unreal-notify

UnrealIRCd 6.1.2.2 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

Another dot release: UnrealIRCd 6.1.2.2. I figured it would be best to 
get this out before more people upgrade over the weekend.

The opt-in Central Spamfilter 
<https://www.unrealircd.org/docs/Central_Spamfilter> has its first rules 
deployed now which triggered a bug in tkldb accidentally storing these 
central spamfilters in db, causing duplicates to show up in "STATS 
spamfilter" after a restart. Also, now that there are more users using 
6.1.2.x, we got reports of a crash while booting if you previously used 
spamfilters with non-UTF8 characters in them (this is pretty rare on 
most networks), and a possible crash with SETNAME when using the 
SPAMFILTER 'u' target. This dot release also adds a "REHASH 
-centralspamfilter" command.

If you already upgraded to 6.1.2.1 from two days ago, then the tkldb 
issue and the crash bugs can also be hot-patched on *NIX without needing 
a restart, by running:
./unrealircd hot-patch 6121
That command fixes the crashbugs and tkldb issue but your version will 
stay visible as 6.1.2.1.

For users of older versions (eg 6.1.1), you can upgrade to 6.1.2.x 
whenever you feel like it. Either by downloading the .tar.gz or by running:
./unrealircd upgrade

The original UnrealIRCd 6.1.2 release notes are below:


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL.
      o This is controlled via set::blacklist::recheck-time
        <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
        and can also be set to |never| if you don't want rechecking.
      o To skip checking for specific blacklists, you can set
        blacklist::recheck
        <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
  * The reputation score
    <https://www.unrealircd.org/docs/Reputation_score> of connected
    users (actually IP's) is increased every 5 minutes. We still do
    this, but only for users who are at least in one channel that has 3
    or more members. This setting is tweakable via
    set::reputation::score-bump-timer-minimum-channel-members
    <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting
    this to 0 means to bump scores also for people who are in no
    channels at all, which was the behavior in previous UnrealIRCd versions.
    Note: this new feature won't work properly when you have any older
    UnrealIRCd servers on the network (older than 6.1.2), as the older
    servers will still bump scores for everyone, including users in no
    channels, and this higher score will get synced back eventually to
    all other servers.
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count normal hits and count hits for
        except users. The idea is that the hits for except users can be
        a useful measurement to detect false positives. These hit counts
        are exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or change the value of one. It also supports
            changing the reputation score
            <https://www.unrealircd.org/docs/Reputation_score>.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled by default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |

  * A new |~flood| extended ban
    <https://www.unrealircd.org/docs/Extended_bans>. This mode allows
    you to exempt users from channel mode |+f| and |+F|. It was actually
    added in a previous version (6.1.0) but never made it to the release
    notes. The syntax is: ~flood:types:mask, where /types/ are the same
    letters as used in channel mode +f
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>.
    Example: |+e ~flood:t:*!*@*.textflood.example.org|


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * Temporary high CPU usage (99%) under some conditions.
  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.
  * A leading slash was silently stripped in config file items, when not
    in quotes.
  * |./unrealircd module upgrade| only showed output for one module
    upgrade, even when multiple modules were upgraded.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2.1 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.2.1 stable. This 
release focuses on adding spamfilter features but also contains various 
other new features and some fixes.

This release is a little ahead of schedule because I had the impression 
that the Release Candidate(s) were not being tested much, so then there 
is no point in delaying the stable release anymore.
UPDATE: And indeed, only after 6.1.2 stable release people started using 
it. A crash issue was found when using spamfilter::rule. So, a quick 
release again today to minimize the affected people by that issue. This 
6.1.2.1 fixes that bug.


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL.
      o This is controlled via set::blacklist::recheck-time
        <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
        and can also be set to |never| if you don't want rechecking.
      o To skip checking for specific blacklists, you can set
        blacklist::recheck
        <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
  * The reputation score
    <https://www.unrealircd.org/docs/Reputation_score> of connected
    users (actually IP's) is increased every 5 minutes. We still do
    this, but only for users who are at least in one channel that has 3
    or more members. This setting is tweakable via
    set::reputation::score-bump-timer-minimum-channel-members
    <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting
    this to 0 means to bump scores also for people who are in no
    channels at all, which was the behavior in previous UnrealIRCd versions.
    Note: this new feature won't work properly when you have any older
    UnrealIRCd servers on the network (older than 6.1.2), as the older
    servers will still bump scores for everyone, including users in no
    channels, and this higher score will get synced back eventually to
    all other servers.
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count normal hits and count hits for
        except users. The idea is that the hits for except users can be
        a useful measurement to detect false positives. These hit counts
        are exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or change the value of one. It also supports
            changing the reputation score
            <https://www.unrealircd.org/docs/Reputation_score>.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled by default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |

  * A new |~flood| extended ban
    <https://www.unrealircd.org/docs/Extended_bans>. This mode allows
    you to exempt users from channel mode |+f| and |+F|. It was actually
    added in a previous version (6.1.0) but never made it to the release
    notes. The syntax is: ~flood:types:mask, where /types/ are the same
    letters as used in channel mode +f
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>.
    Example: |+e ~flood:t:*!*@*.textflood.example.org|


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * Temporary high CPU usage (99%) under some conditions.
  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.
  * A leading slash was silently stripped in config file items, when not
    in quotes.
  * |./unrealircd module upgrade| only showed output for one module
    upgrade, even when multiple modules were upgraded.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.2 stable. This 
release focuses on adding spamfilter features but also contains various 
other new features and some fixes.

This release is a little ahead of schedule because I had the impression 
that the Release Candidate(s) were not being tested much, so then there 
is no point in delaying the stable release anymore.


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL.
      o This is controlled via set::blacklist::recheck-time
        <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
        and can also be set to |never| if you don't want rechecking.
      o To skip checking for specific blacklists, you can set
        blacklist::recheck
        <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
  * The reputation score
    <https://www.unrealircd.org/docs/Reputation_score> of connected
    users (actually IP's) is increased every 5 minutes. We still do
    this, but only for users who are at least in one channel that has 3
    or more members. This setting is tweakable via
    set::reputation::score-bump-timer-minimum-channel-members
    <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting
    this to 0 means to bump scores also for people who are in no
    channels at all, which was the behavior in previous UnrealIRCd versions.
    Note: this new feature won't work properly when you have any older
    UnrealIRCd servers on the network (older than 6.1.2), as the older
    servers will still bump scores for everyone, including users in no
    channels, and this higher score will get synced back eventually to
    all other servers.
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count normal hits and count hits for
        except users. The idea is that the hits for except users can be
        a useful measurement to detect false positives. These hit counts
        are exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or change the value of one. It also supports
            changing the reputation score
            <https://www.unrealircd.org/docs/Reputation_score>.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled by default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |

  * A new |~flood| extended ban
    <https://www.unrealircd.org/docs/Extended_bans>. This mode allows
    you to exempt users from channel mode |+f| and |+F|. It was actually
    added in a previous version (6.1.0) but never made it to the release
    notes. The syntax is: ~flood:types:mask, where /types/ are the same
    letters as used in channel mode +f
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>.
    Example: |+e ~flood:t:*!*@*.textflood.example.org|


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * Temporary high CPU usage (99%) under some conditions.
  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.
  * A leading slash was silently stripped in config file items, when not
    in quotes.
  * |./unrealircd module upgrade| only showed output for one module
    upgrade, even when multiple modules were upgraded.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2-rc2 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second release candidate for 6.1.2 is now available for testing. You 
can help us by testing and reporting any issues at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>. If enough 
people help with testing, then hopefully we can release 6.1.2 in a month 
or so.

This release mainly focuses on adding spamfilter features but also 
contains fixes and other new features. See the release notes below.

Compared to -rc1, this -rc2 includes a feature which limits reputation 
score bumping for users not in any channels, supports reputation setting 
via the REPUTATION command, fixes a display issue when using 
./unrealircd module upgrade, fixes an issue with unquoted leading 
slashes in the configuration file, add documentation for 
set::blacklist::recheck-time and extban ~flood, and updates example conf 
with new windows commands for mkpasswd/gencloak/spkifp.


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL.
      o This is controlled via set::blacklist::recheck-time
        <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
        and can also be set to |never| if you don't want rechecking.
      o To skip checking for specific blacklists, you can set
        blacklist::recheck
        <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
  * The reputation score
    <https://www.unrealircd.org/docs/Reputation_score> of connected
    users (actually IP's) is increased every 5 minutes. We still do
    this, but only for users who are at least in one channel that has 3
    or more members. This setting is tweakable via
    set::reputation::score-bump-timer-minimum-channel-members
    <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting
    this to 0 means to bump scores also for people who are in no
    channels at all, which was the behavior in previous UnrealIRCd versions.
    Note: this new feature won't work properly when you have any older
    UnrealIRCd servers on the network (older than 6.1.2), as the older
    servers will still bump scores for everyone, including users in no
    channels, and this higher score will get synced back eventually to
    all other servers.
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count normal hits and count hits for
        except users. The idea is that the hits for except users can be
        a useful measurement to detect false positives. These hit counts
        are exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or change the value of one. It also supports
            changing the reputation score
            <https://www.unrealircd.org/docs/Reputation_score>.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled by default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |

  * A new |~flood| extended ban
    <https://www.unrealircd.org/docs/Extended_bans>. This mode allows
    you to exempt users from channel mode |+f| and |+F|. It was actually
    added in a previous version (6.1.0) but never made it to the release
    notes. The syntax is: ~flood:types:mask, where /types/ are the same
    letters as used in channel mode +f
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>.
    Example: |+e ~flood:t:*!*@*.textflood.example.org|


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.
  * A leading slash was silently stripped in config file items, when not
    in quotes.
  * |./unrealircd module upgrade| only showed output for one module
    upgrade, even when multiple modules were upgraded.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

UnrealIRCd 6.1.2-rc1 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The release candidate for 6.1.2 is now available for testing. You can 
help us by testing and reporting any issues at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>.

This release mainly focuses on adding spamfilter features but also 
contains fixes and other new features. See the release notes below.


      Enhancements:

  * We now give tips on (security) best practices depending on settings
    in your configuration file, such as using plaintext oper passwords
    in the config file. It is generally suggested to follow this advice,
    but you could disable such advice via set::best-practices
    <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
  * security-group { } block
    <https://www.unrealircd.org/docs/Security-group_block> and mask item
    <https://www.unrealircd.org/docs/Mask_item> enhancements:
      o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
      o Add support for Crule <https://www.unrealircd.org/docs/Crule> to
        allow things like |rule "inchannel('@#main')||reputation()>1000";|
  * DNS Blacklists are now checked again some time after the user is
    connected. This will kill/ban users who are already online and got
    blacklisted later by for example DroneBL. This is controlled via
    set::blacklist::recheck-time
    <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time>
  * spamfilter { } block
    <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
      o Spamfilters now always run, even for users that are exempt via a
        except ban block
        <https://www.unrealircd.org/docs/Except_ban_block> with |type
        spamfilter|. However, for exempt users no action is taken or
        logged. This allows us to count hits and hits for except users.
        The idea is that the hits for except users can be a useful
        measurement to detect false positives. These hitcounts are
        exposed in |SPAMFILTER| and |STATS spamfilter|.
      o Optional items allowing more complex rules:
          + spamfilter::rule
            <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>:
            with minimal 'if'-like preconditions and functions. If this
            returns false then the spamfilter will not run at all (no hit).
          + spamfilter::except: this is meant as an alternative to
            'rule' and works like a regular except item
            <https://www.unrealircd.org/docs/Mask_item>. If this
            matches, then the spamfilter will not run at all (no hit).
      o New target type |raw| (or |R| on IRC) to match a raw command /
        IRC protocol line (except message tags), such as |LIST*|.
        Naturally one needs to be very careful with these since a wrong
        filter could cause all/essential traffic to be rejected.
      o The |action| item now supports multiple actions:
          + A new action |stop| to stop other spamfilters from processing.
          + A new action |set| to set a TAG
            <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags>
            on a user, or increasing the value of one.
          + A new action |report| to call a spamreport block, see next.
  * A new spamreport { } block
    <https://www.unrealircd.org/docs/Spamreport_block>:
      o This can do a HTTP(S) call to services like DroneBL to report
        spam hits, so they can blacklist the IP address and other users
        on IRC can benefit.
  * Optional Central Spamfilter
    <https://www.unrealircd.org/docs/Central_spamfilter>: This will
    fetch and refresh spamfilter rules every hour from unrealircd.org.
      o This feature is not enabled default. Use |set {
        central-spamfilter { enabled yes; } }| to enable.
      o set::central-spamfilter::feed decides which feed to use: |fast|
        for early access to spamfilter rules that are new, and
        |standard| (the default) for rules that have been in fast for a
        while.
      o set::central-spamfilter::except defines who will never be
        affected by central spamfilters. By default it is: users with a
        reputation score of more than 2016 (7 days online unregged, or
        3.5 days as identified user) or having a host of *.irccloud.com.
        Spam matches for users that fall in this ::except group are
        counted as false positives and no action is taken or logged.
      o See the Central Spamfilter
        <https://www.unrealircd.org/docs/Central_spamfilter> article for
        the disclaimer and all other options you can set.
  * set::spamfilter::utf8
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is
    now on by default:
      o This means you can safely use UTF8 characters in like |[]| in regex.
      o Case insensitive matches work better. For example, for extended
        Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o You can turn it off via: |set { spamfilter { utf8 no; } }|
  * Via set::spamfilter::show-message-content-on-hit
    <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit>
    you can now configure to hide the message content in spamfilter hit
    messages. Generally it is very useful to see if a spamfilter hit is
    correct or not, so the default is 'always', but it also has privacy
    implications so there is now this option to disable it.
  * You can restrict includes to only contain certain blocks, the style is:

    |include "some-file-or-url" { restrict-config { name-of-block;
    name-of-block2; } } |


      Changes:

  * We now compile the argon2 library shipped with UnrealIRCd by
    default, because it is often two times faster than the OS library.
    If you don't want this, which would be quite rare but for example
    because you are packaging UnrealIRCd as a .deb or .rpm, then you can
    use |--with-system-argon2| as a configure option.
  * The argon2 parameters have been lowered a bit, this so the hashing
    speed is acceptable for our purposes.


