  * Module manager <https://www.unrealircd.org/docs/Module_manager> fixes
  * For people running git versions, who did not use 'make clean', 3rd
    party modules were not always automatically recompiled, causing
    potential problems such as crashes.
  * Fix memory leak when unloading a module for good and that module
    provided ModData objects for "unknown users" (users still in the
    handshake).
  * Don't ask to generate TLS certificate if one already exists (issue
    introduced in 6.1.2).


      Developers and protocol:

  * New hooks: |HOOKTYPE_WATCH_ADD|, |HOOKTYPE_WATCH_DEL|,
    |HOOKTYPE_MONITOR_NOTIFICATION|.
  * The hook |HOOKTYPE_IS_HANDSHAKE_FINISHED| is now properly called at
    all places.
  * A new URL API <https://www.unrealircd.org/docs/Dev:URL_API> to
    easily fetch URLs from modules.

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.3-rc1 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The release candidate for 6.1.3 is now available. Help with testing this 
release would be greatly appreciated. Last time the 6.1.2-rc's were 
undertested, which resulted in needing several 6.1.2 fix releases (up to 
6.1.2.3). If you find anything, you can report the bug at 
https://bugs.unrealircd.org<https://bugs.unrealircd.org>.

The main focus of this release is adding countermeasures against large 
scale spam/drones. We do this by offering a central API which can be 
used for accessing Central Blocklist, Central Spamreport and Central 
Spamfilter. See the release notes below.


      Enhancements:

  * Central anti-spam services:
      o The services from below require a central-api key, which you can
        request here <https://www.unrealircd.org/central-api/>.
      o Central Blocklist
        <https://www.unrealircd.org/docs/Central_Blocklist> is an
        attempt to detect and block spammers. It works similar to DNS
        Blacklists but the central blocklist receives many more details
        about the user that is trying to connect and therefore can make
        a better decision on whether a user is likely a spammer.
      o Central Spamreport
        <https://www.unrealircd.org/docs/Central_spamreport> allows you
        to send spam reports (user details, last sent lines) via the
        |SPAMREPORT| command. This information may then be used to
        improve Central Blocklist
        <https://www.unrealircd.org/docs/Central_Blocklist> and/or
        Central Spamfilter
        <https://www.unrealircd.org/docs/Central_Spamfilter>.
      o The Central Spamfilter
        <https://www.unrealircd.org/docs/Central_Spamfilter>, which
        provides spamfilter { } blocks that are centrally managed, is
        now fetched from a different URL if you have an Central API key
        set. This way, we can later provide spamfilter { } blocks that
        build on central blocklist scoring functionality, and also so we
        don't have to reveal all the central spamfilter blocks to the world.
  * New option |auto| for set::hide-ban-reason
    <https://www.unrealircd.org/docs/Set_block#set::hide-ban-reason>,
    which is now the default. This will hide the *LINE reason to other
    users if the *LINE reason contains the IP of the user, for example
    when it contains a DroneBL URL which has |lookup?ip=XXX|. This to
    protect the privacy of the user. Other possible settings are |no|
    (never hide, the previous default) and |yes| to always hide the
    *LINE reason. In all cases the user affected by the server ban can
    still see the reason and IRCOps too.
  * Make Deny channel
    <https://www.unrealircd.org/docs/Deny_channel_block> support escaped
    sequences like |channel "#xyz\*";| so you can match a literal |*| or
    |?| via |\*| and |\?|.
  * New option listen::options::websocket::allow-origin
    <https://www.unrealircd.org/docs/Listen_block#options_block_(optional)>:
    this allows to restrict websocket connections to a list of websites
    (the sites hosting the HTML/JS page that makes the websocket
    connection). It doesn't /securely/ restrict it though, non-browsers
    will bypass this restriction, but it can still be useful to restrict
    regular webchat users.
  * The Proxy block <https://www.unrealircd.org/docs/Proxy_block>
    already had support for reverse proxying with the |Forwarded|
    header. Now it also properly supports |X-Forwarded-For|. If you
    previously used a proxy block with type |web|, then you now need to
    choose one of the new types explicitly. Note that using a reverse
    proxy for IRC traffic is rare (see the proxy block docs for
    details), but we offer the option.