      Fixes:

  * UnrealIRCd has watch away notification since 2008, this is indicated
    in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually
    use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was
    a bug where it would not always correctly inform about the away
    status, that bug has now been fixed.
  * On 32 bit architectures you can now use more than 32 channel modes.
  * Set block for a security group
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>:
    was not working for the |unknown-users| group.


      Developers and protocol:

  * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits
    for users that are exempt, two counters inserted right before the
    last argument (the regex).
  * Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/

Wave of spam hits IRC

[Bram M. <sy...@un...>]

This is a bit of an unusual post, as it is not an UnrealIRCd release. 
However, many IRC networks were hit by a wave of spam past few days.

The spam uses this tool https://github.com/acidvegas/efknockr 
<https://github.com/acidvegas/efknockr> and the text ranges from simple 
phrases about SUPERNETS to ASCII art, colors, all kinds of stuff, being 
spammed in both channels and private message.
What sets this spam aside is not so much the content or that it exists, 
but that it affects so many IRC networks.

I have started a forum thread at 
https://forums.unrealircd.org/viewtopic.php?t=9318 with some tips that 
could possibly help and a new module. I myself have mostly been working 
on long-term solutions for spam and have not been involved much in 
combating this particular spam, but the forum thread is an invitation to 
discuss things by everyone. The current tips mentioned there are not a 
100% solution at the moment but it should be a good start.

If there are any major updates, like new tools or great tips, i will 
keep them on the forum and not post to this mailing list again, since 
this unreal-notify mailing list is meant to be low-volume and actually 
only for release announcements.

Best regards,

Bram

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.1.1.1 released

[Bram M. <sy...@un...>]

Hi everyone,

Just a small note: i just released 6.1.1.1 to fix a small bug in 6.1.1 
that is rather specific and probably only affects 1-2% of users, but still:
If a WEBIRC gateway was on IPv6 and was introducing/spoofing an IPv4 
user then the maxperip handling would be incorrect and would also cause 
a small memory leak. The same is the case for if the WEBIRC gateway was 
on IPv4 and it was introducing/spoofing an IPv6 user. I decided to 
release a 6.1.1.1 immediately so new installations from this point won't 
be affected by this bug. Of the 100 people who downloaded 6.1.1 already 
only 1 complained. The bug is very visible with a 
BUG_DECREASE_IPUSERS_BUCKET IRCOp notice when affected user(s) quit so 
it is hard to miss. My advice: if you already installed 6.1.1 then only 
upgrade from 6.1.1 to 6.1.1.1 if this issue really affects you. 
Otherwise, don't bother.

The original 6.1.1 announcement is below:

I'm happy to announce the release of UnrealIRCd 6.1.1 stable. This 
release comes with various bug fixes and performance improvements, 
especially for channels with thousands of users.

It also has more options to override settings per security group, for 
example if you want to give trusted users or bots more rights or higher 
flood rates than regular users. All these options are now in a single 
Special users <https://www.unrealircd.org/docs/Special_users> article on 
the wiki.

Other notable features are showing better connection errors to SSL/TLS 
users and a new proxy { } block for websocket reverse proxies.

See the full release notes below. As usual on *NIX you can upgrade 
easily with the command: ./unrealircd upgrade

Reminder: UnrealIRCd 5 is no longer supported 
<https://www.unrealircd.org/docs/UnrealIRCd_5_EOL> after July 1, 2023. 
Admins should upgrade to UnrealIRCd 6.


      Enhancements:

Enhancements:

  * Two new features that are conditionally on:
      o SSL/TLS users will now correctly receive the error message if
        they are rejected due to throttling (connect-flood) and some
        other situations.
      o DNS lookups are done before throttling. This allows exempting a
        hostname from both maxperip and connect-flood restrictions.
        A good example for IRCCloud would be:

        |except ban { mask *.irccloud.com; type { maxperip;
        connect-flood; } }|

      o Both features are temporarily disabled whenever a high rate of
        connection attempts
        <https://www.unrealircd.org/docs/FAQ#hi-conn-rate> is detected,
        to save CPU and other resources during such an attack. The
        default rate is 1000 per second, so this would be unusual to
        trigger accidentally.
  * It is now possible to override some set settings
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>
    per-security group by having a set block with a name, like set
    unknown-users { }
      o You could use this to set more limitations for unknown-users:

        |set unknown-users { max-channels-per-user 5; static-quit
        "Quit"; static-part yes; } |

      o Or to set higher values (higher than the normal set block) for
        trusted users:

        |security-group trusted-bots { account { BotOne; BotTwo; } } set
        trusted-bots { max-channels-per-user 25; }|

      o Currently the following settings can be used in a set xxx { }
        block: set::auto-join, set::modes-on-connect,
        set::restrict-usermodes, set::max-channels-per-user,
        set::static-quit, set::static-part.
      o See also Special users
        <https://www.unrealircd.org/docs/Special_users> in the
        documentation for applying settings to a security groups.
  * New |proxy { }| block <https://www.unrealircd.org/docs/Proxy_block>
    that can be used for spoofing IP addresses when:
      o Reverse proxying websocket connections (eg. via NGINX, a load
        balancer or other reverse proxy)
      o WEBIRC/CGI:IRC gateways. This will replace the old |webirc { }|
        block in the future, though the old one will still work for now.
  * New setting set::handshake-boot-delay
    <https://www.unrealircd.org/docs/Set_block#set%3A%3Ahandshake-boot-delay>
    which allows server linking autoconnects to kick in (and incoming
    servers on serversonly ports), before allowing clients in. This
    potentially avoids part of the mess when initially linking on-boot.
    This option is not turned on by default, you have to set it explicitly.
      o This is not a useful feature on hubs, as they don't have clients.
      o It can be useful on client servers, if you |autoconnect| to your
        hub.
      o If you connect services to a server with clients this can be
        useful as well, especially in single-server setups. You would
        have to set a low |retrywait| in your anope conf (or similar
        services package) of like |5s| instead of the default |60s|.
        Then after an IRCd restart, your services link in before your
        clients and your IRC users have SASL available straight from the
        start.
  * JSON-RPC:
      o New call |log.list|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.list> to fetch
        past 1000 log entries. This functionality is only loaded if you
        include |rpc.modules.default.conf|, so not wasting any memory on
        servers that are not used for JSON-RPC.


      Changes:

  * set::topic-setter
    <https://www.unrealircd.org/docs/Set_block#set::topic-setter> and
    set::ban-setter
    <https://www.unrealircd.org/docs/Set_block#set::ban-setter> are now
    by default set to |nick-user-host| instead of |nick|, so you can see
    the full nick!user@host of who set the topic/ban/exempt/invex.
  * You can no longer (accidentally) load an old |modules.default.conf|.
    People must always use the shipped version of this file as the file
    VERY clearly says in the beginning (see also that file for
    instructions on how to deal with customizations). People run into
    lots of (strange) problems, not only missing nice new functionality,
    but also Services not working because the svslogin module is not
    loaded, etc.
    Usually mistakes with an old modules.default.conf are not
    deliberate, like a cp *.conf of an old installation, so this error
    should be helpful for those users (who otherwise tend to bang their
    head for hours).
  * Some small DNS performance improvements:
      o We now 'negatively cache' unresolved hosts for 60 seconds.
      o The maximum number of cached records (positive and negative) was
        raised to 4096.
      o We no longer use "search domains" to avoid silly lookups for
        like |4.3.2.1.dnsbl.dronebl.org.mydomain.org|.
  * Data buffer chunks bumped from 512 bytes to ~4K. This results in
    less write calls (lower CPU usage) and more data per TCP/IP packet.
  * We now cache sending of lines in |sendto_channel| via a new
    "LineCache" system. It saves CPU on (very) large channels.
  * Several other performance improvements such as checking maxperip via
    a hash table and faster invisibility checks for delayjoin.
  * Blacklist hits are now logged globally. This means they show up in
    snomask |B|, are logged, and show up in the webpanel "Logs" view.
  * The event |REMOTE_CLIENT_JOIN| was mass-triggered when servers were
    syncing. They are now hidden, like |REMOTE_CLIENT_CONNECT|.
  * Update shipped libraries: c-ares to 1.19.1


      Fixes:

  * Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing
    rpc_call symbol in their libc library.
  * Crash when removing a |listen { }| block for websocket or rpc (or
    changin the port number)
  * When using the webpanel, if an IRC client tried to connect with the
    same IP as the webpanel server, it would often receive the error
    "Too many unknown connections". This only affected non-localhost
    connections.
  * The |require module| block
    <https://www.unrealircd.org/docs/Require_module_block> was only
    checked of one side of the link, thus partially not working.


      Removed:

  * set::maxbanlength
    <https://www.unrealircd.org/docs/Set_block#set::maxbanlength> has
    been removed as it was not deemed useful and only confusing to users
    and admins.


      Developers and protocol:

  * Server to server lines can now be 16384 bytes in size when |PROTOCTL
    BIGLINES| is set. This will allow us to do things more efficiently
    and possibly raise some other limits in the future. This 16k is the
    size of the complete line, including sender, message tags, content
    and \r\n. Also, in server-to-server traffic we now allow 30
    parameters (MAXPARA*2).
    The original input size limits for non-servers remain the same: the
    complete line can be 4k+512, with the non-mtag portion limit set at
    512 bytes (including \r\n), and MAXPARA is still 15 as well.
  * In command handlers, individual |parv[]| elements can be 510 bytes
    max, even if they add up like parv[1] and parv[2] both being 510
    bytes each. If you need more than that, then you need to set the
    flag |CMD_BIGLINES| in |CommandAdd()|, then an individual parameter
    can be near ~16k. This is so, because a lot of the code does not
    expect parameters bigger than 512 bytes (but can still handle the
    total of parameters being greater than 512). The new flag allows
    gradually opting in commands to allow bigger parameters, after such
    code has been checked and modified to handle it.

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.1.1 released

[Bram M. <sy...@un...>]

Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.1 stable. This 
release comes with various bug fixes and performance improvements, 
especially for channels with thousands of users.

It also has more options to override settings per security group, for 
example if you want to give trusted users or bots more rights or higher 
flood rates than regular users. All these options are now in a single 
Special users <https://www.unrealircd.org/docs/Special_users> article on 
the wiki.

Other notable features are showing better connection errors to SSL/TLS 
users and a new proxy { } block for websocket reverse proxies.

See the full release notes below. As usual on *NIX you can upgrade 
easily with the command: ./unrealircd upgrade

Reminder: UnrealIRCd 5 is no longer supported 
<https://www.unrealircd.org/docs/UnrealIRCd_5_EOL> after July 1, 2023. 
Admins should upgrade to UnrealIRCd 6.


      Enhancements:

Enhancements:

  * Two new features that are conditionally on:
      o SSL/TLS users will now correctly receive the error message if
        they are rejected due to throttling (connect-flood) and some
        other situations.
      o DNS lookups are done before throttling. This allows exempting a
        hostname from both maxperip and connect-flood restrictions.
        A good example for IRCCloud would be:

        |except ban { mask *.irccloud.com; type { maxperip;
        connect-flood; } }|

      o Both features are temporarily disabled whenever a high rate of
        connection attempts
        <https://www.unrealircd.org/docs/FAQ#hi-conn-rate> is detected,
        to save CPU and other resources during such an attack. The
        default rate is 1000 per second, so this would be unusual to
        trigger accidentally.
  * It is now possible to override some set settings
    <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>
    per-security group by having a set block with a name, like set
    unknown-users { }
      o You could use this to set more limitations for unknown-users:

        |set unknown-users { max-channels-per-user 5; static-quit
        "Quit"; static-part yes; } |

      o Or to set higher values (higher than the normal set block) for
        trusted users:

        |security-group trusted-bots { account { BotOne; BotTwo; } } set
        trusted-bots { max-channels-per-user 25; }|

      o Currently the following settings can be used in a set xxx { }
        block: set::auto-join, set::modes-on-connect,
        set::restrict-usermodes, set::max-channels-per-user,
        set::static-quit, set::static-part.
      o See also Special users
        <https://www.unrealircd.org/docs/Special_users> in the
        documentation for applying settings to a security groups.
  * New |proxy { }| block <https://www.unrealircd.org/docs/Proxy_block>
    that can be used for spoofing IP addresses when:
      o Reverse proxying websocket connections (eg. via NGINX, a load
        balancer or other reverse proxy)
      o WEBIRC/CGI:IRC gateways. This will replace the old |webirc { }|
        block in the future, though the old one will still work for now.
  * New setting set::handshake-boot-delay
    <https://www.unrealircd.org/docs/Set_block#set%3A%3Ahandshake-boot-delay>
    which allows server linking autoconnects to kick in (and incoming
    servers on serversonly ports), before allowing clients in. This
    potentially avoids part of the mess when initially linking on-boot.
    This option is not turned on by default, you have to set it explicitly.
      o This is not a useful feature on hubs, as they don't have clients.
      o It can be useful on client servers, if you |autoconnect| to your
        hub.
      o If you connect services to a server with clients this can be
        useful as well, especially in single-server setups. You would
        have to set a low |retrywait| in your anope conf (or similar
        services package) of like |5s| instead of the default |60s|.
        Then after an IRCd restart, your services link in before your
        clients and your IRC users have SASL available straight from the
        start.
  * JSON-RPC:
      o New call |log.list|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.list> to fetch
        past 1000 log entries. This functionality is only loaded if you
        include |rpc.modules.default.conf|, so not wasting any memory on
        servers that are not used for JSON-RPC.


      Changes:

  * set::topic-setter
    <https://www.unrealircd.org/docs/Set_block#set::topic-setter> and
    set::ban-setter
    <https://www.unrealircd.org/docs/Set_block#set::ban-setter> are now
    by default set to |nick-user-host| instead of |nick|, so you can see
    the full nick!user@host of who set the topic/ban/exempt/invex.
  * You can no longer (accidentally) load an old |modules.default.conf|.
    People must always use the shipped version of this file as the file
    VERY clearly says in the beginning (see also that file for
    instructions on how to deal with customizations). People run into
    lots of (strange) problems, not only missing nice new functionality,
    but also Services not working because the svslogin module is not
    loaded, etc.
    Usually mistakes with an old modules.default.conf are not
    deliberate, like a cp *.conf of an old installation, so this error
    should be helpful for those users (who otherwise tend to bang their
    head for hours).
  * Some small DNS performance improvements:
      o We now 'negatively cache' unresolved hosts for 60 seconds.
      o The maximum number of cached records (positive and negative) was
        raised to 4096.
      o We no longer use "search domains" to avoid silly lookups for
        like |4.3.2.1.dnsbl.dronebl.org.mydomain.org|.
  * Data buffer chunks bumped from 512 bytes to ~4K. This results in
    less write calls (lower CPU usage) and more data per TCP/IP packet.
  * We now cache sending of lines in |sendto_channel| via a new
    "LineCache" system. It saves CPU on (very) large channels.
  * Several other performance improvements such as checking maxperip via
    a hash table and faster invisibility checks for delayjoin.
  * Blacklist hits are now logged globally. This means they show up in
    snomask |B|, are logged, and show up in the webpanel "Logs" view.
  * The event |REMOTE_CLIENT_JOIN| was mass-triggered when servers were
    syncing. They are now hidden, like |REMOTE_CLIENT_CONNECT|.
  * Update shipped libraries: c-ares to 1.19.1


      Fixes:

  * Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing
    rpc_call symbol in their libc library.
  * Crash when removing a |listen { }| block for websocket or rpc (or
    changin the port number)
  * When using the webpanel, if an IRC client tried to connect with the
    same IP as the webpanel server, it would often receive the error
    "Too many unknown connections". This only affected non-localhost
    connections.
  * The |require module| block
    <https://www.unrealircd.org/docs/Require_module_block> was only
    checked of one side of the link, thus partially not working.


      Removed:

  * set::maxbanlength
    <https://www.unrealircd.org/docs/Set_block#set::maxbanlength> has
    been removed as it was not deemed useful and only confusing to users
    and admins.


      Developers and protocol:

  * Server to server lines can now be 16384 bytes in size when |PROTOCTL
    BIGLINES| is set. This will allow us to do things more efficiently
    and possibly raise some other limits in the future. This 16k is the
    size of the complete line, including sender, message tags, content
    and \r\n. Also, in server-to-server traffic we now allow 30
    parameters (MAXPARA*2).
    The original input size limits for non-servers remain the same: the
    complete line can be 4k+512, with the non-mtag portion limit set at
    512 bytes (including \r\n), and MAXPARA is still 15 as well.
  * In command handlers, individual |parv[]| elements can be 510 bytes
    max, even if they add up like parv[1] and parv[2] both being 510
    bytes each. If you need more than that, then you need to set the
    flag |CMD_BIGLINES| in |CommandAdd()|, then an individual parameter
    can be near ~16k. This is so, because a lot of the code does not
    expect parameters bigger than 512 bytes (but can still handle the
    total of parameters being greater than 512). The new flag allows
    gradually opting in commands to allow bigger parameters, after such
    code has been checked and modified to handle it.

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.1.1-rc1 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The release candidate for 6.1.1 is now available for testing. You can 
help us by testing and reporting any issues at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>.

Also some new documentation that is worth mentioning: sometimes you want 
to give trusted users/bots more rights than others but you don't want to 
make them IRCOp, the new Special users 
<https://www.unrealircd.org/docs/Special_users> article explains how.


      Enhancements:

  * Two new features that are conditionally on:
      o SSL/TLS users will now correctly receive the error message if
        they are rejected due to throttling (connect-flood) and some
        other situations.
      o DNS lookups are done before throttling. This allows exempting a
        hostname from both maxperip and connect-flood restrictions.
        A good example for IRCCloud would be:

        |except ban { mask *.irccloud.com; type { maxperip;
        connect-flood; } } |

      o Both features are temporarily disabled whenever a high rate of
        connection attempts
        <https://www.unrealircd.org/docs/FAQ#hi-conn-rate> is detected,
        to save CPU and other resources during such an attack. The
        default rate is 1000 per second, so this would be unusual to
        trigger accidentally.
  * It is now possible to override some set settings per-security group
    by having a set block with a name, like |set unknown-users { }|
      o You could use this to set more limitations for unknown-users:

        |set unknown-users { max-channels-per-user 5; static-quit
        "Quit"; static-part yes; } |

      o Or to set higher values (higher than the normal set block) for
        trusted users:

        |security-group trusted-bots { account { BotOne; BotTwo; } } set
        trusted-bots { max-channels-per-user 25; } |

      o Currently the following settings can be used in a set xxx { }
        block: set::auto-join, set::modes-on-connect,
        set::restrict-usermodes, set::max-channels-per-user,
        set::static-quit, set::static-part.
  * New |proxy { }| block <https://www.unrealircd.org/docs/Proxy_block>
    that can be used for spoofing IP addresses when:
      o Reverse proxying websocket connections (eg. via NGINX, a load
        balancer or other reverse proxy)
      o WEBIRC/CGI:IRC gateways. This will replace the old |webirc { }|
        block in the future, though the old one will still work for now.
  * New setting set::handshake-boot-delay
    <https://www.unrealircd.org/docs/Set_block#set%3A%3Ahandshake-boot-delay>
    which allows server linking autoconnects to kick in (and incoming
    servers on serversonly ports), before allowing clients in. This
    potentially avoids part of the mess when initially linking on-boot.
    This option is not turned on by default, you have to set it explicitly.
      o This is not a useful feature on hubs, as they don't have clients.
      o It can be useful on client servers, if you |autoconnect| to your
        hub.
      o If you connect services to a server with clients this can be
        useful as well, especially in single-server setups. You would
        have to set a low |retrywait| in your anope conf (or similar
        services package) of like |5s| instead of the default |60s|.
        Then after an IRCd restart, your services link in before your
        clients and your IRC users have SASL available straight from the
        start.
  * JSON-RPC:
      o New call |log.list|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.list> to fetch
        past 1000 log entries. This functionality is only loaded if you
        include |rpc.modules.default.conf|, so not wasting any memory on
        servers that are not used for JSON-RPC.


      Changes:

  * set::topic-setter
    <https://www.unrealircd.org/docs/Set_block#set::topic-setter> and
    set::ban-setter
    <https://www.unrealircd.org/docs/Set_block#set::ban-setter> are now
    by default set to |nick-user-host| instead of |nick|, so you can see
    the full nick!user@host of who set the topic/ban/exempt/invex.
  * You can no longer (accidentally) load an old |modules.default.conf|.
    People must always use the shipped version of this file as the file
    VERY clearly says in the beginning (see also that file for
    instructions on how to deal with customizations). People run into
    lots of (strange) problems, not only missing nice new functionality,
    but also Services not working because the svslogin module is not
    loaded, etc.
    Usually mistakes with an old modules.default.conf are not
    deliberate, like a cp *.conf of an old installation, so this error
    should be helpful for those users (who otherwise tend to bang their
    head for hours).
  * Some small DNS performance improvements:
      o We now 'negatively cache' unresolved hosts for 60 seconds.
      o The maximum number of cached records (positive and negative) was
        raised to 4096.
      o We no longer use "search domains" to avoid silly lookups for
        like |4.3.2.1.dnsbl.dronebl.org.mydomain.org|.
  * Data buffer chunks bumped from 512 bytes to ~4K. This results in
    less write calls (lower CPU usage) and more data per TCP/IP packet.
  * We now cache sending of lines in |sendto_channel| via a new
    "LineCache" system. It saves CPU on (very) large channels.
  * Several other performance improvements such as checking maxperip via
    a hash table and faster invisibility checks for delayjoin.
  * Blacklist hits are now logged globally. This means they show up in
    snomask |B|, are logged, and show up in the webpanel "Logs" view.
  * The event |REMOTE_CLIENT_JOIN| was mass-triggered when servers were
    syncing. They are now hidden, like |REMOTE_CLIENT_CONNECT|.
  * Update shipped libraries: c-ares to 1.19.1


      Fixes:

  * Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing
    rpc_call symbol in their libc library.
  * Crash when removing a |listen { }| block for websocket or rpc (or
    changin the port number)
  * When using the webpanel, if an IRC client tried to connect with the
    same IP as the webpanel server, it would often receive the error
    "Too many unknown connections". This only affected non-localhost
    connections.
  * The |require module| block
    <https://www.unrealircd.org/docs/Require_module_block> was only
    checked of one side of the link, thus partially not working.


      Removed:

  * set::maxbanlength
    <https://www.unrealircd.org/docs/Set_block#set::maxbanlength> has
    been removed as it was not deemed useful and only confusing to users
    and admins.


      Developers and protocol:

  * Server to server lines can now be 16384 bytes in size when |PROTOCTL
    BIGLINES| is set. This will allow us to do things more efficiently
    and possibly raise some other limits in the future. This 16k is the
    size of the complete line, including sender, message tags, content
    and \r\n. Also, in server-to-server traffic we now allow 30
    parameters (MAXPARA*2).
    The original input size limits for non-servers remain the same: the
    complete line can be 4k+512, with the non-mtag portion limit set at
    512 bytes (including \r\n), and MAXPARA is still 15 as well.
  * In command handlers, individual |parv[]| elements can be 510 bytes
    max, even if they add up like parv[1] and parv[2] both being 510
    bytes each. If you need more than that, then you need to set the
    flag |CMD_BIGLINES| in |CommandAdd()|, then an individual parameter
    can be near ~16k. This is so, because a lot of the code does not
    expect parameters bigger than 512 bytes (but can still handle the
    total of parameters being greater than 512). The new flag allows
    gradually opting in commands to allow bigger parameters, after such
    code has been checked and modified to handle it.

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.1.0 released

[Bram M. <sy...@un...>]

Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.0 stable. This is 
the direct successor to 6.0.7, there will be no 6.0.8.

This release contains several channel mode |+f| enhancements and 
introduces a new channel mode |+F| which works with flood profiles like 
|+F normal| and |+F strict|. It is much easier for users than the scary 
looking mode +f.

UnrealIRCd 6.1.0 also contains lots of JSON-RPC improvements, which is 
used by the UnrealIRCd admin panel 
<https://www.unrealircd.org/docs/UnrealIRCd_webpanel>. Live streaming of 
logs has been added and the webpanel now communicates to UnrealIRCd 
which web user issued a command (eg: who issued a kill, who changed a 
channel mode, ..).

Other improvements are whowasdb (persistent WHOWAS history) and a new 
guide on running a Tor Onion service 
<https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd>. 
The release also fixes a crash bug related to remote includes and fixes 
multiple memory leaks.

See the full release notes below. As usual on *NIX you can upgrade 
easily with the command: ./unrealircd upgrade


      Enhancements:

  * Channel flood protection improvements:
      o New channel mode |+F|
        <https://www.unrealircd.org/docs/Channel_anti-flood_settings>
        (uppercase F). This allows the user to choose a "flood profile",
        which (behind the scenes) translates to something similar to an
        |+f| mode. This so end-users can simply choose an |+F| profile
        without having to learn the complex channel mode |+f|.
          + For example |+F normal| effectively results in
            |[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15|
          + Multiple profiles are available and changing them is
            possible, see the documentation
            <https://www.unrealircd.org/docs/Channel_anti-flood_settings>.
          + Any settings in mode |+f| will override the ones of the |+F|
            profile. To see the effective flood settings, use |MODE
            #channel F|.
      o You can optionally set a default profile via
        set::anti-flood::channel::default-profile
        <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile>.
        This profile is used if the channel is |-F|. If the user does
        not want channel flood protection then they have to use an
        explicit |+F off|.
      o When channel mode |+f| or |+F| detect that a flood is caused by
         >75% of "unknown-users"
        <https://www.unrealircd.org/docs/Security-group_block>, the
        server will now set a temporary ban on
        |~security-group:unknown-users|. It will still set |+i| and
        other modes if the flood keeps on going (eg. is caused by
        known-users).
      o Forced nick changes (eg. by NickServ) are no longer counted in
        nick flood for channel mode |+f|/|+F|.
      o When a server splits on the network, we now temporarily disable
        +f/+F join-flood protection for 75 seconds
        (set::anti-flood::channel::split-delay
        <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>).
        This because a server splitting could mean that server has
        network problems or has died (or restarted), in which case the
        clients would typically reconnect to the remaining other
        servers, triggering an +f/+F join-flood and channels ending up
        being |+i| and such. That is not good because we want +f/+F to
        be as effortless as possible, with as little false positives as
        possible.
          + If your network has 5+ servers and the user load is spread
            evenly among them, then you could disable this feature by
            setting the amount of seconds to |0|. This because in such a
            scenario only 1/5th (20%) of the users would reconnect and
            hopefully don't trigger +f/+F join floods.
      o All these features only work properly if all servers are on
        6.1.0-rc1 or later.
  * New module |whowasdb| (persistent |WHOWAS| history): this saves the
    WHOWAS history on disk periodically and when we terminate, so next
    server boot still has the WHOWAS history. This module is currently
    not loaded by default.
  * New option listen::spoof-ip
    <https://www.unrealircd.org/docs/Listen_block#spoof-ip>, only valid
    when using UNIX domain sockets (so listen::file). This way you can
    override the IP address that users come online with when they use
    the socket (default was and still is |127.0.0.1|).
  * Add a new guide Running Tor Onion service with UnrealIRCd
    <https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd>
    which uses the new listen::spoof-ip and optionally requires a
    services account.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
      o Logging of JSON-RPC requests (eg. via snomask |+R|) has been
        improved, it now shows:
          + The issuer, such as the user logged in to the admin panel
            (if known)
          + The parameters of the request
      o The JSON-RPC calls |channel.list|
        <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list>,
        |channel.get|
        <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get>,
        |user.list|
        <https://www.unrealircd.org/docs/JSON-RPC:User#user.list> and
        |user.get|
        <https://www.unrealircd.org/docs/JSON-RPC:User#user.get> now
        support an optional argument |object_detail_level| which
        specifies how detailed the Channel
        <https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel>
        and User
        <https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object>
        response object will be. Especially useful if you don't need all
        the details in the list calls.
      o New JSON-RPC methods |log.subscribe|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.subscribe> and
        |log.unsubscribe|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.unsubscribe>
        to allow real-time streaming of JSON log events
        <https://www.unrealircd.org/docs/JSON_logging>.
      o New JSON-RPC method |rpc.set_issuer|
        <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer> to
        indiciate who is actually issuing the requests. The admin panel
        uses this to communicate who is logged in to the panel so this
        info can be used in logging.
      o New JSON-RPC methods |rpc.add_timer|
        <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.add_timer> and
        |rpc.del_timer|
        <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.del_timer> so
        you can schedule JSON-RPC calls, like stats.get, to be executed
        every xyz msec.
      o New JSON-RPC method |whowas.get|
        <https://www.unrealircd.org/docs/JSON-RPC:Whowas#whowas.get> to
        fetch WHOWAS history.
      o Low ASCII is no longer filtered out in strings in JSON-RPC, only
        in JSON logging.
  * A new message tag |unrealircd.org/issued-by| which is IRCOp-only
    (and used intra-server) to communicate who actually issued a
    command. See docs <https://www.unrealircd.org/issued-by>.


      Changes:

  * The RPC modules are enabled by default now. This so remote RPC works
    from other IRC servers for calls like |modules.list|. The default
    configuration does NOT enable the webserver nor does it cause
    listening on any socket for RPC, for that you need to follow the
    JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> instructions.
  * The blacklist-module
    <https://www.unrealircd.org/docs/Blacklist-module_directive>
    directive now accepts wildcards, eg |blacklist-module rpc/*;|
  * The setting set::modef-boot-delay has been moved to
    set::anti-flood::channel::boot-delay
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>.
  * We now only exempt |127.0.0.1| and |::1| from banning by default
    (hardcoded in the source). Previously we exempted whole |127.*| but
    that gets in the way if you want to allow Tor with a require
    authentication
    <https://www.unrealircd.org/docs/Require_authentication_block> block
    or soft-ban. Now you can just tell Tor to bind to |127.0.0.2| so its
    not affected by the default exemption.


      Fixes:

  * Crash if there is a parse error in an included file and there are
    other remote included files still being downloaded.
  * Memory leak in WHOWAS
  * Memory leak when connecting to a TLS server fails
  * Workaround a bug in some websocket implementations where the
    WSOP_PONG frame is unmasked (now permitted).


      Developers and protocol:

  * The |cmode.free_param| definition changed. It now has an extra
    argument |int soft| and for return value you will normally |return
    0| here. You can |return 1| if you resist freeing, which is rare and
    only used by |+F| with set::anti-flood::channel::default-profile.
  * New |cmode.flood_type_action| which can be used to indicate a
    channel mode can be used from +f/+F as an action. You need to
    specify for which flood type your mode is, eg
    |cmode.flood_type_action = 'j';| for joinflood.
  * JSON-RPC supports UNIX domain sockets
    <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket>
    for making RPC calls. If this is used, we now split on |\n|
    (newline) so multiple parallel requests can be handled properly.
  * Message tag |unrealircd.org/issued-by|, sent to IRCOps only. See
    docs <https://www.unrealircd.org/issued-by>.

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.1.0-rc2 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second release candidate for 6.1.0 is now available for testing. 
Thanks to everyone for testing the -rc1!

UnrealIRCd 6.1.0-rc2 should be the last release candidate before stable 
6.1.0 release in May, 2023. You can help us by testing and reporting any 
issues at https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>.

This release contains channel mode +f enhancements and introduces a new 
channel mode +F which should be much easier for users than the scary 
looking +f.

Compared to 6.1.0-rc1, this 6.1.0-rc2 contains: some minor +F fixes if 
setting a default profile, optional persistent whowas history 
(whowasdb), lots of JSON-RPC improvements and new API methods, HELPOP 
updates, fixes for streaming logs over websockets, fixes a memory leak 
and there is a ban exemption change and a new Tor guide.


      Enhancements:

  * Channel flood protection improvements:
      o New channel mode |+F|
        <https://www.unrealircd.org/docs/Channel_anti-flood_settings>
        (uppercase F). This allows the user to choose a "flood profile",
        which (behind the scenes) translates to something similar to an
        |+f| mode. This so end-users can simply choose an |+F| profile
        without having to learn the complex channel mode |+f|.
          + For example |+F normal| effectively results in
            |[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15|
          + Multiple profiles are available and changing them is
            possible, see the documentation
            <https://www.unrealircd.org/docs/Channel_anti-flood_settings>.
          + Any settings in mode |+f| will override the ones of the |+F|
            profile. To see the effective flood settings, use |MODE
            #channel F|.
      o You can optionally set a default profile via
        set::anti-flood::channel::default-profile
        <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile>.
        This profile is used if the channel is |-F|. If the user does
        not want channel flood protection then they have to use an
        explicit |+F off|.
      o When channel mode |+f| or |+F| detect that a flood is caused by
         >75% of "unknown-users"
        <https://www.unrealircd.org/docs/Security-group_block>, the
        server will now set a temporary ban on
        |~security-group:unknown-users|. It will still set |+i| and
        other modes if the flood keeps on going (eg. is caused by
        known-users).
      o Forced nick changes (eg. by NickServ) are no longer counted in
        nick flood for channel mode |+f|/|+F|.
      o When a server splits on the network, we now temporarily disable
        +f/+F join-flood protection for 75 seconds
        (set::anti-flood::channel::split-delay
        <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>).
        This because a server splitting could mean that server has
        network problems or has died (or restarted), in which case the
        clients would typically reconnect to the remaining other
        servers, triggering an +f/+F join-flood and channels ending up
        being |+i| and such. That is not good because we want +f/+F to
        be as efortless as possible, with as little false positives as
        possible.
          + If your network has 5+ servers and the user load is spread
            evenly among them, then you could disable this feature by
            setting the amount of seconds to |0|. This because in such a
            scenario only 1/5th (20%) of the users would reconnect and
            hopefully don't trigger +f/+F join floods.
      o All these features only work properly if all servers are on
        6.1.0-rc1 or later.
  * New module |whowasdb| (persistent |WHOWAS| history): this saves the
    WHOWAS history on disk periodically and when we terminate, so next
    server boot still has the WHOWAS history. This module is currently
    not loaded by default.
  * New option listen::spoof-ip
    <https://www.unrealircd.org/docs/Listen_block#spoof-ip>, only valid
    when using UNIX domain sockets (so listen::file). This way you can
    override the IP address that users come online with when they use
    the socket (default was and still is |127.0.0.1|).
  * Add a new guide Running Tor Onion service with UnrealIRCd
    <https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd>
    which uses the new listen::spoof-ip and optionally requires a
    services account.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
      o Logging of JSON-RPC requests (eg. via snomask |+R|) has been
        improved, it now shows:
          + The issuer, such as the user logged in to the admin panel
            (if known)
          + The parameters of the request
      o The JSON-RPC calls |channel.list|
        <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list>,
        |channel.get|
        <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get>,
        |user.list|
        <https://www.unrealircd.org/docs/JSON-RPC:User#user.list> and
        |user.get|
        <https://www.unrealircd.org/docs/JSON-RPC:User#user.get> now
        support an optional argument |object_detail_level| which
        specifies how detailed the Channel
        <https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel>
        and User
        <https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object>
        response object will be. Especially useful if you don't need all
        the details in the list calls.
      o New JSON-RPC methods |log.subscribe|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.subscribe> and
        |log.unsubscribe|
        <https://www.unrealircd.org/docs/JSON-RPC:Log#log.unsubscribe>
        to allow real-time streaming of JSON log events
        <https://www.unrealircd.org/docs/JSON_logging>.
      o New JSON-RPC method |rpc.set_issuer|
        <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer> to
        indiciate who is actually issuing the requests. The admin panel
        uses this to communicate who is logged in to the panel so this
        info can be used in logging.
      o New JSON-RPC methods |rpc.add_timer|
        <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.add_timer> and
        |rpc.del_timer|
        <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.del_timer> so
        you can schedule JSON-RPC calls, like stats.get, to be executed
        every xyz msec.
      o New JSON-RPC method |whowas.get|
        <https://www.unrealircd.org/docs/JSON-RPC:Whowas#whowas.get> to
        fetch WHOWAS history.
      o Low ASCII is no longer filtered out in strings in JSON-RPC, only
        in JSON logging.
  * A new message tag |unrealircd.org/issued-by| which is IRCOp-only
    (and used intra-server) to communicate who actually issued a
    command. See docs <https://www.unrealircd.org/issued-by>.


      Changes:

  * The RPC modules are enabled by default now. This so remote RPC works
    from other IRC servers for calls like |modules.list|. The default
    configuration does NOT enable the webserver nor does it cause
    listening on any socket for RPC, for that you need to follow the
    JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> instructions.
  * The blacklist-module
    <https://www.unrealircd.org/docs/Blacklist-module_directive>
    directive now accepts wildcards, eg |blacklist-module rpc/*;|
  * The setting set::modef-boot-delay has been moved to
    set::anti-flood::channel::boot-delay
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>.
  * We now only exempt |127.0.0.1| and |::1| from banning by default
    (hardcoded in the source). Previously we exempted whole |127.*| but
    that gets in the way if you want to allow Tor with a require
    authentication
    <https://www.unrealircd.org/docs/Require_authentication_block> block
    or soft-ban. Now you can just tell Tor to bind to |127.0.0.2| so its
    not affected by the default exemption.


      Fixes:

  * Memory leak in WHOWAS
  * Workaround a bug in some websocket implementations where the
    WSOP_PONG frame is unmasked (now permitted).


      Developers and protocol:

  * The |cmode.free_param| definition changed. It now has an extra
    argument |int soft| and for return value you will normally |return
    0| here. You can |return 1| if you resist freeing, which is rare and
    only used by |+F| with set::anti-flood::channel::default-profile.
  * New |cmode.flood_type_action| which can be used to indicate a
    channel mode can be used from +f/+F as an action. You need to
    specify for which flood type your mode is, eg
    |cmode.flood_type_action = 'j';| for joinflood.
  * JSON-RPC supports UNIX domain sockets
    <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket>
    for making RPC calls. If this is used, we now split on |\n|
    (newline) so multiple parallel requests can be handled properly.

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.1.0-rc1 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The first release candidate for 6.1.0 is now available for testing. This 
release contains channel mode +f enhancements and introduces a new 
channel mode +F which should be much easier for users than the scary 
looking +f.

You can help us by testing and reporting any issues at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>. The stable 
6.1.0 release is scheduled for May, 2023.


      Enhancements:

  * Channel flood protection improvements:
      o New channel mode |+F|
        <https://www.unrealircd.org/docs/Channel_anti-flood_settings>
        (uppercase F). This allows the user to choose a "flood profile",
        which (behind the scenes) translates to something similar to an
        |+f| mode. This so end-users can simply choose an |+F| profile
        without having to learn the complex channel mode |+f|.
          + For example |+F normal| effectively results in
            |[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15|
          + Multiple profiles are available and changing them is
            possible, see the documentation
            <https://www.unrealircd.org/docs/Channel_anti-flood_settings>.
          + Any settings in mode |+f| will override the ones of the |+F|
            profile. To see the effective flood settings, use |MODE
            #channel F|.
      o You can optionally set a default profile via
        set::anti-flood::channel::default-profile
        <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile>.
        This profile is used if the channel is |-F|. If the user does
        not want channel flood protection then they have to use an
        explicit |+F off|.
      o When channel mode |+f| or |+F| detect that a flood is caused by
         >75% of "unknown-users"
        <https://www.unrealircd.org/docs/Security-group_block>, the
        server will now set a temporary ban on
        |~security-group:unknown-users|. It will still set |+i| and
        other modes if the flood keeps on going (eg. is caused by
        known-users).
      o Forced nick changes (eg. by NickServ) are no longer counted in
        nick flood for channel mode |+f|/|+F|.
      o When a server splits on the network, we now temporarily disable
        +f/+F join-flood protection for 75 seconds
        (set::anti-flood::channel::split-delay
        <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>).
        This because a server splitting could mean that server has
        network problems or has died (or restarted), in which case the
        clients would typically reconnect to the remaining other
        servers, triggering an +f/+F join-flood and channels ending up
        being |+i| and such. That is not good because we want +f/+F to
        be as efortless as possible, with as little false positives as
        possible.
          + If your network has 5+ servers and the user load is spread
            evenly among them, then you could disable this feature by
            setting the amount of seconds to |0|. This because in such a
            scenario only 1/5th (20%) of the users would reconnect and
            hopefully don't trigger +f/+F join floods.
      o All these features only work properly if all servers are on
        6.1.0-rc1 or later.
  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
      o Logging of JSON-RPC requests (eg. via snomask |+R|) has been
        improved, it now shows:
          + The issuer, such as the user logged in to the admin panel
            (if known)
          + The parameters of the request
      o The JSON-RPC calls |channel.list|
        <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list>,
        |channel.get|
        <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get>,
        |user.list|
        <https://www.unrealircd.org/docs/JSON-RPC:User#user.list> and
        |user.get|
        <https://www.unrealircd.org/docs/JSON-RPC:User#user.get> now
        support an optional argument |object_detail_level| which
        specifies how detailed the Channel
        <https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel>
        and User
        <https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object>
        response object will be. Especially useful if you don't need all
        the details in the list calls.
      o New JSON-RPC method |rpc.set_issuer|
        <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer> to
        indiciate who is actually issuing the requests. The admin panel
        uses this to communicate who is logged in to the panel so this
        info can be used in logging.
  * A new message tag |unrealircd.org/issued-by| which is IRCOp-only
    (and used intra-server) to communicate who actually issued a
    command. See docs <https://www.unrealircd.org/issued-by>.