      Changes:

  * Reserve more file descriptors for internal use. For example, when
    there are 10,000 fd's are available we now reserve 250, and when
    2048 are available we reserve 32. This so we have more fd's
    available to handle things like log files, do HTTPS callbacks to
    blacklists, etc.
  * Get rid of compiler check for modules vs core, this is mostly an
    issue when you are upgrading a system (eg. Linux distro) and it
    would previously make REHASHing impossible after such an upgrade.
    Though, if you are doing a major distro upgrade you can still be
    bitten by things like library removals such as major openssl upgrades.
  * Make |$client.details| in logs follow the ident rules for users in
    the handshake too, so use the |~| prefix if ident lookups are
    enabled and identd fails etc.
  * More validation for operclass names (a-zA-Z0-9_-)
  * Hits for central-blocklist are now broadcasted globally instead of
    staying on the same server.


      Fixes:

  * Crash issue when a module is reloaded (not unloaded) and that module
    no longer provides a particular moddata object, e.g. because it was
    renamed or no longer needed. This is rare, but did happen for one
    third party module recently.
  * The crash reporter was no longer able to submit reports.
  * Module manager <https://www.unrealircd.org/docs/Module_manager> fixes
  * For people running git versions, who did not use 'make clean', 3rd
    party modules were not always automatically recompiled, causing
    potential problems such as crashes.
  * Fix memory leak when unloading a module for good and that module
    provided ModData objects for "unknown users" (users still in the
    handshake).
  * Don't ask to generate TLS certificate if one already exists (issue
    introduced in 6.1.2).


      Developers and protocol:

  * New hooks: |HOOKTYPE_WATCH_ADD|, |HOOKTYPE_WATCH_DEL|,
    |HOOKTYPE_MONITOR_NOTIFICATION|.
  * The hook |HOOKTYPE_IS_HANDSHAKE_FINISHED| is now properly called at
    all places.
  * A new URL API <https://www.unrealircd.org/docs/Dev:URL_API> to
    easily fetch URLs from modules.

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2.3 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

Another dot release: UnrealIRCd 6.1.2.3. This dot release fixes a 
possible crash if you have parse errors in your conf and REHASH. Also, 
if you use UTF8 regexes in spamfilter { } blocks (which is a new feature 
in 6.1.2) then these were not working when booting the IRCd but they 
would work after a REHASH. The problem with this is that if you were 
happily adding UTF8 spamfilter blocks you could create an unbootable 
IRCd until you removed those spamfilter blocks. This is fixed now. Two 
changes are: fixing ::exclude-security-group which was not working and 
we now give DNSBL lookups some more time.

If you are already on a previous 6.1.2.x then there may be little need 
to upgrade, though there is that potential crash when you typo your 
config file, like a missing ; or }. For new installations, we do 
recommend using 6.1.2.3 and not an older 6.1.2.x.

The original UnrealIRCd 6.1.2 release notes are below:


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL.
      o This is controlled via set::blacklist::recheck-time
        <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
        and can also be set to |never| if you don't want rechecking.
      o To skip checking for specific blacklists, you can set
        blacklist::recheck
        <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
  * The reputation score
    <https://www.unrealircd.org/docs/Reputation_score> of connected
    users (actually IP's) is increased every 5 minutes. We still do
    this, but only for users who are at least in one channel that has 3
    or more members. This setting is tweakable via
    set::reputation::score-bump-timer-minimum-channel-members
    <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting
    this to 0 means to bump scores also for people who are in no
    channels at all, which was the behavior in previous UnrealIRCd versions.
    Note: this new feature won't work properly when you have any older
    UnrealIRCd servers on the network (older than 6.1.2), as the older
    servers will still bump scores for everyone, including users in no
    channels, and this higher score will get synced back eventually to
    all other servers.
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count normal hits and count hits for
        except users. The idea is that the hits for except users can be
        a useful measurement to detect false positives. These hit counts
        are exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or change the value of one. It also supports
            changing the reputation score
            <https://www.unrealircd.org/docs/Reputation_score>.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled by default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |

  * A new |~flood| extended ban
    <https://www.unrealircd.org/docs/Extended_bans>. This mode allows
    you to exempt users from channel mode |+f| and |+F|. It was actually
    added in a previous version (6.1.0) but never made it to the release
    notes. The syntax is: ~flood:types:mask, where /types/ are the same
    letters as used in channel mode +f
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>.
    Example: |+e ~flood:t:*!*@*.textflood.example.org|


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * Temporary high CPU usage (99%) under some conditions.
  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.
  * A leading slash was silently stripped in config file items, when not
    in quotes.
  * |./unrealircd module upgrade| only showed output for one module
    upgrade, even when multiple modules were upgraded.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2.2 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

Another dot release: UnrealIRCd 6.1.2.2. I figured it would be best to 
get this out before more people upgrade over the weekend.

The opt-in Central Spamfilter 
<https://www.unrealircd.org/docs/Central_Spamfilter> has its first rules 
deployed now which triggered a bug in tkldb accidentally storing these 
central spamfilters in db, causing duplicates to show up in "STATS 
spamfilter" after a restart. Also, now that there are more users using 
6.1.2.x, we got reports of a crash while booting if you previously used 
spamfilters with non-UTF8 characters in them (this is pretty rare on 
most networks), and a possible crash with SETNAME when using the 
SPAMFILTER 'u' target. This dot release also adds a "REHASH 
-centralspamfilter" command.

If you already upgraded to 6.1.2.1 from two days ago, then the tkldb 
issue and the crash bugs can also be hot-patched on *NIX without needing 
a restart, by running:
./unrealircd hot-patch 6121
That command fixes the crashbugs and tkldb issue but your version will 
stay visible as 6.1.2.1.

For users of older versions (eg 6.1.1), you can upgrade to 6.1.2.x 
whenever you feel like it. Either by downloading the .tar.gz or by running:
./unrealircd upgrade

The original UnrealIRCd 6.1.2 release notes are below:


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL.
      o This is controlled via set::blacklist::recheck-time
        <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
        and can also be set to |never| if you don't want rechecking.
      o To skip checking for specific blacklists, you can set
        blacklist::recheck
        <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
  * The reputation score
    <https://www.unrealircd.org/docs/Reputation_score> of connected
    users (actually IP's) is increased every 5 minutes. We still do
    this, but only for users who are at least in one channel that has 3
    or more members. This setting is tweakable via
    set::reputation::score-bump-timer-minimum-channel-members
    <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting
    this to 0 means to bump scores also for people who are in no
    channels at all, which was the behavior in previous UnrealIRCd versions.
    Note: this new feature won't work properly when you have any older
    UnrealIRCd servers on the network (older than 6.1.2), as the older
    servers will still bump scores for everyone, including users in no
    channels, and this higher score will get synced back eventually to
    all other servers.
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count normal hits and count hits for
        except users. The idea is that the hits for except users can be
        a useful measurement to detect false positives. These hit counts
        are exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or change the value of one. It also supports
            changing the reputation score
            <https://www.unrealircd.org/docs/Reputation_score>.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled by default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |

  * A new |~flood| extended ban
    <https://www.unrealircd.org/docs/Extended_bans>. This mode allows
    you to exempt users from channel mode |+f| and |+F|. It was actually
    added in a previous version (6.1.0) but never made it to the release
    notes. The syntax is: ~flood:types:mask, where /types/ are the same
    letters as used in channel mode +f
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>.
    Example: |+e ~flood:t:*!*@*.textflood.example.org|


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * Temporary high CPU usage (99%) under some conditions.
  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.
  * A leading slash was silently stripped in config file items, when not
    in quotes.
  * |./unrealircd module upgrade| only showed output for one module
    upgrade, even when multiple modules were upgraded.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2.1 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.2.1 stable. This 
release focuses on adding spamfilter features but also contains various 
other new features and some fixes.