      Changes:

  * The RPC modules are enabled by default now. This so remote RPC works
    from other IRC servers for calls like |modules.list|. The default
    configuration does NOT enable the webserver nor does it cause
    listening on any socket for RPC, for that you need to follow the
    JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> instructions.
  * The blacklist-module
    <https://www.unrealircd.org/docs/Blacklist-module_directive>
    directive now accepts wildcards, eg |blacklist-module rpc/*;|
  * The setting set::modef-boot-delay has been moved to
    set::anti-flood::channel::boot-delay
    <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>.


      Developers and protocol:

  * The |cmode.free_param| definition changed. It now has an extra
    argument |int soft| and for return value you will normally |return
    0| here. You can |return 1| if you resist freeing, which is rare and
    only used by |+F| with set::anti-flood::channel::default-profile.
  * New |cmode.flood_type_action| which can be used to indicate a
    channel mode can be used from +f/+F as an action. You need to
    specify for which flood type your mode is, eg
    |cmode.flood_type_action = 'j';| for joinflood.
  * JSON-RPC supports UNIX domain sockets
    <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket>
    for making RPC calls. If this is used, we now split on |\n|
    (newline) so multiple parallel requests can be handled properly.

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

Reminder: UnrealIRCd 5 is near its EOL-date

[Bram M. <sy...@un...>]

Hi everyone,

This is a friendly reminder that UnrealIRCd 5 will be End Of Life after 
_July 1, 2023_. After that date, it will be completely unmaintained and 
won't even get security fixes anymore.

*The end of UnreaIRCd 5*
UnrealIRCd 5.0.0 was released on Dec 13, 2019, so this will conclude the 
end of 3,5 years of UnrealIRCd 5. The first announcement about the EOL 
date was in October 2021. For full details and the timeline, see 
https://www.unrealircd.org/docs/UnrealIRCd_5_EOL. We are also listed at 
this great website for keeping track of EOL dates: 
https://endoflife.date/unrealircd

*Are you still using UnrealIRCd 5?*
We recommend anyone running UnrealIRCd 5 (or older) to upgrade to 
UnrealIRCd 6.0.7.
UnrealIRCd 6 has proven to be stable and has lots of useful features. 
Two weeks ago UnrealIRCd 6.0.7 was released and it has been downloaded 
300 times already.
If you have no idea what's new, then check out 
https://www.unrealircd.org/docs/What's_new_in_UnrealIRCd_6
If you are upgrading from UnrealIRCd 5 to UnrealIRCd 6, then you will 
find the following article helpful: 
https://www.unrealircd.org/docs/Upgrading_from_5.x

Best regards,

Bram Matthys (Syzop)

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.7 released

[Bram M. <sy...@un...>]

UnrealIRCd 6.0.7 makes WHOWAS show more information to IRCOps and adds 
an experimental spamfilter feature. It also contains other enhancements 
and quite a number of bug fixes. One notable change is that on linking 
of anope or atheme, every server will now check if they have ulines { } 
for that services server, since it's a common mistake to forget this, 
leading to desyncs or other weird problems.

As a reminder, since previous release the UnrealIRCd Administration 
Webpanel <https://github.com/unrealircd/unrealircd-webpanel/> is very 
much usable. It allows admins to view the users/channels/servers lists, 
view detailed information on users and channels, manage server bans and 
spamfilters, all from a web browser.

You can download UnrealIRCd from unrealircd.org 
<https://unrealircd.org/>, and on *NIX you can easily upgrade with 
|./unrealircd upgrade|


      Enhancements:

  * Spamfilter <https://www.unrealircd.org/docs/Spamfilter> can now be
    made UTF8-aware:
      o This is experimental, to enable: |set { spamfilter { utf8 yes; } }|
      o Case insensitive matches will then work better. For example, for
        extended Latin, a spamfilter on |ę| then also matches |Ę|.
      o Other PCRE2 features such as \p
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5>
        can then be used. For example the regex |\p{Arabic}| would block
        all Arabic script. See also this full list of scripts
        <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>.
        Please use this new tool with care. Blocking an entire language
        or script is quite a drastic measure.
      o As a consequence of this we require PCRE2 10.36 or newer. If
        your system PCRE2 is older, then the UnrealIRCd-shipped-library
        version will be compiled and |./Config| may take a little longer
        than usual.
  * |WHOWAS| now shows IP address and account information to IRCOps
  * Allow services to send a couple of protocol messages in the
    unregistered / SASL stage. These are: |CHGHOST|, |CHGIDENT| and
    |SREPLY|
      o This allows services to set the vhost on a user during SASL, so
        the user receives the vhost straight from the start, before all
        the auto-joining/re-rejoining of channels.
      o Future anope/atheme/etc services will presumably support this.
  * WebSocket <https://www.unrealircd.org/docs/WebSocket_support> status
    is now synced over the network and an extra default security group
    <https://www.unrealircd.org/docs/Security-group_block>
    |websocket-users| has been added. Similarly there is now
    security-group::websocket and security-group::exclude-websocket
    item. Same for mask items
    <https://www.unrealircd.org/docs/Mask_item> such as in
    set::restrict-commands::command::except
    <https://www.unrealircd.org/docs/Restrict_commands>.
  * Support for IRCv3 Standard Replies
    <https://ircv3.net/specs/extensions/standard-replies>. Right now
    nothing fancy yet, other than us sending
    |ACCOUNT_REQUIRED_TO_CONNECT| from the authprompt module when a user
    is soft-banned <https://www.unrealircd.org/docs/Soft_ban>.
  * Add support for sending IRCv3 Standard Replies intra-server, eg from
    services (|SREPLY| server-to-server command)
  * Support |NO_COLOR| environment variable, as per no-color.org
    <https://no-color.org>.


      Changes:

  * We now verify that all servers have ulines { }
    <https://www.unrealircd.org/docs/Ulines_block> for Anope and Atheme
    servers and reject the link if this is not the case.
  * The |FLOOD_BLOCKED| log message now shows the target of the flood
    for |target-flood-user| and |target-flood-channel|.
  * When an IRCOp sets |+H| to hide ircop status, only the swhois items
    that were added through oper will be hidden (and not the ones added
    by eg. vhost). Previously all were hidden.
  * Update shipped libraries: c-ares to 1.19.0, Jansson to 2.14, PCRE2
    to 10.42, and on Windows LibreSSL to 3.6.2 and cURL to 8.0.1.


      Fixes:

  * Crash if a third party module is loaded which allows very large
    message tags (e.g. has no length check)
  * Crash if an IRCOp uses |unrealircd.org/json-log|
    <https://www.unrealircd.org/docs/JSON_logging#Enabling_on_IRC> on
    IRC and during |REHASH| some module sends log output during MOD_INIT
    (eg. with some 3rd party modules)
  * Crash when parsing deny link block
    <https://www.unrealircd.org/docs/Deny_link_block>
  * The Module manager <https://www.unrealircd.org/docs/Module_manager>
    now works on FreeBSD and similar.
  * In |LUSERS| the "unknown connection(s)" count was wrong. This was
    just a harmless counting error with no other effects.
  * Silence warnings on Clang 15+ (eg. Ubuntu 23.04)
  * Don't download |GeoIP.dat| if you have |blacklist-module
    geoip_classic;|
    <https://www.unrealircd.org/docs/Blacklist-module_directive>
  * Channel mode |+S| stripping too much on incorrect color codes.
  * Make |@if module-loaded()|
    <https://www.unrealircd.org/docs/Defines_and_conditional_config>
    work correctly for modules that are about to be unloaded during REHASH.
  * Some missing notices if remotely REHASHing a server, and one
    duplicate line.
  * Check invalid host setting in oper::vhost, just like we already have
    in vhost::vhost.

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.6 released

[Bram M. <sy...@un...>]

I'm happy to announce UnrealIRCd 6.0.6. The main objective of this 
release is to enhance the new JSON-RPC functionality. In 6.0.5 we made a 
start and in 6.0.6 it is expanded a lot, plus some important bugs were 
fixed in it. Thanks everyone who has been testing the functionality!

The new UnrealIRCd Administration Webpanel 
<https://github.com/unrealircd/unrealircd-webpanel/> (which uses 
JSON-RPC) is very much usable now. It allows admins to view the 
users/channels/servers lists, view detailed information on users and 
channels, manage server bans and spamfilters, all from the browser. Both 
the JSON-RPC API and the webpanel are work in progress. They will 
improve and expand with more features over time.

If you are already using UnrealIRCd 6.0.5 and you are NOT interested in 
JSON-RPC or the webpanel then there is NO reason to upgrade to 6.0.6.

As usual, you can download UnrealIRCd from unrealircd.org 
<https://unrealircd.org/>, and on *NIX you can easily upgrade with 
|./unrealircd upgrade|


      Enhancements:

  * The JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> API for
    UnrealIRCd has been expanded a lot. From 12 API methods to 42:
    |stats.get|, |rpc.info|, |user.part|, |user.join|, |user.quit|,
    |user.kill|, |user.set_oper|, |user.set_snomask|, |user.set_mode|,
    |user.set_vhost|, |user.set_realname|, |user.set_username|,
    |user.set_nick|, |user.get|, |user.list|, |server.module_list|,
    |server.disconnect|, |server.connect|, |server.rehash|,
    |server.get|, |server.list|, |channel.kick|, |channel.set_topic|,
    |channel.set_mode|, |channel.get|, |channel.list|, |server_ban.add|,
    |server_ban.del|, |server_ban.get|, |server_ban.list|,
    |server_ban_exception.add|, |server_ban_exception.del|,
    |server_ban_exception.get|, |server_ban_exception.list|,
    |name_ban.add|, |name_ban.del|, |name_ban.get|, |name_ban.list|,
    |spamfilter.add|, |spamfilter.del|, |spamfilter.get|,
    |spamfilter.list|.
      o Server admins can read the JSON-RPC
        <https://www.unrealircd.org/docs/JSON-RPC> documentation on how
        to get started. For developers, see the Technical documentation
        <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation>
        for all info on the different RPC calls and the protocol.
      o Some functionality requires all servers to be on 6.0.6 or later.
      o Some functionality requires all servers to include
        |rpc.modules.default.conf| instead of only the single server
        that the webpanel interfaces with through JSON-RPC. When all
        servers have that file included then the API call
        |server.module_list| can work for remote servers, and the API
        call |server.rehash| for remote servers can return the actual
        rehash result and a full log of the rehash process. It is not
        used for any other API call at the moment, but in the future
        more API calls may need this functionality because it allows us
        to do things that are otherwise impossible or very hard.
      o Known issue: logging of RPC actions needs to be improved. For
        some API calls, like adding of server bans and spamfilters, this
        already works, but in other API calls it is not clearly logged
        yet "who did what".


      Changes:

  * Previously some server protocol commands could only be used by
    services, commands such as |SVSJOIN| and |SVSPART|. We now allow
    SVS* command to be used by any servers, so the JSON-RPC API can use
    them. There's a new option set::limit-svscmds
    <https://www.unrealircd.org/docs/Set_block#set::limit-svscmds> so
    one can revert back to the original situation, if needed.
  * All JSON-RPC calls that don't change anything, such as |user.list|
    are now logged in the |rpc.debug| facility. Any call that changes
    anything like |user.join| or |spamfilter.add| is logged via
    |rpc.info|. This because JSON-RPC calls can be quite noisy and
    logging the read-only calls is generally not so interesting.


      Fixes:

  * When using JSON-RPC with UnrealIRCd 6.0.5 it would often crash
  * Fix parsing services version (anope) in |EAUTH|.


      Developers and protocol:

  * A new |RRPC| server to server command to handle RPC-over-IRC. This
    way the JSON-RPC user, like the admin panel, can interface with a
    remote server. If you are writing an RPC handler, then the remote
    RPC request does not look much different than a local one, so you
    can just process it as usual. See the code for |server.rehash| or
    |server.module_list| for an example (src/modules/rpc/server.c).

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.5 released

[Bram M. <sy...@un...>]

I'm happy to announce UnrealIRCd 6.0.5 (stable).

This release adds experimental JSON-RPC support, a new TLINE command, 
the |./unrealircd restart| command has been improved to check for config 
errors, logging to files has been improved and there are several other 
enhancements.

There are also two important changes: 1) servers that use websockets now 
also need to load the "webserver" module (so you may need to edit your 
config file). 2) we now require TLSv1.2 or higher and a modern cipher 
for IRC clients. This should be no problem for clients using any 
reasonably new SSL/TLS library (from 2014 or later).

I would also like to take this opportunity to say that we are looking 
for webdevs to create an UnrealIRCd admin panel 
<https://forums.unrealircd.org/viewtopic.php?t=9257>. The previous 
attempt at this failed so we are looking for new people.