This release is a little ahead of schedule because I had the impression 
that the Release Candidate(s) were not being tested much, so then there 
is no point in delaying the stable release anymore.
UPDATE: And indeed, only after 6.1.2 stable release people started using 
it. A crash issue was found when using spamfilter::rule. So, a quick 
release again today to minimize the affected people by that issue. This 
6.1.2.1 fixes that bug.


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL.
      o This is controlled via set::blacklist::recheck-time
        <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
        and can also be set to |never| if you don't want rechecking.
      o To skip checking for specific blacklists, you can set
        blacklist::recheck
        <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
  * The reputation score
    <https://www.unrealircd.org/docs/Reputation_score> of connected
    users (actually IP's) is increased every 5 minutes. We still do
    this, but only for users who are at least in one channel that has 3
    or more members. This setting is tweakable via
    set::reputation::score-bump-timer-minimum-channel-members
    <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting
    this to 0 means to bump scores also for people who are in no
    channels at all, which was the behavior in previous UnrealIRCd versions.
    Note: this new feature won't work properly when you have any older
    UnrealIRCd servers on the network (older than 6.1.2), as the older
    servers will still bump scores for everyone, including users in no
    channels, and this higher score will get synced back eventually to
    all other servers.
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count normal hits and count hits for
        except users. The idea is that the hits for except users can be
        a useful measurement to detect false positives. These hit counts
        are exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or change the value of one. It also supports
            changing the reputation score
            <https://www.unrealircd.org/docs/Reputation_score>.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled by default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |

  * A new |~flood| extended ban
    <https://www.unrealircd.org/docs/Extended_bans>. This mode allows
    you to exempt users from channel mode |+f| and |+F|. It was actually
    added in a previous version (6.1.0) but never made it to the release
    notes. The syntax is: ~flood:types:mask, where /types/ are the same
    letters as used in channel mode +f
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>.
    Example: |+e ~flood:t:*!*@*.textflood.example.org|


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * Temporary high CPU usage (99%) under some conditions.
  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.
  * A leading slash was silently stripped in config file items, when not
    in quotes.
  * |./unrealircd module upgrade| only showed output for one module
    upgrade, even when multiple modules were upgraded.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.2 stable. This 
release focuses on adding spamfilter features but also contains various 
other new features and some fixes.

This release is a little ahead of schedule because I had the impression 
that the Release Candidate(s) were not being tested much, so then there 
is no point in delaying the stable release anymore.


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL.
      o This is controlled via set::blacklist::recheck-time
        <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
        and can also be set to |never| if you don't want rechecking.
      o To skip checking for specific blacklists, you can set
        blacklist::recheck
        <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
  * The reputation score
    <https://www.unrealircd.org/docs/Reputation_score> of connected
    users (actually IP's) is increased every 5 minutes. We still do
    this, but only for users who are at least in one channel that has 3
    or more members. This setting is tweakable via
    set::reputation::score-bump-timer-minimum-channel-members
    <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting
    this to 0 means to bump scores also for people who are in no
    channels at all, which was the behavior in previous UnrealIRCd versions.
    Note: this new feature won't work properly when you have any older
    UnrealIRCd servers on the network (older than 6.1.2), as the older
    servers will still bump scores for everyone, including users in no
    channels, and this higher score will get synced back eventually to
    all other servers.
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count normal hits and count hits for
        except users. The idea is that the hits for except users can be
        a useful measurement to detect false positives. These hit counts
        are exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or change the value of one. It also supports
            changing the reputation score
            <https://www.unrealircd.org/docs/Reputation_score>.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled by default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |

  * A new |~flood| extended ban
    <https://www.unrealircd.org/docs/Extended_bans>. This mode allows
    you to exempt users from channel mode |+f| and |+F|. It was actually
    added in a previous version (6.1.0) but never made it to the release
    notes. The syntax is: ~flood:types:mask, where /types/ are the same
    letters as used in channel mode +f
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>.
    Example: |+e ~flood:t:*!*@*.textflood.example.org|


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * Temporary high CPU usage (99%) under some conditions.
  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.
  * A leading slash was silently stripped in config file items, when not
    in quotes.
  * |./unrealircd module upgrade| only showed output for one module
    upgrade, even when multiple modules were upgraded.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2-rc2 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second release candidate for 6.1.2 is now available for testing. You 
can help us by testing and reporting any issues at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>. If enough 
people help with testing, then hopefully we can release 6.1.2 in a month 
or so.