See the full release notes below for all changes in more detail.

As usual, you can download UnrealIRCd from unrealircd.org 
<https://unrealircd.org/>, and on *NIX you can easily upgrade with 
|./unrealircd upgrade|


      Enhancements:

  * Internally the websocket module has been split up into 3 modules:
    |websocket_common|, |webserver| and |websocket|. The
    |websocket_common| one is loaded by default via
    modules.default.conf, the other two are not.
    *Important:* if you use websockets then you need to load two modules
    now (instead of only one):

    |loadmodule "websocket"; loadmodule "webserver"; |

  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> API for
    UnrealIRCd. This is work in progress.
  * New |TLINE| command to test *LINEs. This can be especially useful
    for checking how many people match an extended server ban
    <https://www.unrealircd.org/docs/Extended_server_bans> such as
    |TLINE ~C:NL|
  * The |./unrealircd start| command will now refuse to start if
    UnrealIRCd is already running.
  * The |./unrealircd restart| command will validate the configuration
    file (it will call |./unrealircd configtest|). If there is a
    configuration error then the restart will not go through and the
    current UnrealIRCd process is kept running.
  * When an IRCOp is outside the channel and does |MODE #channel| they
    will now get to see the mode parameters too. This depends on the
    |channel:see:mode:remote| operclass permission
    <https://www.unrealircd.org/docs/Operclass_permissions> which all
    IRCOps have by default if you use the default operclasses.
  * Logging to a file <https://www.unrealircd.org/docs/Log_block> now
    creates a directory structure if needed.
      o You could already use:

        |log { source { !debug; all; } destination { file
        "ircd.%Y-%m-%d.log"; } } |

      o But now you can also use:

        |log { source { !debug; all; } destination { file
        "%Y-%m-%d/ircd.log"; } } |

        This is especially useful if you output to multiple log files
        and then want them grouped by date in a directory.
  * Add additional variables in blacklist::reason
    <https://www.unrealircd.org/docs/Blacklist_block>:
      o |$blacklist|: name of the blacklist block
      o |$dnsname|: the blacklist::dns::name
      o |$dnsreply|: the DNS reply code
  * Resolved technical issue so opers can |REHASH| from Websocket
    connections <https://www.unrealircd.org/docs/WebSocket_support>.
  * In the TLD block <https://www.unrealircd.org/docs/Tld_block> the use
    of |tld::motd| and |tld::rules| is now optional.
  * Log which oper actually initiated a server link request (|CONNECT|)


      Changes:

  * SSL/TLS: By default we now require TLSv1.2 or later and a modern
    cipher with forward secrecy. Otherwise the connection is refused.
      o Since UnrealIRCd 4.2.2 (March 2019) users see an on-connect
        notice with a warning when they use an outdated TLS protocol or
        cipher that does not meet these requirements.
      o This move also reflects the phase out of versions below TLSv1.2
        which happened in browsers in 2020/2021.
      o In practice on the client-side this requires at least:
          + OpenSSL 1.0.1 (released in 2012)
          + GnuTLS 3.2.6 (2013)
          + Android 4.4.2 (2013)
          + Or presumably any other SSL/TLS library that is not 9+ years old
      o If you want to revert back to the previous less secure settings,
        then look under ''Previous less secure setting'' in TLS Ciphers
        and protocols
        <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols>.
  * The code for handling |set::anti-flood::everyone::connect-flood|
    <https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood>
    is now in its own module |connect-flood|. This module is loaded by
    default, no changes needed in your configuration file.
  * Similarly, |set:max-unknown-connections-per-ip|
    <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip>
    is now handled by the new module |max-unknown-connections-per-ip|.
    This module is loaded by default as well, no changes needed in your
    configuration file.
  * Upgrade shipped PCRE2 to 10.41, curl-ca-bundle to 2022-10-11, on
    Windows LibreSSL to 3.6.1 and cURL to 7.86.0.
  * After people do a major upgrade on their Linux distro, UnrealIRCd
    may no longer start due to an |error while loading shared
    libraries|. We now print a more helpful message and link to the new
    FAQ entry <https://www.unrealircd.org/docs/FAQ#shared-library-error>
    about it.
  * When timing out on the authprompt
    <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt>
    module, the error (quit message) is now the original (ban) reason
    for the prompt, instead of the generic |Registration timeout|.


      Fixes:

  * Crash when linking. This requires a certain sequence of events:
    first a server is linked in successfully, then we need to REHASH,
    and then a new link attempt has to come in with the same server name
    (for example because there is a network issue and the old link has
    not timed out yet). If all that happens, then an UnreaIRCd 6 server
    may crash, but not always.
  * Warning message about moddata creationtime when linking.
  * Snomask |+j| <https://www.unrealircd.org/docs/Snomasks> was not
    showing remote joins, even though it did show remote parts and kicks.
  * Leak of 1 file descriptor per /REHASH (the control socket).
  * Ban letters showing up twice in 005 EXTBAN=
  * Setting set::authentication-prompt::enabled
    <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt>
    to |no| was ignored. The default is still |yes|.


      Developers and protocol:

  * Add |CALL_CMD_FUNC(cmd_func_name)| for calling commands in the same
    module, see this commit
    <https://github.com/unrealircd/unrealircd/commit/dc55c3ec9f19e5ed284e5a786f646d0e6bb60ef9>.
    Benefit of this is that it will keep working if we ever change
    command paramters.
  * Add |CALL_NEXT_COMMAND_OVERRIDE()| which can be used instead of
    |CallCommandOverride()|, see also this commit
    <https://github.com/unrealircd/unrealircd/commit/4e5598b6cf0986095f757f31a2540b03e4d235dc>.
    This too, will keep working if we ever change command parameters.
  * During loading and rehash we now set |loop.config_status| to one of
    |CONFIG_STATUS_*| so modules (and core) can see at what step we are
    during configuration file and module processing.
  * New RPC API. See the |src/modules/rpc/| directory for examples.
  * New function |get_nvplist(NameValuePrioList *list, const char *name)|

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.5-rc2 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second release candidate for 6.0.5 is now available for testing. If 
you have some time during the holidays and would like to try it out, 
feel free to do so. Please report any bugs you find at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>. On *NIX you 
can use the command *./unrealircd upgrade --rc* to upgrade to this RC.

This release adds experimental JSON-RPC support which can be used by a 
web panel or other interface (this is work in progress). There's a new 
TLINE command to test *LINES, useful for e.g. /TLINE ~C:NL. Logging to 
files has been improved and some other enhancements. One notable change 
is that by default we now require TLSv1.2 (or higher) for IRC clients 
and a modern cipher. This should be no problem for clients using any 
reasonably new SSL/TLS library (from 2014 or later). Another notable 
change is that servers with websockets now also need to load the 
"webserver" module. Full release notes with all details are below.

Compared to 6.0.5-rc1 this 6.0.5-rc2 has some nice ./unrealircd script 
enhancements (see below) and various small bugfixes


      Enhancements:

  * Internally the websocket module has been split up into 3 modules:
    |websocket_common|, |webserver| and |websocket|. The
    |websocket_common| one is loaded by default via
    modules.default.conf, the other two are not.
    *Important:* if you use websockets then you need to load two modules
    now (instead of only one):

    |loadmodule "websocket"; loadmodule "webserver"; |

  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> API for
    UnrealIRCd. This is work in progress.
  * New |TLINE| command to test *LINEs. This can be especially useful
    for checking how many people match an extended server ban
    <https://www.unrealircd.org/docs/Extended_server_bans> such as
    |TLINE ~C:NL|
  * The |./unrealircd start| command will now refuse to start if
    UnrealIRCd is already running.
  * The |./unrealircd restart| command will validate the configuration
    file (it will call |./unrealircd configtest|). If there is a
    configuration error then the restart will not go through and the
    current UnrealIRCd process is kept running.
  * When an IRCOp is outside the channel and does |MODE #channel| they
    will now get to see the mode parameters too. This depends on the
    |channel:see:mode:remote| operclass permission
    <https://www.unrealircd.org/docs/Operclass_permissions> which all
    IRCOps have by default if you use the default operclasses.
  * Logging to a file <https://www.unrealircd.org/docs/Log_block> now
    creates a directory structure if needed.
      o You could already use:

        |log { source { !debug; all; } destination { file
        "ircd.%Y-%m-%d.log"; } } |

      o But now you can also use:

        |log { source { !debug; all; } destination { file
        "%Y-%m-%d/ircd.log"; } } |

        This is especially useful if you output to multiple log files
        and then want them grouped by date in a directory.
  * Add additional variables in blacklist::reason
    <https://www.unrealircd.org/docs/Blacklist_block>:
      o |$blacklist|: name of the blacklist block
      o |$dnsname|: the blacklist::dns::name
      o |$dnsreply|: the DNS reply code
  * Resolved technical issue so opers can |REHASH| from Websocket
    connections <https://www.unrealircd.org/docs/WebSocket_support>.
  * In the TLD block <https://www.unrealircd.org/docs/Tld_block> the use
    of |tld::motd| and |tld::rules| is now optional.
  * Log which oper actually initiated a server link request (|CONNECT|)


      Changes:

  * SSL/TLS: By default we now require TLSv1.2 or later and a modern
    cipher with forward secrecy. Otherwise the connection is refused.
      o Since UnrealIRCd 4.2.2 (March 2019) users see an on-connect
        notice with a warning when they use an outdated TLS protocol or
        cipher that does not meet these requirements.
      o This move also reflects the phase out of versions below TLSv1.2
        which happened in browsers in 2020/2021.
      o In practice on the client-side this requires at least:
          + OpenSSL 1.0.1 (released in 2012)
          + GnuTLS 3.2.6 (2013)
          + Android 4.4.2 (2013)
          + Or presumably any other SSL/TLS library that is not 9+ years old
      o If you want to revert back to the previous less secure settings,
        then look under ''Previous less secure setting'' in TLS Ciphers
        and protocols
        <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols>.
  * The code for handling |set::anti-flood::everyone::connect-flood|
    <https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood>
    is now in its own module |connect-flood|. This module is loaded by
    default, no changes needed in your configuration file.
  * Similarly, |set:max-unknown-connections-per-ip|
    <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip>
    is now handled by the new module |max-unknown-connections-per-ip|.
    This module is loaded by default as well, no changes needed in your
    configuration file.
  * Upgrade shipped PCRE2 to 10.41, curl-ca-bundle to 2022-10-11, on
    Windows LibreSSL to 3.6.1 and cURL to 7.86.0.
  * After people do a major upgrade on their Linux distro, UnrealIRCd
    may no longer start due to an |error while loading shared
    libraries|. We now print a more helpful message and link to the new
    FAQ entry <https://www.unrealircd.org/docs/FAQ#shared-library-error>
    about it.
  * When timing out on the authprompt
    <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt>
    module, the error (quit message) is now |Account required to
    connect| instead of the generic |Registration timeout|.


      Fixes:

  * Crash when linking. This requires a certain sequence of events:
    first a server is linked in successfully, then we need to REHASH,
    and then a new link attempt has to come in with the same server name
    (for example because there is a network issue and the old link has
    not timed out yet). If all that happens, then an UnreaIRCd 6 server
    may crash, but not always.
  * Warning message about moddata creationtime when linking.
  * Snomask |+j| <https://www.unrealircd.org/docs/Snomasks> was not
    showing remote joins, even though it did show remote parts and kicks.
  * Leak of 1 file descriptor per /REHASH (the control socket).
  * Ban letters showing up twice in 005 EXTBAN=
  * Setting set::authentication-prompt::enabled
    <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt>
    to |no| was ignored. The default is still |yes|.


      Developers and protocol:

  * Add |CALL_CMD_FUNC(cmd_func_name)| for calling commands in the same
    module, see this commit
    <https://github.com/unrealircd/unrealircd/commit/dc55c3ec9f19e5ed284e5a786f646d0e6bb60ef9>.
    Benefit of this is that it will keep working if we ever change
    command paramters.
  * Add |CALL_NEXT_COMMAND_OVERRIDE()| which can be used instead of
    |CallCommandOverride()|, see also this commit
    <https://github.com/unrealircd/unrealircd/commit/4e5598b6cf0986095f757f31a2540b03e4d235dc>.
    This too, will keep working if we ever change command parameters.
  * During loading and rehash we now set |loop.config_status| to one of
    |CONFIG_STATUS_*| so modules (and core) can see at what step we are
    during configuration file and module processing.
  * New RPC API. See the |src/modules/rpc/| directory for examples.
  * New function |get_nvplist(NameValuePrioList *list, const char *name)|

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.5-rc1 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The release candidate for 6.0.5 is now available for testing. You can 
help us by testing and reporting any issues at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>.

This release adds experimental JSON-RPC support which can be used by a 
web panel or other interface (this is work in progress). There's a new 
TLINE command to test *LINES, useful for e.g. /TLINE ~C:NL. Logging to 
files has been improved and some other enhancements. One notable change 
is that by default we now require TLSv1.2 (or higher) for IRC clients 
and a modern cipher. This should be no problem for clients using any 
reasonably new SSL/TLS library (from 2014 or later). Another notable 
change is that servers with websockets now also need to load the 
"webserver" module. Full release notes with all details are below.

Also a correction: in the release notes of 6.0.4.2 from 2 weeks ago it 
was claimed that a crash with server linking was fixed. Unfortunately 
the actual fix was not included (my mistake). The fix is included in 
this 6.0.5-rc1 and will be in 6.0.5. Since the crash only affects a 
limited number of people there is not another 6.0.4.x release planned to 
rectify this, especially since 6.0.5 stable will be released in the next 
3-6 weeks.