This release mainly focuses on adding spamfilter features but also 
contains fixes and other new features. See the release notes below.

Compared to -rc1, this -rc2 includes a feature which limits reputation 
score bumping for users not in any channels, supports reputation setting 
via the REPUTATION command, fixes a display issue when using 
./unrealircd module upgrade, fixes an issue with unquoted leading 
slashes in the configuration file, add documentation for 
set::blacklist::recheck-time and extban ~flood, and updates example conf 
with new windows commands for mkpasswd/gencloak/spkifp.


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL.
      o This is controlled via set::blacklist::recheck-time
        <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
        and can also be set to |never| if you don't want rechecking.
      o To skip checking for specific blacklists, you can set
        blacklist::recheck
        <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
  * The reputation score
    <https://www.unrealircd.org/docs/Reputation_score> of connected
    users (actually IP's) is increased every 5 minutes. We still do
    this, but only for users who are at least in one channel that has 3
    or more members. This setting is tweakable via
    set::reputation::score-bump-timer-minimum-channel-members
    <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting
    this to 0 means to bump scores also for people who are in no
    channels at all, which was the behavior in previous UnrealIRCd versions.
    Note: this new feature won't work properly when you have any older
    UnrealIRCd servers on the network (older than 6.1.2), as the older
    servers will still bump scores for everyone, including users in no
    channels, and this higher score will get synced back eventually to
    all other servers.
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count normal hits and count hits for
        except users. The idea is that the hits for except users can be
        a useful measurement to detect false positives. These hit counts
        are exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or change the value of one. It also supports
            changing the reputation score
            <https://www.unrealircd.org/docs/Reputation_score>.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled by default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |

  * A new |~flood| extended ban
    <https://www.unrealircd.org/docs/Extended_bans>. This mode allows
    you to exempt users from channel mode |+f| and |+F|. It was actually
    added in a previous version (6.1.0) but never made it to the release
    notes. The syntax is: ~flood:types:mask, where /types/ are the same
    letters as used in channel mode +f
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>.
    Example: |+e ~flood:t:*!*@*.textflood.example.org|


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.
  * A leading slash was silently stripped in config file items, when not
    in quotes.
  * |./unrealircd module upgrade| only showed output for one module
    upgrade, even when multiple modules were upgraded.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2-rc1 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The release candidate for 6.1.2 is now available for testing. You can 
help us by testing and reporting any issues at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>.

This release mainly focuses on adding spamfilter features but also 
contains fixes and other new features. See the release notes below.


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL. This is controlled via
    set::blacklist::recheck-time
    <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count hits and hits for except users.
        The idea is that the hits for except users can be a useful
        measurement to detect false positives. These hitcounts are
        exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or increasing the value of one.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

Wave of spam hits IRC

[Bram M. <sy...@un...>]

This is a bit of an unusual post, as it is not an UnrealIRCd release. 
However, many IRC networks were hit by a wave of spam past few days.

The spam uses this tool https://github.com/acidvegas/efknockr 
<https://github.com/acidvegas/efknockr> and the text ranges from simple 
phrases about SUPERNETS to ASCII art, colors, all kinds of stuff, being 
spammed in both channels and private message.
What sets this spam aside is not so much the content or that it exists, 
but that it affects so many IRC networks.

I have started a forum thread at 
https://forums.unrealircd.org/viewtopic.php?t=9318 with some tips that 
could possibly help and a new module. I myself have mostly been working 
on long-term solutions for spam and have not been involved much in 
combating this particular spam, but the forum thread is an invitation to 
discuss things by everyone. The current tips mentioned there are not a 
100% solution at the moment but it should be a good start.

If there are any major updates, like new tools or great tips, i will 
keep them on the forum and not post to this mailing list again, since 
this unreal-notify mailing list is meant to be low-volume and actually 
only for release announcements.

Best regards,

Bram

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6