      Enhancements:

  * Internally the websocket module has been split up into 3 modules:
    |websocket_common|, |webserver| and |websocket|. The
    |websocket_common| one is loaded by default via
    modules.default.conf, the other two are not.
    *Important:* if you use websockets then you need to load two modules
    now (instead of only one):

    |loadmodule "websocket"; loadmodule "webserver"; |

  * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> API for
    UnrealIRCd. This is work in progress.
  * New |TLINE| command to test *LINEs. This can be especially useful
    for checking how many people match an extended server ban
    <https://www.unrealircd.org/docs/Extended_server_bans> such as
    |TLINE ~C:NL|
  * Logging to a file <https://www.unrealircd.org/docs/Log_block> now
    creates a directory structure if needed.
      o You could already use:

        |log { source { !debug; all; } destination { file
        "ircd.%Y-%m-%d.log"; } } |

      o But now you can also use:

        |log { source { !debug; all; } destination { file
        "%Y-%m-%d/ircd.log"; } } |

        This is especially useful if you output to multiple log files
        and then want them grouped by date in a directory.
  * When an IRCOp is outside the channel and does |MODE #channel| they
    will now get to see the mode parameters too. This depends on the
    |channel:see:mode:remote| operclass permission
    <https://www.unrealircd.org/docs/Operclass_permissions> which all
    IRCOps have by default if you use the default operclasses.
  * Add additional variables in blacklist::reason
    <https://www.unrealircd.org/docs/Blacklist_block>:
      o |$blacklist|: name of the blacklist block
      o |$dnsname|: the blacklist::dns::name
      o |$dnsreply|: the DNS reply code
  * Resolved technical issue so opers can |REHASH| from Websocket
    connections <https://www.unrealircd.org/docs/WebSocket_support>.
  * In the TLD block <https://www.unrealircd.org/docs/Tld_block> the use
    of |tld::motd| and |tld::rules| is now optional.


      Changes:

  * SSL/TLS: By default we now require TLSv1.2 or later and a modern
    cipher with forward secrecy. Otherwise the connection is refused.
      o Since UnrealIRCd 4.2.2 (March 2019) users see an on-connect
        notice with a warning when they use an outdated TLS protocol or
        cipher that does not meet these requirements.
      o This move also reflects the phase out of TLSv1.2 that happened
        in browsers in 2020/2021.
      o In practice on the client-side this requires at least:
          + OpenSSL 1.0.1 (released in 2012)
          + GnuTLS 3.2.6 (2013)
          + Android 4.4.2 (2013)
          + Or presumably any other SSL/TLS library that is not 9+ years old
      o If you want to revert back to the previous less secure settings,
        then look under ''Previous less secure setting'' in TLS Ciphers
        and protocols
        <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols>.
  * The code for handling |set::anti-flood::everyone::connect-flood|
    <https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood>
    is now in its own module |connect-flood|. This module is loaded by
    default, no changes needed in your configuration file.
  * Similarly, |set:max-unknown-connections-per-ip|
    <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip>
    is now handled by the new module |max-unknown-connections-per-ip|.
    This module is loaded by default as well, no changes needed in your
    configuration file.
  * Shipped PCRE2 library is now 10.41, curl-ca-bundle is now
    2022-10-11, also LibreSSL has been updated in the Windows build


      Fixes:

  * Fix crash when linking. This requires a certain sequence of events:
    first a server is linked in successfully, then we need to REHASH,
    and then a new link attempt has to come in with the same server name
    (for example because there is a network issue and the old link has
    not timed out yet). If all that happens, then an UnreaIRCd 6 server
    may crash, but not always.
  * Snomask |+j| <https://www.unrealircd.org/docs/Snomasks> was not
    showing remote joins, even though it did show remote parts and kicks.


      Developers and protocol:

  * Add |CALL_CMD_FUNC(cmd_func_name)| for calling commands in the same
    module, see this commit
    <https://github.com/unrealircd/unrealircd/commit/dc55c3ec9f19e5ed284e5a786f646d0e6bb60ef9>.
    Benefit of this is that it will keep working if we ever change
    command paramters.
  * Add |CALL_NEXT_COMMAND_OVERRIDE()| which can be used instead of
    |CallCommandOverride()|, see also this commit
    <https://github.com/unrealircd/unrealircd/commit/4e5598b6cf0986095f757f31a2540b03e4d235dc>.
    This too, will keep working if we ever change command parameters.
  * During loading and rehash we now set |loop.config_status| to one of
    |CONFIG_STATUS_*| so modules (and core) can see at what step we are
    during configuration file and module processing.
  * New RPC API. See the |src/modules/rpc/| directory for examples.
  * New function |get_nvplist(NameValuePrioList *list, const char *name)|

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.4.2 released

[Bram M. <sy...@un...>]

Hi everyone,

UnrealIRCd 6.0.5 is not ready yet, it is scheduled for Dec 2022 / Jan 
2023 (with one or more RC's before that).

So, in the meantime we have released a small update today, UnrealIRCd 
6.0.4.2:

  * Fix crash when linking. This requires a certain sequence of events:
    first a server is linked in successfully, then we need to REHASH,
    and then a new link attempt has to come in with the same server name
    (for example because there is a network issue and the old link has
    not timed out yet). If all that happens, then an UnreaIRCd 6 server
    may crash, but not always.
  * Two IRCv3 specifications were ratified which we already supported as
    drafts:
      o Change CAP draft/extended-monitor to extended-monitor
      o Add message-tag bot next to existing (for now) draft/bot
  * Update Turkish translations

You can download UnrealIRCd from https://www.unrealircd.org/

Note for developers / git users: Like most dot releases of UnrealIRCd, 
this dot-release does not exist in git. It cherry picks a number of 
commits from 6.0.5 in git, bumps the version, and adds the release notes.

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.4.1 released

[Bram M. <sy...@un...>]

Hi everyone,

Today we released a small update to fix two issues in UnrealIRCd 6.0.x.
We only suggest upgrading if you are impacted by these problems. Most 
users will probably not upgrade and wait for 6.0.5 later this year.

  * Fix sporadic crash when linking a server (after successful
    authentication).
    This feels like a compiler bug. It affected only some people with
    GCC and only in some situations.
    When compiled with clang there was no problem. Hopefully we can work
    around it this way.
  * Make /INVITE bypass (nearly) all channel mode restrictions, as it
    used to be in UnrealIRCd 5.x. Both for invites by channel ops and
    for OperOverride.
    This also fixes a bug where an IRCOp with OperOverride could not
    bypass +l (limit) and other restrictions and would have to resort
    back to using MODE or SAMODE. Only +b and +i could be bypassed via
    INVITE OperOverride.

You can download UnrealIRCd from https://www.unrealircd.org/

Note for developers / git users: Like most dot releases of UnrealIRCd, 
this dot-release does not exist in git. It cherry picks commits 
0e6fc07bd9000ecc463577892cf2195a670de4be and 
0d139c6e7c268e31ca8a4c9fc5cb7bfeb4f56831 from 6.0.5 in git, bumps the 
version, and adds the release notes.

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

Looking for webdevs to make an UnrealIRCd webpanel

[Bram M. <sy...@un...>]

Hi everyone,

As a one-time exception, not a release announcement, but a request for 
help on a new part we would like to see developed:

We are envisioning an "admin panel" where IRCOps would be able to do a 
number of server tasks, starting with:

  * Status overview / dashboard
  * Spamfilter and *LINE management: that would be a lot easier via the
    web than on IRC

These two things would already be a great start. Naturally more can be 
added, i'm sure there are lots of ideas.

The admin panel would be installed on a (web)server and would connect to 
UnrealIRCd using the new JSON-RPC API 
<https://www.unrealircd.org/docs/JSON-RPC> that is currently being 
developed. It does not have to run on the same machine as UnrealIRCd.

We are looking for webdevs who would like to help out on the HTML/CSS 
and the coding-side. Do you have experience with web development and do 
you have time this summer to work on this? If you do, what would you 
prefer/suggest?

  * Which language/environment to use? PHP? NodeJS? Python?
  * Which coding framework should be used? Eg in case of PHP: Laravel,
    Symphony, ..? In case of JS/python... what?
  * Which CSS/front end framework to use? Eg Bootstrap?

Most of the UnrealIRCd devs are backend coders with less experience on 
webdev/frontend. For us it would be relatively easy to make a 
quick-and-dirty PHP-without-famework non-AJAX "proof of concept" that is 
ugly and hard to extend. That is not what we are after. The idea is to 
have clean code that stays maintainable on the long run. We would like 
to hear who would like to work on this and what choices should be made.
On our side we can help with getting people together, hosting it as an 
official (sub)project and exchanging ideas. On the technical side we can 
provide the right API calls and options in UnrealIRCd.

We have created a new channel *#unreal-webpanel* on irc.unrealircd.org 
(IRC TLS on port 6697) that we can use for the discussion. Or you can 
reply on the forum thread 
<https://forums.unrealircd.org/viewtopic.php?t=9195>.

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.4 released

[Bram M. <sy...@un...>]

Hi everyone,

I'm happy to announce UnrealIRCd 6.0.4 (stable). This release comes with 
lots of features and enhancements. In particular, security groups and 
mask items now allow you to write cleaner and more flexible 
configuration files. There are also JSON logging enhancements and 
several bug fixes. Thanks a lot to everyone who tested the release 
candidates!


      Enhancements:

  * Show security groups in |WHOIS|
  * The security-group block
    <https://www.unrealircd.org/docs/Security-group_block> has been
    expanded and the same functionality is now available in mask items
    <https://www.unrealircd.org/docs/Mask_item> too:
      o This means the existing options like |identified|, |webirc|,
        |tls| and |reputation-score| can be used in |allow::mask| etc.
      o New options (in both security-group and mask) are:
          + |connect-time|: time a user is connected to IRC
          + |security-group|: to check another security group
          + |account|: services account name
          + |country|: country code, as found by GeoIP
          + |realname|: realname (gecos) of the user
          + |certfp|: certificate fingerprint
      o Every option also has an exclude- variant, eg.
        |exclude-country|. If a user matches any |exclude-| option then
        it is considered not a match.
      o The modules connthrottle
        <https://www.unrealircd.org/docs/Connthrottle>,
        restrict-commands
        <https://www.unrealircd.org/docs/Set_block#set::restrict-commands>
        and antirandom
        <https://www.unrealircd.org/docs/Set_block#set::antirandom> now
        use the new |except| sub-block which is a mask item. The old
        syntax (eg |set::antirandom::except-webirc|) is still accepted
        by UnrealIRCd and converted to the appropriate new setting
        behind the scenes (|set::antirandom::except::webirc|).
      o The modules blacklist
        <https://www.unrealircd.org/docs/Blacklist_block> and
        antimixedutf8
        <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8>
        now also support the |except| block (a mask item).
      o Other than that the extended functionality is available in these
        blocks: |allow|, |oper|, |tld|, |vhost|, |deny channel|, |allow
        channel|.
      o Example of direct use in a ::mask item:

        |/* Spanish MOTD for Spanish speaking countries */ tld { mask {
        country { ES; AR; BO; CL; CO; CR; DO; EC; SV; GT; HN; MX; NI;
        PA; PY; PE; PR; UY; VE; } } motd "motd.es.txt"; rules
        "rules.es.txt"; } |

      o Example of defining a security group and using it in a mask item
        later:

        |security-group irccloud { mask { ip1; ip2; ip3; ip4; } } allow
        { mask { security-group irccloud; } class clients; maxperip 128;
        } except ban { mask { security-group irccloud; } type {
        blacklist; connect-flood; handshake-data-flood; } } |

  * Because the mask item is so powerful now, the |password| in the oper
    block <https://www.unrealircd.org/docs/Oper_block> is optional now.
  * We now support oper::auto-login, which means the user will become
    IRCOp automatically if they match the conditions on-connect. This
    can be used in combination with certificate fingerprint
    <https://www.unrealircd.org/docs/Certificate_fingerprint>
    authentication for example:

    |security-group Syzop { certfp "1234etc."; } oper Syzop { auto-login
    yes; mask { security-group Syzop; } operclass
    netadmin-with-override; class opers; } except ban { mask {
    security-group Syzop; } type all; } |

  * For JSON logging <https://www.unrealircd.org/docs/JSON_logging> a
    number of fields were added when a client is expanded:
      o |geoip|: with subitem |country_code| (eg. |NL|)
      o |tls|: with subitems |cipher| and |certfp|
      o Under subitem |users|:
          + |vhost|: if the visible host differs from the realhost then
            this is set (thus for both vhost and cloaked host)
          + |cloakedhost|: this is always set (except for eg. services
            users), even if the user is not cloaked so you can easily
            search on a cloaked host.
          + |idle_since|: last time the user has spoken (local clients only)
          + |channels|: list of channels (array), with a maximum of 384
            chars.
  * The JSON logging now also strips ASCII below 32, so color- and
    control codes.
  * Support IRCv3 |+draft/channel-context|
  * Add |example.es.conf| (Spanish example configuration file)
  * The country of users is now communicated in the message-tag
    <https://www.unrealircd.org/docs/Message_tags>
    |unrealircd.org/geoip| (only to IRCOps).
  * Add support for linking servers via UNIX domain sockets
    (|link::outgoing::file|).


      Fixes:

  * Crash in |except ban| with |~security-group:xyz|
  * Crash if hideserver module was loaded but |LINKS| was not blocked.
  * Crash on Windows when using the "Rehash" GUI option.
  * Infinite loop if one security-group referred to another.
  * Duplicate entries in the |+beI| lists of |+P| channels.
  * Regular users were able to -o a service bot (that has umode +S)
  * Module manager did not stop on compile error
  * |set::modes-on-join|
    <https://www.unrealircd.org/docs/Set_block#set::modes-on-join> did
    not work with |+f| + timed bans properly, eg |[3t#b1]:10|
  * Several log messages were missing some information.
  * Reputation syncing across servers had a small glitch. Fix is mostly
    useful for servers that were not linked to the network for days or
    weeks.


      Changes:

  * Clarified that UnrealIRCd is licensed as "GPLv2 or later"
  * Fix use of variables in |set::reject-message|
    <https://www.unrealircd.org/docs/Set_block#set::reject-message> and
    in |blacklist::reason|
    <https://www.unrealircd.org/docs/Blacklist_block>: previously short
    forms of variables were (unintentionally) expanded as well, such as
    |$serv| for |$server|. This is no longer supported, you need to use
    the correct full variable names.


      Developers and protocol:

  * The |creationtime| is now communicated of users. Until now this
    information was only known locally (the thing that was communicated
    that came close was "last nick change" but that is not the same).
    This is synced via (early) moddata across servers. Module coders can
    use |get_connected_time()|.
  * The |RPL_HOSTHIDDEN| is now sent from |userhost_changed()| so you
    don't explicitly send it yourself anymore.
  * The |SVSO| command is back, so services can make people IRCOp again.
    See |HELPOP SVSO| or the commit
    <https://github.com/unrealircd/unrealircd/commit/50e5d91c798e7d07ca0c68d9fca302a6b6610786>
    for more information.
  * Due to last change the |HOOKTYPE_LOCAL_OPER| parameters were changed.
  * Module coders can enhance the JSON logging
    <https://www.unrealircd.org/docs/JSON_logging> expansion items for
    clients and channels via new hooks like
    |HOOKTYPE_JSON_EXPAND_CLIENT|. This is used by the geoip and tls
    modules.

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.4-rc2 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second release candidate for 6.0.4 is now available for testing. You 
can help us by testing and reporting any issues at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>.

Compared to 6.0.4-rc1, this rc2 adds an oper autologin feature (see near 
the end under /Enhancements/), fixes set::restrict-commands not working, 
fixes for security-group for account and CIDR, fix multiline log 
messages being cut, fix Ubuntu 22.04 compile problem and fix +H not 
working on set::modes-on-join. Also update various example.*conf files.


      Enhancements:

  * Show security groups in |WHOIS|
  * The security-group block
    <https://www.unrealircd.org/docs/Security-group_block> has been
    expanded and the same functionality is now available in mask items
    <https://www.unrealircd.org/docs/Mask_item> too:
      o This means the existing options like |identified|, |webirc|,
        |tls| and |reputation-score| can be used in |allow::mask| etc.
      o New options (in both security-group and mask) are:
          + |connect-time|: time a user is connected to IRC
          + |security-group|: to check another security group
          + |account|: services account name
          + |country|: country code, as found by GeoIP
          + |realname|: realname (gecos) of the user
          + |certfp|: certificate fingerprint
      o Every option also has an exclude- variant, eg.
        |exclude-country|. If a user matches any |exclude-| option then
        it is considered not a match.
      o The modules connthrottle
        <https://www.unrealircd.org/docs/Connthrottle>,
        restrict-commands
        <https://www.unrealircd.org/docs/Set_block#set::restrict-commands>
        and antirandom
        <https://www.unrealircd.org/docs/Set_block#set::antirandom> now
        use the new |except| sub-block which is a mask item. The old
        syntax (eg |set::antirandom::except-webirc|) is still accepted
        by UnrealIRCd and converted to the appropriate new setting
        behind the scenes (|set::antirandom::except::webirc|).
      o The modules blacklist
        <https://www.unrealircd.org/docs/Blacklist_block> and
        antimixedutf8
        <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8>
        now also support the |except| block (a mask item).
      o Other than that the extended functionality is available in these
        blocks: |allow|, |oper|, |tld|, |vhost|, |deny channel|, |allow
        channel|.
      o Example of direct use in a ::mask item:

        |/* Spanish MOTD for Spanish speaking countries */ tld { mask {
        country { ES; AR; BO; CL; CO; CR; DO; EC; SV; GT; HN; MX; NI;
        PA; PY; PE; PR; UY; VE; } } motd "motd.es.txt"; rules
        "rules.es.txt"; } |

      o Example of defining a security group and using it in a mask item
        later:

        |security-group irccloud { mask { ip1; ip2; ip3; ip4; } } allow
        { mask { security-group irccloud; } class clients; maxperip 128;
        } except ban { mask { security-group irccloud; } type {
        blacklist; connect-flood; handshake-data-flood; } } |

  * Because the mask item is so powerful now, the |password| in the oper
    block <https://www.unrealircd.org/docs/Oper_block> is optional now.
  * We now support oper::auto-login, which means the user will become
    IRCOp automatically if they match the conditions on-connect. This
    can be used in combination with certificate fingerprint
    <https://www.unrealircd.org/docs/Certificate_fingerprint>
    authentication for example:

    |security-group Syzop { mask { certfp "1234etc."; } } oper Syzop {
    auto-login yes; mask { security-group Syzop; } operclass
    netadmin-with-override; class opers; } except ban { mask {
    security-group Syzop; } type all; } |

  * For JSON logging <https://www.unrealircd.org/docs/JSON_logging> a
    number of fields were added when a client is expanded:
      o |geoip|: with subitem |country_code| (eg. |NL|)
      o |tls|: with subitems |cipher| and |certfp|
      o Under subitem |users|:
          + |vhost|: if the visible host differs from the realhost then
            this is set (thus for both vhost and cloaked host)
          + |cloakedhost|: this is always set (except for eg. services
            users), even if the user is not cloaked so you can easily
            search on a cloaked host.
          + |idle_since|: last time the user has spoken (local clients only)
          + |channels|: list of channels (array), with a maximum of 384
            chars.
  * The JSON logging now also strips ASCII below 32, so color- and
    control codes.
  * Support IRCv3 |+draft/channel-context|
  * Add |example.es.conf| (Spanish example configuration file)
  * The country of users is now communicated in the message-tag
    <https://www.unrealircd.org/docs/Message_tags>
    |unrealircd.org/geoip| (only to IRCOps).
  * Add support for linking servers via UNIX domain sockets
    (|link::outgoing::file|).


      Fixes:

  * Crash in |except ban| with |~security-group:xyz|
  * Crash if hideserver module was loaded but |LINKS| was not blocked.
  * Crash on Windows when using the "Rehash" GUI option.
  * Infinite loop if one security-group referred to another.
  * Duplicate entries in the |+beI| lists of |+P| channels.
  * Module manager did not stop on compile error
  * |set::modes-on-join|
    <https://www.unrealircd.org/docs/Set_block#set::modes-on-join> did
    not work with |+f| + timed bans properly, eg |[3t#b1]:10|
  * Several log messages were missing some information.
  * Reputation syncing across servers had a small glitch. Fix is mostly
    useful for servers that were not linked to the network for days or
    weeks.


      Changes:

  * Clarified that UnrealIRCd is licensed as "GPLv2 or later"


      Developers and protocol:

  * The |creationtime| is now communicated of users. Until now this
    information was only known locally (the thing that was communicated
    that came close was "last nick change" but that is not the same).
    This is synced via (early) moddata across servers. Module coders can
    use |get_connected_time()|.
  * The |RPL_HOSTHIDDEN| is now sent from |userhost_changed()| so you
    don't explicitly send it yourself anymore.
  * The |SVSO| command is back, so services can make people IRCOp again.
    See |HELPOP SVSO| or the commit
    <https://github.com/unrealircd/unrealircd/commit/50e5d91c798e7d07ca0c68d9fca302a6b6610786>
    for more information.
  * Due to last change the |HOOKTYPE_LOCAL_OPER| parameters were changed.
  * Module coders can enhance the JSON logging
    <https://www.unrealircd.org/docs/JSON_logging> expansion items for
    clients and channels via new hooks like
    |HOOKTYPE_JSON_EXPAND_CLIENT|. This is used by the geoip and tls
    modules.

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.4-rc1 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The release candidate for 6.0.4 is now available for testing. You can 
help us by testing and reporting any issues at 
https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>.


      Enhancements:

  * Show security groups in |WHOIS|
  * The security-group block
    <https://www.unrealircd.org/docs/Security-group_block> has been
    expanded and the same functionality is now available in mask items
    <https://www.unrealircd.org/docs/Mask_item> too:
      o This means the existing options like |identified|, |webirc|,
        |tls| and |reputation-score| can be used in |allow::mask| etc.
      o New options (in both security-group and mask) are:
          + |connect-time|: time a user is connected to IRC
          + |security-group|: to check another security group
          + |account|: services account name
          + |country|: country code, as found by GeoIP
          + |realname|: realname (gecos) of the user
          + |certfp|: certificate fingerprint
      o Every option also has an exclude- variant, eg.
        |exclude-country|. If a user matches any |exclude-| option then
        it is considered not a match.
      o The modules connthrottle
        <https://www.unrealircd.org/docs/Connthrottle>,
        restrict-commands
        <https://www.unrealircd.org/docs/Set_block#set::restrict-commands>
        and antirandom
        <https://www.unrealircd.org/docs/Set_block#set::antirandom> now
        use the new |except| sub-block which is a mask item. The old
        syntax (eg |set::antirandom::except-webirc|) is still accepted
        by UnrealIRCd and converted to the appropriate new setting
        behind the scenes (|set::antirandom::except::webirc|).
      o The modules blacklist
        <https://www.unrealircd.org/docs/Blacklist_block> and
        antimixedutf8
        <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8>
        now also support the |except| block (a mask item).
      o Other than that the extended functionality is available in these
        blocks: |allow|, |oper|, |tld|, |vhost|, |deny channel|, |allow
        channel|.
      o Example of direct use in a ::mask item:

        |/* Spanish MOTD for Spanish speaking countries */ tld { mask {
        country { ES; AR; BO; CL; CO; CR; DO; EC; SV; GT; HN; MX; NI;
        PA; PY; PE; PR; UY; VE; } } motd "motd.es.txt"; rules
        "rules.es.txt"; } |

      o Example of defining a security group and using it in a mask item
        later:

        |security-group irccloud { mask { ip1; ip2; ip3; ip4; } } allow
        { mask { security-group irccloud; } class clients; maxperip 128;
        } except ban { mask { security-group irccloud; } type {
        blacklist; connect-flood; handshake-data-flood; } } |

  * For JSON logging <https://www.unrealircd.org/docs/JSON_logging> a
    number of fields were added when a client is expanded:
      o |geoip|: with subitem |country_code| (eg. |NL|)
      o |tls|: with subitems |cipher| and |certfp|
      o Under subitem |users|:
          + |vhost|: if the visible host differs from the realhost then
            this is set (thus for both vhost and cloaked host)
          + |cloakedhost|: this is always set (except for eg. services
            users), even if the user is not cloaked so you can easily
            search on a cloaked host.
          + |idle_since|: last time the user has spoken (local clients only)
          + |channels|: list of channels (array), with a maximum of 384
            chars.
  * The JSON logging now also strips ASCII below 32, so color- and
    control codes.
  * Support IRCv3 |+draft/channel-context|
  * Add |example.es.conf| (Spanish example configuration file)
  * The country of users is now communicated in the message-tag
    <https://www.unrealircd.org/docs/Message_tags>
    |unrealircd.org/geoip| (only to IRCOps).
  * Add support for linking servers via UNIX domain sockets
    (|link::outgoing::file|).


      Fixes:

  * Crash in |except ban| with |~security-group:xyz|
  * Crash if hideserver module was loaded but |LINKS| was not blocked.
  * Crash on Windows when using the "Rehash" GUI option.
  * Infinite loop if one security-group referred to another.
  * Duplicate entries in the |+beI| lists of |+P| channels.
  * Module manager did not stop on compile error
  * |set::modes-on-join|
    <https://www.unrealircd.org/docs/Set_block#set::modes-on-join> did
    not work with |+f| + timed bans properly, eg |[3t#b1]:10|
  * Several log messages were missing some information.
  * Reputation syncing across servers had a small glitch. Fix is mostly
    useful for servers that were not linked to the network for days or
    weeks.


      Changes:

  * Clarified that UnrealIRCd is licensed as "GPLv2 or later"


      Developers and protocol:

  * The |creationtime| is now communicated of users. Until now this
    information was only known locally (the thing that was communicated
    that came close was "last nick change" but that is not the same).
    This is synced via (early) moddata across servers. Module coders can
    use |get_connected_time()|.
  * The |RPL_HOSTHIDDEN| is now sent from |userhost_changed()| so you
    don't explicitly send it yourself anymore.
  * Module coders can enhance the JSON logging
    <https://www.unrealircd.org/docs/JSON_logging> expansion items for
    clients and channels via new hooks like
    |HOOKTYPE_JSON_EXPAND_CLIENT|. This is used by the geoip and tls
    modules.

You can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 6.0.3 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

A number of serious issues were discovered in UnrealIRCd 6. We recommend 
everyone who is running UnrealIRCd 6 to upgrade to 6.0.3.
Among the issues fixed is an issue which will likely crash the IRCd 
sooner or later if you /REHASH with any active clients connected. Read 
the UnrealIRCd 6.0.3 release notes 
<https://github.com/unrealircd/unrealircd/blob/cedd23ae9cdd5985ce16e9869cbdb808479c3fc4/doc/RELEASE-NOTES.md#unrealircd-603> 
for more details and the full list of changes.

If you are not using UnrealIRCd 6 yet and want to migrate from 5.x to 
6.x, then check out the general item What's new in UnrealIRCd 6 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_6> and 
Upgrading from 5.x <https://www.unrealircd.org/docs/Upgrading_from_5.x>. 
Note that UnrealIRCd 5.2.x is still supported 
<https://www.unrealircd.org/docs/UnrealIRCd_5_EOL> at this time, but no 
new features are added to it anymore.

As always, you can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6