unreal-notify Mailing List for UnrealIRCd (Page 2)
Status: Beta
Brought to you by:
wildchild
From: Bram M. <sy...@un...> - 2023-06-16 16:29:30
Hi everyone,

Just a small note: I just released 6.1.1.1 to fix a small bug in 6.1.1 that is rather specific and probably only affects 1-2% of users, but still: If a WEBIRC gateway was on IPv6 and was introducing/spoofing an IPv4 user then the maxperip handling would be incorrect and would also cause a small memory leak. The same is the case for if the WEBIRC gateway was on IPv4 and it was introducing/spoofing an IPv6 user.

I decided to release a 6.1.1.1 immediately so new installations from this point won't be affected by this bug. Of the 100 people who downloaded 6.1.1 already only 1 complained. The bug is very visible with a BUG_DECREASE_IPUSERS_BUCKET IRCOp notice when affected user(s) quit so it is hard to miss.

My advice: if you already installed 6.1.1 then only upgrade from 6.1.1 to 6.1.1.1 if this issue really affects you. Otherwise, don't bother.

The original 6.1.1 announcement is below:

I'm happy to announce the release of UnrealIRCd 6.1.1 stable.

This release comes with various bug fixes and performance improvements, especially for channels with thousands of users. It also has more options to override settings per security group, for example if you want to give trusted users or bots more rights or higher flood rates than regular users. All these options are now in a single Special users <https://www.unrealircd.org/docs/Special_users> article on the wiki. Other notable features are showing better connection errors to SSL/TLS users and a new proxy { } block for websocket reverse proxies.

See the full release notes below. As usual on *NIX you can upgrade easily with the command:

    ./unrealircd upgrade

Reminder: UnrealIRCd 5 is no longer supported <https://www.unrealircd.org/docs/UnrealIRCd_5_EOL> after July 1, 2023. Admins should upgrade to UnrealIRCd 6.

Enhancements:

* Two new features that are conditionally on:
    o SSL/TLS users will now correctly receive the error message if they are rejected due to throttling (connect-flood) and some other situations.
    o DNS lookups are done before throttling. This allows exempting a hostname from both maxperip and connect-flood restrictions. A good example for IRCCloud would be:

          except ban {
              mask *.irccloud.com;
              type { maxperip; connect-flood; }
          }

    o Both features are temporarily disabled whenever a high rate of connection attempts <https://www.unrealircd.org/docs/FAQ#hi-conn-rate> is detected, to save CPU and other resources during such an attack. The default rate is 1000 per second, so this would be unusual to trigger accidentally.
* It is now possible to override some set settings <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group> per-security group by having a set block with a name, like set unknown-users { }
    o You could use this to set more limitations for unknown-users:

          set unknown-users {
              max-channels-per-user 5;
              static-quit "Quit";
              static-part yes;
          }

    o Or to set higher values (higher than the normal set block) for trusted users:

          security-group trusted-bots {
              account { BotOne; BotTwo; }
          }
          set trusted-bots {
              max-channels-per-user 25;
          }

    o Currently the following settings can be used in a set xxx { } block: set::auto-join, set::modes-on-connect, set::restrict-usermodes, set::max-channels-per-user, set::static-quit, set::static-part.
    o See also Special users <https://www.unrealircd.org/docs/Special_users> in the documentation for applying settings to a security group.
* New |proxy { }| block <https://www.unrealircd.org/docs/Proxy_block> that can be used for spoofing IP addresses when:
    o Reverse proxying websocket connections (eg. via NGINX, a load balancer or other reverse proxy)
    o WEBIRC/CGI:IRC gateways. This will replace the old |webirc { }| block in the future, though the old one will still work for now.
* New setting set::handshake-boot-delay <https://www.unrealircd.org/docs/Set_block#set%3A%3Ahandshake-boot-delay> which allows server linking autoconnects to kick in (and incoming servers on serversonly ports), before allowing clients in. This potentially avoids part of the mess when initially linking on-boot. This option is not turned on by default, you have to set it explicitly.
    o This is not a useful feature on hubs, as they don't have clients.
    o It can be useful on client servers, if you |autoconnect| to your hub.
    o If you connect services to a server with clients this can be useful as well, especially in single-server setups. You would have to set a low |retrywait| in your anope conf (or similar services package) of like |5s| instead of the default |60s|. Then after an IRCd restart, your services link in before your clients and your IRC users have SASL available straight from the start.
* JSON-RPC:
    o New call |log.list| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.list> to fetch past 1000 log entries. This functionality is only loaded if you include |rpc.modules.default.conf|, so not wasting any memory on servers that are not used for JSON-RPC.

Changes:

* set::topic-setter <https://www.unrealircd.org/docs/Set_block#set::topic-setter> and set::ban-setter <https://www.unrealircd.org/docs/Set_block#set::ban-setter> are now by default set to |nick-user-host| instead of |nick|, so you can see the full nick!user@host of who set the topic/ban/exempt/invex.
* You can no longer (accidentally) load an old |modules.default.conf|. People must always use the shipped version of this file as the file VERY clearly says in the beginning (see also that file for instructions on how to deal with customizations). People run into lots of (strange) problems, not only missing nice new functionality, but also Services not working because the svslogin module is not loaded, etc. Usually mistakes with an old modules.default.conf are not deliberate, like a cp *.conf of an old installation, so this error should be helpful for those users (who otherwise tend to bang their head for hours).
* Some small DNS performance improvements:
    o We now 'negatively cache' unresolved hosts for 60 seconds.
    o The maximum number of cached records (positive and negative) was raised to 4096.
    o We no longer use "search domains" to avoid silly lookups for like |4.3.2.1.dnsbl.dronebl.org.mydomain.org|.
* Data buffer chunks bumped from 512 bytes to ~4K. This results in less write calls (lower CPU usage) and more data per TCP/IP packet.
* We now cache sending of lines in |sendto_channel| via a new "LineCache" system. It saves CPU on (very) large channels.
* Several other performance improvements such as checking maxperip via a hash table and faster invisibility checks for delayjoin.
* Blacklist hits are now logged globally. This means they show up in snomask |B|, are logged, and show up in the webpanel "Logs" view.
* The event |REMOTE_CLIENT_JOIN| was mass-triggered when servers were syncing. They are now hidden, like |REMOTE_CLIENT_CONNECT|.
* Update shipped libraries: c-ares to 1.19.1

Fixes:

* Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing rpc_call symbol in their libc library.
* Crash when removing a |listen { }| block for websocket or rpc (or changing the port number)
* When using the webpanel, if an IRC client tried to connect with the same IP as the webpanel server, it would often receive the error "Too many unknown connections". This only affected non-localhost connections.
* The |require module| block <https://www.unrealircd.org/docs/Require_module_block> was only checked on one side of the link, thus partially not working.

Removed:

* set::maxbanlength <https://www.unrealircd.org/docs/Set_block#set::maxbanlength> has been removed as it was not deemed useful and only confusing to users and admins.

Developers and protocol:

* Server to server lines can now be 16384 bytes in size when |PROTOCTL BIGLINES| is set. This will allow us to do things more efficiently and possibly raise some other limits in the future. This 16k is the size of the complete line, including sender, message tags, content and \r\n. Also, in server-to-server traffic we now allow 30 parameters (MAXPARA*2). The original input size limits for non-servers remain the same: the complete line can be 4k+512, with the non-mtag portion limit set at 512 bytes (including \r\n), and MAXPARA is still 15 as well.
* In command handlers, individual |parv[]| elements can be 510 bytes max, even if they add up like parv[1] and parv[2] both being 510 bytes each. If you need more than that, then you need to set the flag |CMD_BIGLINES| in |CommandAdd()|, then an individual parameter can be near ~16k. This is so, because a lot of the code does not expect parameters bigger than 512 bytes (but can still handle the total of parameters being greater than 512). The new flag allows gradually opting in commands to allow bigger parameters, after such code has been checked and modified to handle it.

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2023-06-14 07:57:16
Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.1 stable.

This release comes with various bug fixes and performance improvements, especially for channels with thousands of users. It also has more options to override settings per security group, for example if you want to give trusted users or bots more rights or higher flood rates than regular users. All these options are now in a single Special users <https://www.unrealircd.org/docs/Special_users> article on the wiki. Other notable features are showing better connection errors to SSL/TLS users and a new proxy { } block for websocket reverse proxies.

See the full release notes below. As usual on *NIX you can upgrade easily with the command:

    ./unrealircd upgrade

Reminder: UnrealIRCd 5 is no longer supported <https://www.unrealircd.org/docs/UnrealIRCd_5_EOL> after July 1, 2023. Admins should upgrade to UnrealIRCd 6.

Enhancements:

* Two new features that are conditionally on:
    o SSL/TLS users will now correctly receive the error message if they are rejected due to throttling (connect-flood) and some other situations.
    o DNS lookups are done before throttling. This allows exempting a hostname from both maxperip and connect-flood restrictions. A good example for IRCCloud would be:

          except ban {
              mask *.irccloud.com;
              type { maxperip; connect-flood; }
          }

    o Both features are temporarily disabled whenever a high rate of connection attempts <https://www.unrealircd.org/docs/FAQ#hi-conn-rate> is detected, to save CPU and other resources during such an attack. The default rate is 1000 per second, so this would be unusual to trigger accidentally.
* It is now possible to override some set settings <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group> per-security group by having a set block with a name, like set unknown-users { }
    o You could use this to set more limitations for unknown-users:

          set unknown-users {
              max-channels-per-user 5;
              static-quit "Quit";
              static-part yes;
          }

    o Or to set higher values (higher than the normal set block) for trusted users:

          security-group trusted-bots {
              account { BotOne; BotTwo; }
          }
          set trusted-bots {
              max-channels-per-user 25;
          }

    o Currently the following settings can be used in a set xxx { } block: set::auto-join, set::modes-on-connect, set::restrict-usermodes, set::max-channels-per-user, set::static-quit, set::static-part.
    o See also Special users <https://www.unrealircd.org/docs/Special_users> in the documentation for applying settings to a security group.
* New |proxy { }| block <https://www.unrealircd.org/docs/Proxy_block> that can be used for spoofing IP addresses when:
    o Reverse proxying websocket connections (eg. via NGINX, a load balancer or other reverse proxy)
    o WEBIRC/CGI:IRC gateways. This will replace the old |webirc { }| block in the future, though the old one will still work for now.
* New setting set::handshake-boot-delay <https://www.unrealircd.org/docs/Set_block#set%3A%3Ahandshake-boot-delay> which allows server linking autoconnects to kick in (and incoming servers on serversonly ports), before allowing clients in. This potentially avoids part of the mess when initially linking on-boot. This option is not turned on by default, you have to set it explicitly.
    o This is not a useful feature on hubs, as they don't have clients.
    o It can be useful on client servers, if you |autoconnect| to your hub.
    o If you connect services to a server with clients this can be useful as well, especially in single-server setups. You would have to set a low |retrywait| in your anope conf (or similar services package) of like |5s| instead of the default |60s|. Then after an IRCd restart, your services link in before your clients and your IRC users have SASL available straight from the start.
* JSON-RPC:
    o New call |log.list| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.list> to fetch past 1000 log entries. This functionality is only loaded if you include |rpc.modules.default.conf|, so not wasting any memory on servers that are not used for JSON-RPC.

Changes:

* set::topic-setter <https://www.unrealircd.org/docs/Set_block#set::topic-setter> and set::ban-setter <https://www.unrealircd.org/docs/Set_block#set::ban-setter> are now by default set to |nick-user-host| instead of |nick|, so you can see the full nick!user@host of who set the topic/ban/exempt/invex.
* You can no longer (accidentally) load an old |modules.default.conf|. People must always use the shipped version of this file as the file VERY clearly says in the beginning (see also that file for instructions on how to deal with customizations). People run into lots of (strange) problems, not only missing nice new functionality, but also Services not working because the svslogin module is not loaded, etc. Usually mistakes with an old modules.default.conf are not deliberate, like a cp *.conf of an old installation, so this error should be helpful for those users (who otherwise tend to bang their head for hours).
* Some small DNS performance improvements:
    o We now 'negatively cache' unresolved hosts for 60 seconds.
    o The maximum number of cached records (positive and negative) was raised to 4096.
    o We no longer use "search domains" to avoid silly lookups for like |4.3.2.1.dnsbl.dronebl.org.mydomain.org|.
* Data buffer chunks bumped from 512 bytes to ~4K. This results in less write calls (lower CPU usage) and more data per TCP/IP packet.
* We now cache sending of lines in |sendto_channel| via a new "LineCache" system. It saves CPU on (very) large channels.
* Several other performance improvements such as checking maxperip via a hash table and faster invisibility checks for delayjoin.
* Blacklist hits are now logged globally. This means they show up in snomask |B|, are logged, and show up in the webpanel "Logs" view.
* The event |REMOTE_CLIENT_JOIN| was mass-triggered when servers were syncing. They are now hidden, like |REMOTE_CLIENT_CONNECT|.
* Update shipped libraries: c-ares to 1.19.1

Fixes:

* Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing rpc_call symbol in their libc library.
* Crash when removing a |listen { }| block for websocket or rpc (or changing the port number)
* When using the webpanel, if an IRC client tried to connect with the same IP as the webpanel server, it would often receive the error "Too many unknown connections". This only affected non-localhost connections.
* The |require module| block <https://www.unrealircd.org/docs/Require_module_block> was only checked on one side of the link, thus partially not working.

Removed:

* set::maxbanlength <https://www.unrealircd.org/docs/Set_block#set::maxbanlength> has been removed as it was not deemed useful and only confusing to users and admins.

Developers and protocol:

* Server to server lines can now be 16384 bytes in size when |PROTOCTL BIGLINES| is set. This will allow us to do things more efficiently and possibly raise some other limits in the future. This 16k is the size of the complete line, including sender, message tags, content and \r\n. Also, in server-to-server traffic we now allow 30 parameters (MAXPARA*2). The original input size limits for non-servers remain the same: the complete line can be 4k+512, with the non-mtag portion limit set at 512 bytes (including \r\n), and MAXPARA is still 15 as well.
* In command handlers, individual |parv[]| elements can be 510 bytes max, even if they add up like parv[1] and parv[2] both being 510 bytes each. If you need more than that, then you need to set the flag |CMD_BIGLINES| in |CommandAdd()|, then an individual parameter can be near ~16k. This is so, because a lot of the code does not expect parameters bigger than 512 bytes (but can still handle the total of parameters being greater than 512). The new flag allows gradually opting in commands to allow bigger parameters, after such code has been checked and modified to handle it.

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2023-05-31 06:49:30
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The release candidate for 6.1.1 is now available for testing. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/.

Also some new documentation that is worth mentioning: sometimes you want to give trusted users/bots more rights than others but you don't want to make them IRCOp, the new Special users <https://www.unrealircd.org/docs/Special_users> article explains how.

Enhancements:

* Two new features that are conditionally on:
    o SSL/TLS users will now correctly receive the error message if they are rejected due to throttling (connect-flood) and some other situations.
    o DNS lookups are done before throttling. This allows exempting a hostname from both maxperip and connect-flood restrictions. A good example for IRCCloud would be:

          except ban {
              mask *.irccloud.com;
              type { maxperip; connect-flood; }
          }

    o Both features are temporarily disabled whenever a high rate of connection attempts <https://www.unrealircd.org/docs/FAQ#hi-conn-rate> is detected, to save CPU and other resources during such an attack. The default rate is 1000 per second, so this would be unusual to trigger accidentally.
* It is now possible to override some set settings per-security group by having a set block with a name, like |set unknown-users { }|
    o You could use this to set more limitations for unknown-users:

          set unknown-users {
              max-channels-per-user 5;
              static-quit "Quit";
              static-part yes;
          }

    o Or to set higher values (higher than the normal set block) for trusted users:

          security-group trusted-bots {
              account { BotOne; BotTwo; }
          }
          set trusted-bots {
              max-channels-per-user 25;
          }

    o Currently the following settings can be used in a set xxx { } block: set::auto-join, set::modes-on-connect, set::restrict-usermodes, set::max-channels-per-user, set::static-quit, set::static-part.
* New |proxy { }| block <https://www.unrealircd.org/docs/Proxy_block> that can be used for spoofing IP addresses when:
    o Reverse proxying websocket connections (eg. via NGINX, a load balancer or other reverse proxy)
    o WEBIRC/CGI:IRC gateways. This will replace the old |webirc { }| block in the future, though the old one will still work for now.
* New setting set::handshake-boot-delay <https://www.unrealircd.org/docs/Set_block#set%3A%3Ahandshake-boot-delay> which allows server linking autoconnects to kick in (and incoming servers on serversonly ports), before allowing clients in. This potentially avoids part of the mess when initially linking on-boot. This option is not turned on by default, you have to set it explicitly.
    o This is not a useful feature on hubs, as they don't have clients.
    o It can be useful on client servers, if you |autoconnect| to your hub.
    o If you connect services to a server with clients this can be useful as well, especially in single-server setups. You would have to set a low |retrywait| in your anope conf (or similar services package) of like |5s| instead of the default |60s|. Then after an IRCd restart, your services link in before your clients and your IRC users have SASL available straight from the start.
* JSON-RPC:
    o New call |log.list| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.list> to fetch past 1000 log entries. This functionality is only loaded if you include |rpc.modules.default.conf|, so not wasting any memory on servers that are not used for JSON-RPC.

Changes:

* set::topic-setter <https://www.unrealircd.org/docs/Set_block#set::topic-setter> and set::ban-setter <https://www.unrealircd.org/docs/Set_block#set::ban-setter> are now by default set to |nick-user-host| instead of |nick|, so you can see the full nick!user@host of who set the topic/ban/exempt/invex.
* You can no longer (accidentally) load an old |modules.default.conf|. People must always use the shipped version of this file as the file VERY clearly says in the beginning (see also that file for instructions on how to deal with customizations). People run into lots of (strange) problems, not only missing nice new functionality, but also Services not working because the svslogin module is not loaded, etc. Usually mistakes with an old modules.default.conf are not deliberate, like a cp *.conf of an old installation, so this error should be helpful for those users (who otherwise tend to bang their head for hours).
* Some small DNS performance improvements:
    o We now 'negatively cache' unresolved hosts for 60 seconds.
    o The maximum number of cached records (positive and negative) was raised to 4096.
    o We no longer use "search domains" to avoid silly lookups for like |4.3.2.1.dnsbl.dronebl.org.mydomain.org|.
* Data buffer chunks bumped from 512 bytes to ~4K. This results in less write calls (lower CPU usage) and more data per TCP/IP packet.
* We now cache sending of lines in |sendto_channel| via a new "LineCache" system. It saves CPU on (very) large channels.
* Several other performance improvements such as checking maxperip via a hash table and faster invisibility checks for delayjoin.
* Blacklist hits are now logged globally. This means they show up in snomask |B|, are logged, and show up in the webpanel "Logs" view.
* The event |REMOTE_CLIENT_JOIN| was mass-triggered when servers were syncing. They are now hidden, like |REMOTE_CLIENT_CONNECT|.
* Update shipped libraries: c-ares to 1.19.1

Fixes:

* Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing rpc_call symbol in their libc library.
* Crash when removing a |listen { }| block for websocket or rpc (or changing the port number)
* When using the webpanel, if an IRC client tried to connect with the same IP as the webpanel server, it would often receive the error "Too many unknown connections". This only affected non-localhost connections.
* The |require module| block <https://www.unrealircd.org/docs/Require_module_block> was only checked on one side of the link, thus partially not working.

Removed:

* set::maxbanlength <https://www.unrealircd.org/docs/Set_block#set::maxbanlength> has been removed as it was not deemed useful and only confusing to users and admins.

Developers and protocol:

* Server to server lines can now be 16384 bytes in size when |PROTOCTL BIGLINES| is set. This will allow us to do things more efficiently and possibly raise some other limits in the future. This 16k is the size of the complete line, including sender, message tags, content and \r\n. Also, in server-to-server traffic we now allow 30 parameters (MAXPARA*2). The original input size limits for non-servers remain the same: the complete line can be 4k+512, with the non-mtag portion limit set at 512 bytes (including \r\n), and MAXPARA is still 15 as well.
* In command handlers, individual |parv[]| elements can be 510 bytes max, even if they add up like parv[1] and parv[2] both being 510 bytes each. If you need more than that, then you need to set the flag |CMD_BIGLINES| in |CommandAdd()|, then an individual parameter can be near ~16k. This is so, because a lot of the code does not expect parameters bigger than 512 bytes (but can still handle the total of parameters being greater than 512). The new flag allows gradually opting in commands to allow bigger parameters, after such code has been checked and modified to handle it.

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
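
The line and parameter size limits from the "Developers and protocol" notes in the 6.1.1 announcements above, written out as a standalone validator. This is an added example, not UnrealIRCd source code: check_line(), check_constructed() and the status names are hypothetical. It assumes that a peer without BIGLINES is held to the non-server limits, that only the total size applies on a BIGLINES link, and that an oversized line is rejected rather than truncated.

```c
#include <stdio.h>
#include <string.h>

/* Limits as stated in the release notes above. */
#define CLIENT_LINE_MAX   (4096 + 512)  /* complete line from a non-server ("4k+512") */
#define CLIENT_NONTAG_MAX 512           /* non-mtag portion, including \r\n */
#define BIGLINES_LINE_MAX 16384         /* complete line on a PROTOCTL BIGLINES link */
#define MAXPARA           15            /* doubled on a BIGLINES link */
#define PARAM_MAX         510           /* one parv[] element without CMD_BIGLINES */

typedef enum {
    LINE_OK, LINE_MALFORMED, LINE_TOO_LONG, LINE_NONTAG_TOO_LONG,
    LINE_TOO_MANY_PARAMS, LINE_PARAM_TOO_LONG
} line_status;

/* Return the index just past the token starting at pos and the spaces after it. */
static size_t skip_token(const char *line, size_t pos, size_t end)
{
    while (pos < end && line[pos] != ' ') pos++;
    while (pos < end && line[pos] == ' ') pos++;
    return pos;
}

/*
 * line/len:      raw line including the trailing \r\n (need not be NUL-terminated)
 * biglines_link: peer is a server that negotiated PROTOCTL BIGLINES
 * cmd_biglines:  the command was registered with the CMD_BIGLINES flag
 * Parameters are counted after the command word (assumption of this example).
 */
line_status check_line(const char *line, size_t len, int biglines_link, int cmd_biglines)
{
    size_t total_max = biglines_link ? BIGLINES_LINE_MAX : CLIENT_LINE_MAX;
    size_t max_params = biglines_link ? MAXPARA * 2 : MAXPARA;
    size_t pos = 0, end, nparams = 0;

    if (len < 2 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return LINE_MALFORMED;
    if (len > total_max)
        return LINE_TOO_LONG;
    end = len - 2;

    if (line[0] == '@')                       /* message tags: "@k=v;k2=v2 " */
        pos = skip_token(line, 0, end);
    if (!biglines_link && len - pos > CLIENT_NONTAG_MAX)
        return LINE_NONTAG_TOO_LONG;          /* tags do not count toward the 512 */
    if (pos < end && line[pos] == ':')        /* optional sender */
        pos = skip_token(line, pos, end);
    if (pos >= end)
        return LINE_MALFORMED;                /* no command word */
    pos = skip_token(line, pos, end);         /* command */

    while (pos < end) {
        size_t start = pos;
        if (line[pos] == ':') {               /* trailing parameter takes the rest */
            start = pos + 1;
            pos = end;
        } else {
            while (pos < end && line[pos] != ' ') pos++;
        }
        if (++nparams > max_params)
            return LINE_TOO_MANY_PARAMS;
        if (pos - start > PARAM_MAX && !cmd_biglines)
            return LINE_PARAM_TOO_LONG;       /* handler has not opted in to big parameters */
        while (pos < end && line[pos] == ' ') pos++;
    }
    return LINE_OK;
}

/* Build a constructed test line: head + n1 x 'a' [+ ' ' + n2 x 'b'] + \r\n, then check it. */
line_status check_constructed(const char *head, size_t n1, size_t n2,
                              int biglines_link, int cmd_biglines)
{
    static char buf[20000];
    size_t n = strlen(head);

    if (n + n1 + n2 + 3 > sizeof(buf))
        return LINE_TOO_LONG;
    memcpy(buf, head, n);
    memset(buf + n, 'a', n1); n += n1;
    if (n2) { buf[n++] = ' '; memset(buf + n, 'b', n2); n += n2; }
    buf[n++] = '\r'; buf[n++] = '\n';
    return check_line(buf, n, biglines_link, cmd_biglines);
}

int main(void)
{
    /* Constructed sample lines; "CMD" and sender "001" are placeholders. */
    printf("client, 512-byte line:            %d\n", check_constructed("PRIVMSG #chan :", 495, 0, 0, 0));
    printf("client, 513-byte line:            %d\n", check_constructed("PRIVMSG #chan :", 496, 0, 0, 0));
    printf("biglines link, 2 x 510 params:    %d\n", check_constructed(":001 CMD ", 510, 510, 1, 0));
    printf("biglines link, 511-byte param:    %d\n", check_constructed(":001 CMD ", 511, 0, 1, 0));
    printf("same, handler with CMD_BIGLINES:  %d\n", check_constructed(":001 CMD ", 511, 0, 1, 1));
    return 0;
}
```
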
From: Bram M. <sy...@un...> - 2023-05-05 05:37:37
Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.0 stable. This is the direct successor to 6.0.7, there will be no 6.0.8.

This release contains several channel mode |+f| enhancements and introduces a new channel mode |+F| which works with flood profiles like |+F normal| and |+F strict|. It is much easier for users than the scary looking mode +f.

UnrealIRCd 6.1.0 also contains lots of JSON-RPC improvements, which is used by the UnrealIRCd admin panel <https://www.unrealircd.org/docs/UnrealIRCd_webpanel>. Live streaming of logs has been added and the webpanel now communicates to UnrealIRCd which web user issued a command (eg: who issued a kill, who changed a channel mode, ..).

Other improvements are whowasdb (persistent WHOWAS history) and a new guide on running a Tor Onion service <https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd>. The release also fixes a crash bug related to remote includes and fixes multiple memory leaks.

See the full release notes below. As usual on *NIX you can upgrade easily with the command:

    ./unrealircd upgrade

Enhancements:

* Channel flood protection improvements:
    o New channel mode |+F| <https://www.unrealircd.org/docs/Channel_anti-flood_settings> (uppercase F). This allows the user to choose a "flood profile", which (behind the scenes) translates to something similar to an |+f| mode. This so end-users can simply choose an |+F| profile without having to learn the complex channel mode |+f|.
        + For example |+F normal| effectively results in |[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15|
        + Multiple profiles are available and changing them is possible, see the documentation <https://www.unrealircd.org/docs/Channel_anti-flood_settings>.
        + Any settings in mode |+f| will override the ones of the |+F| profile. To see the effective flood settings, use |MODE #channel F|.
    o You can optionally set a default profile via set::anti-flood::channel::default-profile <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile>. This profile is used if the channel is |-F|. If the user does not want channel flood protection then they have to use an explicit |+F off|.
    o When channel mode |+f| or |+F| detect that a flood is caused by >75% of "unknown-users" <https://www.unrealircd.org/docs/Security-group_block>, the server will now set a temporary ban on |~security-group:unknown-users|. It will still set |+i| and other modes if the flood keeps on going (eg. is caused by known-users).
    o Forced nick changes (eg. by NickServ) are no longer counted in nick flood for channel mode |+f|/|+F|.
    o When a server splits on the network, we now temporarily disable +f/+F join-flood protection for 75 seconds (set::anti-flood::channel::split-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>). This because a server splitting could mean that server has network problems or has died (or restarted), in which case the clients would typically reconnect to the remaining other servers, triggering an +f/+F join-flood and channels ending up being |+i| and such. That is not good because we want +f/+F to be as effortless as possible, with as little false positives as possible.
        + If your network has 5+ servers and the user load is spread evenly among them, then you could disable this feature by setting the amount of seconds to |0|. This because in such a scenario only 1/5th (20%) of the users would reconnect and hopefully don't trigger +f/+F join floods.
    o All these features only work properly if all servers are on 6.1.0-rc1 or later.
* New module |whowasdb| (persistent |WHOWAS| history): this saves the WHOWAS history on disk periodically and when we terminate, so next server boot still has the WHOWAS history. This module is currently not loaded by default.
* New option listen::spoof-ip <https://www.unrealircd.org/docs/Listen_block#spoof-ip>, only valid when using UNIX domain sockets (so listen::file). This way you can override the IP address that users come online with when they use the socket (default was and still is |127.0.0.1|).
* Add a new guide Running Tor Onion service with UnrealIRCd <https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd> which uses the new listen::spoof-ip and optionally requires a services account.
* JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
    o Logging of JSON-RPC requests (eg. via snomask |+R|) has been improved, it now shows:
        + The issuer, such as the user logged in to the admin panel (if known)
        + The parameters of the request
    o The JSON-RPC calls |channel.list| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list>, |channel.get| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get>, |user.list| <https://www.unrealircd.org/docs/JSON-RPC:User#user.list> and |user.get| <https://www.unrealircd.org/docs/JSON-RPC:User#user.get> now support an optional argument |object_detail_level| which specifies how detailed the Channel <https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel> and User <https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object> response object will be. Especially useful if you don't need all the details in the list calls.
    o New JSON-RPC methods |log.subscribe| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.subscribe> and |log.unsubscribe| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.unsubscribe> to allow real-time streaming of JSON log events <https://www.unrealircd.org/docs/JSON_logging>.
    o New JSON-RPC method |rpc.set_issuer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer> to indicate who is actually issuing the requests. The admin panel uses this to communicate who is logged in to the panel so this info can be used in logging.
    o New JSON-RPC methods |rpc.add_timer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.add_timer> and |rpc.del_timer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.del_timer> so you can schedule JSON-RPC calls, like stats.get, to be executed every xyz msec.
    o New JSON-RPC method |whowas.get| <https://www.unrealircd.org/docs/JSON-RPC:Whowas#whowas.get> to fetch WHOWAS history.
    o Low ASCII is no longer filtered out in strings in JSON-RPC, only in JSON logging.
* A new message tag |unrealircd.org/issued-by| which is IRCOp-only (and used intra-server) to communicate who actually issued a command. See docs <https://www.unrealircd.org/issued-by>.

Changes:

* The RPC modules are enabled by default now. This so remote RPC works from other IRC servers for calls like |modules.list|. The default configuration does NOT enable the webserver nor does it cause listening on any socket for RPC, for that you need to follow the JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> instructions.
* The blacklist-module <https://www.unrealircd.org/docs/Blacklist-module_directive> directive now accepts wildcards, eg |blacklist-module rpc/*;|
* The setting set::modef-boot-delay has been moved to set::anti-flood::channel::boot-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>.
* We now only exempt |127.0.0.1| and |::1| from banning by default (hardcoded in the source). Previously we exempted whole |127.*| but that gets in the way if you want to allow Tor with a require authentication <https://www.unrealircd.org/docs/Require_authentication_block> block or soft-ban. Now you can just tell Tor to bind to |127.0.0.2| so it's not affected by the default exemption.

Fixes:

* Crash if there is a parse error in an included file and there are other remote included files still being downloaded.
* Memory leak in WHOWAS
* Memory leak when connecting to a TLS server fails
* Workaround a bug in some websocket implementations where the WSOP_PONG frame is unmasked (now permitted).
Developers and protocol: * The |cmode.free_param| definition changed. It now has an extra argument |int soft| and for return value you will normally |return 0| here. You can |return 1| if you resist freeing, which is rare and only used by |+F| with set::anti-flood::channel::default-profile. * New |cmode.flood_type_action| which can be used to indicate a channel mode can be used from +f/+F as an action. You need to specify for which flood type your mode is, eg |cmode.flood_type_action = 'j';| for joinflood. * JSON-RPC supports UNIX domain sockets <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket> for making RPC calls. If this is used, we now split on |\n| (newline) so multiple parallel requests can be handled properly. * Message tag |unrealircd.org/issued-by|, sent to IRCOps only. See docs <https://www.unrealircd.org/issued-by>. You can download UnrealIRCd from https://www.unrealircd.org/ -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
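The newline framing on the JSON-RPC UNIX domain socket described in the announcement above, as an added example (not UnrealIRCd or admin panel code): a client that writes one request per line, sets an issuer for the audit log first, and matches replies by |id| even when they arrive out of order or split across reads. The |fake_server| stand-in, the issuer name |alice|, the detail-level values and the assumption that |rpc.set_issuer| takes a |name| parameter are constructed for the demonstration.

```python
import json
import socket
import threading


class LineRpcClient:
    """JSON-RPC 2.0 client for a stream socket carrying one JSON document per line."""

    def __init__(self, sock, max_line=1 << 20):
        self.sock = sock
        self.max_line = max_line  # refuse unbounded buffering of a single reply
        self.buf = b""
        self.next_id = 1

    def send(self, method, params=None):
        req_id = self.next_id
        self.next_id += 1
        req = {"jsonrpc": "2.0", "method": method,
               "params": params or {}, "id": req_id}
        # json.dumps escapes newlines inside strings, so a raw "\n" can only
        # ever mark the end of a request.
        self.sock.sendall(json.dumps(req).encode("utf-8") + b"\n")
        return req_id

    def recv_one(self):
        # A recv() may return half a reply or several replies at once, so
        # buffer until a complete line is available.
        while b"\n" not in self.buf:
            if len(self.buf) > self.max_line:
                raise ValueError("response line exceeds max_line")
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("socket closed before a full line arrived")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\n", 1)
        return json.loads(line)

    def collect(self, ids):
        """Read replies until every id in `ids` has been answered."""
        pending, replies = set(ids), {}
        while pending:
            msg = self.recv_one()
            if msg.get("id") in pending:
                pending.discard(msg["id"])
                replies[msg["id"]] = msg
        return replies


def fake_server(sock, expected):
    """Constructed stand-in for the server side (not UnrealIRCd): reads
    `expected` requests, then answers them in reverse order in 7-byte writes."""
    buf, reqs = b"", []
    while len(reqs) < expected:
        data = sock.recv(4096)
        if not data:
            break
        buf += data
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            reqs.append(json.loads(line))
    blob = b"".join(
        json.dumps({"jsonrpc": "2.0", "id": r["id"],
                    "result": {"method": r["method"]}}).encode("utf-8") + b"\n"
        for r in reversed(reqs))
    for i in range(0, len(blob), 7):
        sock.sendall(blob[i:i + 7])
    sock.close()


def demo():
    # socketpair() yields two connected UNIX stream sockets; a real client
    # would connect() to the RPC socket path from its own configuration.
    client_sock, server_sock = socket.socketpair()
    t = threading.Thread(target=fake_server, args=(server_sock, 3), daemon=True)
    t.start()
    client = LineRpcClient(client_sock)
    ids = [
        client.send("rpc.set_issuer", {"name": "alice"}),        # assumed parameter name
        client.send("user.list", {"object_detail_level": 2}),    # constructed value
        client.send("channel.list", {"object_detail_level": 1}),  # constructed value
    ]
    replies = client.collect(ids)
    t.join()
    client_sock.close()
    return {i: r["result"]["method"] for i, r in replies.items()}


if __name__ == "__main__":
    print(demo())
```
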
From: Bram M. <sy...@un...> - 2023-04-15 12:27:36
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second release candidate for 6.1.0 is now available for testing. Thanks to everyone for testing the -rc1! UnrealIRCd 6.1.0-rc2 should be the last release candidate before stable 6.1.0 release in May, 2023. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/.

This release contains channel mode +f enhancements and introduces a new channel mode +F which should be much easier for users than the scary looking +f.

Compared to 6.1.0-rc1, this 6.1.0-rc2 contains: some minor +F fixes if setting a default profile, optional persistent whowas history (whowasdb), lots of JSON-RPC improvements and new API methods, HELPOP updates, fixes for streaming logs over websockets, fixes a memory leak and there is a ban exemption change and a new Tor guide.

Enhancements:

* Channel flood protection improvements:
  o New channel mode |+F| <https://www.unrealircd.org/docs/Channel_anti-flood_settings> (uppercase F). This allows the user to choose a "flood profile", which (behind the scenes) translates to something similar to an |+f| mode. This so end-users can simply choose an |+F| profile without having to learn the complex channel mode |+f|.
    + For example |+F normal| effectively results in |[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15|
    + Multiple profiles are available and changing them is possible, see the documentation <https://www.unrealircd.org/docs/Channel_anti-flood_settings>.
    + Any settings in mode |+f| will override the ones of the |+F| profile. To see the effective flood settings, use |MODE #channel F|.
  o You can optionally set a default profile via set::anti-flood::channel::default-profile <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile>. This profile is used if the channel is |-F|. If the user does not want channel flood protection then they have to use an explicit |+F off|.
  o When channel mode |+f| or |+F| detect that a flood is caused by >75% of "unknown-users" <https://www.unrealircd.org/docs/Security-group_block>, the server will now set a temporary ban on |~security-group:unknown-users|. It will still set |+i| and other modes if the flood keeps on going (eg. is caused by known-users).
  o Forced nick changes (eg. by NickServ) are no longer counted in nick flood for channel mode |+f|/|+F|.
  o When a server splits on the network, we now temporarily disable +f/+F join-flood protection for 75 seconds (set::anti-flood::channel::split-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>). This because a server splitting could mean that server has network problems or has died (or restarted), in which case the clients would typically reconnect to the remaining other servers, triggering an +f/+F join-flood and channels ending up being |+i| and such. That is not good because we want +f/+F to be as effortless as possible, with as little false positives as possible.
    + If your network has 5+ servers and the user load is spread evenly among them, then you could disable this feature by setting the amount of seconds to |0|. This because in such a scenario only 1/5th (20%) of the users would reconnect and hopefully don't trigger +f/+F join floods.
  o All these features only work properly if all servers are on 6.1.0-rc1 or later.
* New module |whowasdb| (persistent |WHOWAS| history): this saves the WHOWAS history on disk periodically and when we terminate, so next server boot still has the WHOWAS history. This module is currently not loaded by default.
* New option listen::spoof-ip <https://www.unrealircd.org/docs/Listen_block#spoof-ip>, only valid when using UNIX domain sockets (so listen::file). This way you can override the IP address that users come online with when they use the socket (default was and still is |127.0.0.1|).
* Add a new guide Running Tor Onion service with UnrealIRCd <https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd> which uses the new listen::spoof-ip and optionally requires a services account.
* JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
  o Logging of JSON-RPC requests (eg. via snomask |+R|) has been improved, it now shows:
    + The issuer, such as the user logged in to the admin panel (if known)
    + The parameters of the request
  o The JSON-RPC calls |channel.list| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list>, |channel.get| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get>, |user.list| <https://www.unrealircd.org/docs/JSON-RPC:User#user.list> and |user.get| <https://www.unrealircd.org/docs/JSON-RPC:User#user.get> now support an optional argument |object_detail_level| which specifies how detailed the Channel <https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel> and User <https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object> response object will be. Especially useful if you don't need all the details in the list calls.
  o New JSON-RPC methods |log.subscribe| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.subscribe> and |log.unsubscribe| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.unsubscribe> to allow real-time streaming of JSON log events <https://www.unrealircd.org/docs/JSON_logging>.
  o New JSON-RPC method |rpc.set_issuer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer> to indicate who is actually issuing the requests. The admin panel uses this to communicate who is logged in to the panel so this info can be used in logging.
  o New JSON-RPC methods |rpc.add_timer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.add_timer> and |rpc.del_timer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.del_timer> so you can schedule JSON-RPC calls, like stats.get, to be executed every xyz msec.
  o New JSON-RPC method |whowas.get| <https://www.unrealircd.org/docs/JSON-RPC:Whowas#whowas.get> to fetch WHOWAS history.
  o Low ASCII is no longer filtered out in strings in JSON-RPC, only in JSON logging.
* A new message tag |unrealircd.org/issued-by| which is IRCOp-only (and used intra-server) to communicate who actually issued a command. See docs <https://www.unrealircd.org/issued-by>.

Changes:

* The RPC modules are enabled by default now. This so remote RPC works from other IRC servers for calls like |modules.list|. The default configuration does NOT enable the webserver nor does it cause listening on any socket for RPC, for that you need to follow the JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> instructions.
* The blacklist-module <https://www.unrealircd.org/docs/Blacklist-module_directive> directive now accepts wildcards, eg |blacklist-module rpc/*;|
* The setting set::modef-boot-delay has been moved to set::anti-flood::channel::boot-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>.
* We now only exempt |127.0.0.1| and |::1| from banning by default (hardcoded in the source). Previously we exempted whole |127.*| but that gets in the way if you want to allow Tor with a require authentication <https://www.unrealircd.org/docs/Require_authentication_block> block or soft-ban. Now you can just tell Tor to bind to |127.0.0.2| so it's not affected by the default exemption.

Fixes:

* Memory leak in WHOWAS
* Workaround a bug in some websocket implementations where the WSOP_PONG frame is unmasked (now permitted).

Developers and protocol:

* The |cmode.free_param| definition changed. It now has an extra argument |int soft| and for return value you will normally |return 0| here. You can |return 1| if you resist freeing, which is rare and only used by |+F| with set::anti-flood::channel::default-profile.
* New |cmode.flood_type_action| which can be used to indicate a channel mode can be used from +f/+F as an action. You need to specify for which flood type your mode is, eg |cmode.flood_type_action = 'j';| for joinflood.
* JSON-RPC supports UNIX domain sockets <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket> for making RPC calls. If this is used, we now split on |\n| (newline) so multiple parallel requests can be handled properly.

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
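A decoder for the |+f| parameter that |+F normal| expands to in the announcement above, added here as an example and not taken from UnrealIRCd's source. It assumes the layout |[<limit><type>#<action><minutes>,...]:<seconds>| and the flood-type names from the |+f| documentation, and it rejects malformed strings instead of guessing.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Flood-type letters and what they count (assumed from the +f documentation).
FLOOD_TYPES = {
    "c": "CTCP",
    "j": "join",
    "k": "knock",
    "m": "message/notice",
    "n": "nick change",
    "t": "text (per user)",
    "r": "repeat",
}

# "[item,item,...]:seconds"
_OUTER = re.compile(r"\[([^\[\]]+)\]:(\d{1,5})")
# "<limit><type>" optionally followed by "#<action>" and a number of minutes
_ITEM = re.compile(r"(\d{1,5})([a-z])(?:#([A-Za-z])(\d{1,5})?)?")


@dataclass(frozen=True)
class FloodRule:
    limit: int               # events allowed within the period
    action: Optional[str]    # action letter, None means the type's default action
    minutes: Optional[int]   # minutes after which the action is undone, if given


def parse_floodmode(param):
    """Return (period_seconds, {type_letter: FloodRule}) or raise ValueError."""
    outer = _OUTER.fullmatch(param.strip())
    if not outer:
        raise ValueError("expected [rules]:seconds, got %r" % param)
    period = int(outer.group(2))
    if period < 1:
        raise ValueError("period must be at least 1 second")
    rules = {}
    for item in outer.group(1).split(","):
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError("malformed rule %r" % item)
        limit, ftype, action, minutes = m.groups()
        if ftype not in FLOOD_TYPES:
            raise ValueError("unknown flood type %r" % ftype)
        if ftype in rules:
            raise ValueError("flood type %r given twice" % ftype)
        if int(limit) < 1:
            raise ValueError("limit must be at least 1 in %r" % item)
        rules[ftype] = FloodRule(int(limit), action,
                                 int(minutes) if minutes else None)
    return period, rules


def describe(param):
    """Render a +f parameter as one readable line per flood type."""
    period, rules = parse_floodmode(param)
    lines = []
    for ftype, rule in rules.items():
        text = "%d %s events per %ds" % (rule.limit, FLOOD_TYPES[ftype], period)
        if rule.action is None:
            text += " -> default action for this type"
        else:
            text += " -> action '%s'" % rule.action
            if rule.minutes is not None:
                text += ", lifted after %d min" % rule.minutes
        lines.append(text)
    return lines


if __name__ == "__main__":
    # The string quoted in the release notes for "+F normal".
    for line in describe("[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15"):
        print(line)
```
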
From: Bram M. <sy...@un...> - 2023-04-07 14:20:03
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The first release candidate for 6.1.0 is now available for testing.

This release contains channel mode +f enhancements and introduces a new channel mode +F which should be much easier for users than the scary looking +f.

You can help us by testing and reporting any issues at https://bugs.unrealircd.org/. The stable 6.1.0 release is scheduled for May, 2023.

Enhancements:

* Channel flood protection improvements:
  o New channel mode |+F| <https://www.unrealircd.org/docs/Channel_anti-flood_settings> (uppercase F). This allows the user to choose a "flood profile", which (behind the scenes) translates to something similar to an |+f| mode. This so end-users can simply choose an |+F| profile without having to learn the complex channel mode |+f|.
    + For example |+F normal| effectively results in |[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15|
    + Multiple profiles are available and changing them is possible, see the documentation <https://www.unrealircd.org/docs/Channel_anti-flood_settings>.
    + Any settings in mode |+f| will override the ones of the |+F| profile. To see the effective flood settings, use |MODE #channel F|.
  o You can optionally set a default profile via set::anti-flood::channel::default-profile <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile>. This profile is used if the channel is |-F|. If the user does not want channel flood protection then they have to use an explicit |+F off|.
  o When channel mode |+f| or |+F| detect that a flood is caused by >75% of "unknown-users" <https://www.unrealircd.org/docs/Security-group_block>, the server will now set a temporary ban on |~security-group:unknown-users|. It will still set |+i| and other modes if the flood keeps on going (eg. is caused by known-users).
  o Forced nick changes (eg. by NickServ) are no longer counted in nick flood for channel mode |+f|/|+F|.
  o When a server splits on the network, we now temporarily disable +f/+F join-flood protection for 75 seconds (set::anti-flood::channel::split-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>). This because a server splitting could mean that server has network problems or has died (or restarted), in which case the clients would typically reconnect to the remaining other servers, triggering an +f/+F join-flood and channels ending up being |+i| and such. That is not good because we want +f/+F to be as effortless as possible, with as little false positives as possible.
    + If your network has 5+ servers and the user load is spread evenly among them, then you could disable this feature by setting the amount of seconds to |0|. This because in such a scenario only 1/5th (20%) of the users would reconnect and hopefully don't trigger +f/+F join floods.
  o All these features only work properly if all servers are on 6.1.0-rc1 or later.
* JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>:
  o Logging of JSON-RPC requests (eg. via snomask |+R|) has been improved, it now shows:
    + The issuer, such as the user logged in to the admin panel (if known)
    + The parameters of the request
  o The JSON-RPC calls |channel.list| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list>, |channel.get| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get>, |user.list| <https://www.unrealircd.org/docs/JSON-RPC:User#user.list> and |user.get| <https://www.unrealircd.org/docs/JSON-RPC:User#user.get> now support an optional argument |object_detail_level| which specifies how detailed the Channel <https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel> and User <https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object> response object will be. Especially useful if you don't need all the details in the list calls.
  o New JSON-RPC method |rpc.set_issuer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer> to indicate who is actually issuing the requests. The admin panel uses this to communicate who is logged in to the panel so this info can be used in logging.
* A new message tag |unrealircd.org/issued-by| which is IRCOp-only (and used intra-server) to communicate who actually issued a command. See docs <https://www.unrealircd.org/issued-by>.

Changes:

* The RPC modules are enabled by default now. This so remote RPC works from other IRC servers for calls like |modules.list|. The default configuration does NOT enable the webserver nor does it cause listening on any socket for RPC, for that you need to follow the JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> instructions.
* The blacklist-module <https://www.unrealircd.org/docs/Blacklist-module_directive> directive now accepts wildcards, eg |blacklist-module rpc/*;|
* The setting set::modef-boot-delay has been moved to set::anti-flood::channel::boot-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>.

Developers and protocol:

* The |cmode.free_param| definition changed. It now has an extra argument |int soft| and for return value you will normally |return 0| here. You can |return 1| if you resist freeing, which is rare and only used by |+F| with set::anti-flood::channel::default-profile.
* New |cmode.flood_type_action| which can be used to indicate a channel mode can be used from +f/+F as an action. You need to specify for which flood type your mode is, eg |cmode.flood_type_action = 'j';| for joinflood.
* JSON-RPC supports UNIX domain sockets <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket> for making RPC calls. If this is used, we now split on |\n| (newline) so multiple parallel requests can be handled properly.

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2023-04-05 18:04:26
|
Hi everyone,

This is a friendly reminder that UnrealIRCd 5 will be End Of Life after _July 1, 2023_. After that date, it will be completely unmaintained and won't even get security fixes anymore.

*The end of UnrealIRCd 5*

UnrealIRCd 5.0.0 was released on Dec 13, 2019, so this will conclude the end of 3,5 years of UnrealIRCd 5. The first announcement about the EOL date was in October 2021. For full details and the timeline, see https://www.unrealircd.org/docs/UnrealIRCd_5_EOL.

We are also listed at this great website for keeping track of EOL dates: https://endoflife.date/unrealircd

*Are you still using UnrealIRCd 5?*

We recommend anyone running UnrealIRCd 5 (or older) to upgrade to UnrealIRCd 6.0.7. UnrealIRCd 6 has proven to be stable and has lots of useful features. Two weeks ago UnrealIRCd 6.0.7 was released and it has been downloaded 300 times already. If you have no idea what's new, then check out https://www.unrealircd.org/docs/What's_new_in_UnrealIRCd_6

If you are upgrading from UnrealIRCd 5 to UnrealIRCd 6, then you will find the following article helpful: https://www.unrealircd.org/docs/Upgrading_from_5.x

Best regards,

Bram Matthys (Syzop)

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2023-03-24 12:50:31
|
UnrealIRCd 6.0.7 makes WHOWAS show more information to IRCOps and adds an experimental spamfilter feature. It also contains other enhancements and quite a number of bug fixes. One notable change is that on linking of anope or atheme, every server will now check if they have ulines { } for that services server, since it's a common mistake to forget this, leading to desyncs or other weird problems.

As a reminder, since previous release the UnrealIRCd Administration Webpanel <https://github.com/unrealircd/unrealircd-webpanel/> is very much usable. It allows admins to view the users/channels/servers lists, view detailed information on users and channels, manage server bans and spamfilters, all from a web browser.

You can download UnrealIRCd from unrealircd.org <https://unrealircd.org/>, and on *NIX you can easily upgrade with |./unrealircd upgrade|

Enhancements:

* Spamfilter <https://www.unrealircd.org/docs/Spamfilter> can now be made UTF8-aware:
  o This is experimental, to enable: |set { spamfilter { utf8 yes; } }|
  o Case insensitive matches will then work better. For example, for extended Latin, a spamfilter on |ę| then also matches |Ę|.
  o Other PCRE2 features such as \p <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5> can then be used. For example the regex |\p{Arabic}| would block all Arabic script. See also this full list of scripts <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure.
  o As a consequence of this we require PCRE2 10.36 or newer. If your system PCRE2 is older, then the UnrealIRCd-shipped-library version will be compiled and |./Config| may take a little longer than usual.
* |WHOWAS| now shows IP address and account information to IRCOps
* Allow services to send a couple of protocol messages in the unregistered / SASL stage. These are: |CHGHOST|, |CHGIDENT| and |SREPLY|
  o This allows services to set the vhost on a user during SASL, so the user receives the vhost straight from the start, before all the auto-joining/re-rejoining of channels.
  o Future anope/atheme/etc services will presumably support this.
* WebSocket <https://www.unrealircd.org/docs/WebSocket_support> status is now synced over the network and an extra default security group <https://www.unrealircd.org/docs/Security-group_block> |websocket-users| has been added. Similarly there is now security-group::websocket and security-group::exclude-websocket item. Same for mask items <https://www.unrealircd.org/docs/Mask_item> such as in set::restrict-commands::command::except <https://www.unrealircd.org/docs/Restrict_commands>.
* Support for IRCv3 Standard Replies <https://ircv3.net/specs/extensions/standard-replies>. Right now nothing fancy yet, other than us sending |ACCOUNT_REQUIRED_TO_CONNECT| from the authprompt module when a user is soft-banned <https://www.unrealircd.org/docs/Soft_ban>.
* Add support for sending IRCv3 Standard Replies intra-server, eg from services (|SREPLY| server-to-server command)
* Support |NO_COLOR| environment variable, as per no-color.org <https://no-color.org>.

Changes:

* We now verify that all servers have ulines { } <https://www.unrealircd.org/docs/Ulines_block> for Anope and Atheme servers and reject the link if this is not the case.
* The |FLOOD_BLOCKED| log message now shows the target of the flood for |target-flood-user| and |target-flood-channel|.
* When an IRCOp sets |+H| to hide ircop status, only the swhois items that were added through oper will be hidden (and not the ones added by eg. vhost). Previously all were hidden.
* Update shipped libraries: c-ares to 1.19.0, Jansson to 2.14, PCRE2 to 10.42, and on Windows LibreSSL to 3.6.2 and cURL to 8.0.1.

Fixes:

* Crash if a third party module is loaded which allows very large message tags (e.g. has no length check)
* Crash if an IRCOp uses |unrealircd.org/json-log| <https://www.unrealircd.org/docs/JSON_logging#Enabling_on_IRC> on IRC and during |REHASH| some module sends log output during MOD_INIT (eg. with some 3rd party modules)
* Crash when parsing deny link block <https://www.unrealircd.org/docs/Deny_link_block>
* The Module manager <https://www.unrealircd.org/docs/Module_manager> now works on FreeBSD and similar.
* In |LUSERS| the "unknown connection(s)" count was wrong. This was just a harmless counting error with no other effects.
* Silence warnings on Clang 15+ (eg. Ubuntu 23.04)
* Don't download |GeoIP.dat| if you have |blacklist-module geoip_classic;| <https://www.unrealircd.org/docs/Blacklist-module_directive>
* Channel mode |+S| stripping too much on incorrect color codes.
* Make |@if module-loaded()| <https://www.unrealircd.org/docs/Defines_and_conditional_config> work correctly for modules that are about to be unloaded during REHASH.
* Some missing notices if remotely REHASHing a server, and one duplicate line.
* Check invalid host setting in oper::vhost, just like we already have in vhost::vhost.

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2023-02-03 06:22:04
|
I'm happy to announce UnrealIRCd 6.0.6. The main objective of this release is to enhance the new JSON-RPC functionality. In 6.0.5 we made a start and in 6.0.6 it is expanded a lot, plus some important bugs were fixed in it. Thanks everyone who has been testing the functionality!

The new UnrealIRCd Administration Webpanel <https://github.com/unrealircd/unrealircd-webpanel/> (which uses JSON-RPC) is very much usable now. It allows admins to view the users/channels/servers lists, view detailed information on users and channels, manage server bans and spamfilters, all from the browser.

Both the JSON-RPC API and the webpanel are work in progress. They will improve and expand with more features over time.

If you are already using UnrealIRCd 6.0.5 and you are NOT interested in JSON-RPC or the webpanel then there is NO reason to upgrade to 6.0.6.

As usual, you can download UnrealIRCd from unrealircd.org <https://unrealircd.org/>, and on *NIX you can easily upgrade with |./unrealircd upgrade|

Enhancements:

* The JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> API for UnrealIRCd has been expanded a lot. From 12 API methods to 42: |stats.get|, |rpc.info|, |user.part|, |user.join|, |user.quit|, |user.kill|, |user.set_oper|, |user.set_snomask|, |user.set_mode|, |user.set_vhost|, |user.set_realname|, |user.set_username|, |user.set_nick|, |user.get|, |user.list|, |server.module_list|, |server.disconnect|, |server.connect|, |server.rehash|, |server.get|, |server.list|, |channel.kick|, |channel.set_topic|, |channel.set_mode|, |channel.get|, |channel.list|, |server_ban.add|, |server_ban.del|, |server_ban.get|, |server_ban.list|, |server_ban_exception.add|, |server_ban_exception.del|, |server_ban_exception.get|, |server_ban_exception.list|, |name_ban.add|, |name_ban.del|, |name_ban.get|, |name_ban.list|, |spamfilter.add|, |spamfilter.del|, |spamfilter.get|, |spamfilter.list|.
  o Server admins can read the JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> documentation on how to get started. For developers, see the Technical documentation <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation> for all info on the different RPC calls and the protocol.
  o Some functionality requires all servers to be on 6.0.6 or later.
  o Some functionality requires all servers to include |rpc.modules.default.conf| instead of only the single server that the webpanel interfaces with through JSON-RPC. When all servers have that file included then the API call |server.module_list| can work for remote servers, and the API call |server.rehash| for remote servers can return the actual rehash result and a full log of the rehash process. It is not used for any other API call at the moment, but in the future more API calls may need this functionality because it allows us to do things that are otherwise impossible or very hard.
  o Known issue: logging of RPC actions needs to be improved. For some API calls, like adding of server bans and spamfilters, this already works, but in other API calls it is not clearly logged yet "who did what".

Changes:

* Previously some server protocol commands could only be used by services, commands such as |SVSJOIN| and |SVSPART|. We now allow SVS* commands to be used by any servers, so the JSON-RPC API can use them. There's a new option set::limit-svscmds <https://www.unrealircd.org/docs/Set_block#set::limit-svscmds> so one can revert back to the original situation, if needed.
* All JSON-RPC calls that don't change anything, such as |user.list| are now logged in the |rpc.debug| facility. Any call that changes anything like |user.join| or |spamfilter.add| is logged via |rpc.info|. This because JSON-RPC calls can be quite noisy and logging the read-only calls is generally not so interesting.

Fixes:

* When using JSON-RPC with UnrealIRCd 6.0.5 it would often crash
* Fix parsing services version (anope) in |EAUTH|.

Developers and protocol:

* A new |RRPC| server to server command to handle RPC-over-IRC. This way the JSON-RPC user, like the admin panel, can interface with a remote server. If you are writing an RPC handler, then the remote RPC request does not look much different than a local one, so you can just process it as usual. See the code for |server.rehash| or |server.module_list| for an example (src/modules/rpc/server.c).

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2022-12-29 10:07:49
|
I'm happy to announce UnrealIRCd 6.0.5 (stable). This release adds experimental JSON-RPC support, a new TLINE command, the |./unrealircd restart| command has been improved to check for config errors, logging to files has been improved and there are several other enhancements.

There are also two important changes:

1) servers that use websockets now also need to load the "webserver" module (so you may need to edit your config file).
2) we now require TLSv1.2 or higher and a modern cipher for IRC clients. This should be no problem for clients using any reasonably new SSL/TLS library (from 2014 or later).

I would also like to take this opportunity to say that we are looking for webdevs to create an UnrealIRCd admin panel <https://forums.unrealircd.org/viewtopic.php?t=9257>. The previous attempt at this failed so we are looking for new people.

See the full release notes below for all changes in more detail. As usual, you can download UnrealIRCd from unrealircd.org <https://unrealircd.org/>, and on *NIX you can easily upgrade with |./unrealircd upgrade|

Enhancements:

* Internally the websocket module has been split up into 3 modules: |websocket_common|, |webserver| and |websocket|. The |websocket_common| one is loaded by default via modules.default.conf, the other two are not. *Important:* if you use websockets then you need to load two modules now (instead of only one): |loadmodule "websocket"; loadmodule "webserver";|
* JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> API for UnrealIRCd. This is work in progress.
* New |TLINE| command to test *LINEs. This can be especially useful for checking how many people match an extended server ban <https://www.unrealircd.org/docs/Extended_server_bans> such as |TLINE ~C:NL|
* The |./unrealircd start| command will now refuse to start if UnrealIRCd is already running.
* The |./unrealircd restart| command will validate the configuration file (it will call |./unrealircd configtest|). If there is a configuration error then the restart will not go through and the current UnrealIRCd process is kept running.
* When an IRCOp is outside the channel and does |MODE #channel| they will now get to see the mode parameters too. This depends on the |channel:see:mode:remote| operclass permission <https://www.unrealircd.org/docs/Operclass_permissions> which all IRCOps have by default if you use the default operclasses.
* Logging to a file <https://www.unrealircd.org/docs/Log_block> now creates a directory structure if needed.
  o You could already use: |log { source { !debug; all; } destination { file "ircd.%Y-%m-%d.log"; } }|
  o But now you can also use: |log { source { !debug; all; } destination { file "%Y-%m-%d/ircd.log"; } }|
    This is especially useful if you output to multiple log files and then want them grouped by date in a directory.
* Add additional variables in blacklist::reason <https://www.unrealircd.org/docs/Blacklist_block>:
  o |$blacklist|: name of the blacklist block
  o |$dnsname|: the blacklist::dns::name
  o |$dnsreply|: the DNS reply code
* Resolved technical issue so opers can |REHASH| from Websocket connections <https://www.unrealircd.org/docs/WebSocket_support>.
* In the TLD block <https://www.unrealircd.org/docs/Tld_block> the use of |tld::motd| and |tld::rules| is now optional.
* Log which oper actually initiated a server link request (|CONNECT|)

Changes:

* SSL/TLS: By default we now require TLSv1.2 or later and a modern cipher with forward secrecy. Otherwise the connection is refused.
  o Since UnrealIRCd 4.2.2 (March 2019) users see an on-connect notice with a warning when they use an outdated TLS protocol or cipher that does not meet these requirements.
  o This move also reflects the phase out of versions below TLSv1.2 which happened in browsers in 2020/2021.
  o In practice on the client-side this requires at least:
    + OpenSSL 1.0.1 (released in 2012)
    + GnuTLS 3.2.6 (2013)
    + Android 4.4.2 (2013)
    + Or presumably any other SSL/TLS library that is not 9+ years old
  o If you want to revert back to the previous less secure settings, then look under ''Previous less secure setting'' in TLS Ciphers and protocols <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols>.
* The code for handling |set::anti-flood::everyone::connect-flood| <https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood> is now in its own module |connect-flood|. This module is loaded by default, no changes needed in your configuration file.
* Similarly, |set:max-unknown-connections-per-ip| <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip> is now handled by the new module |max-unknown-connections-per-ip|. This module is loaded by default as well, no changes needed in your configuration file.
* Upgrade shipped PCRE2 to 10.41, curl-ca-bundle to 2022-10-11, on Windows LibreSSL to 3.6.1 and cURL to 7.86.0.
* After people do a major upgrade on their Linux distro, UnrealIRCd may no longer start due to an |error while loading shared libraries|. We now print a more helpful message and link to the new FAQ entry <https://www.unrealircd.org/docs/FAQ#shared-library-error> about it.
* When timing out on the authprompt <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt> module, the error (quit message) is now the original (ban) reason for the prompt, instead of the generic |Registration timeout|.

Fixes:

* Crash when linking. This requires a certain sequence of events: first a server is linked in successfully, then we need to REHASH, and then a new link attempt has to come in with the same server name (for example because there is a network issue and the old link has not timed out yet). If all that happens, then an UnrealIRCd 6 server may crash, but not always.
* Warning message about moddata creationtime when linking.
* Snomask |+j| <https://www.unrealircd.org/docs/Snomasks> was not showing remote joins, even though it did show remote parts and kicks.
* Leak of 1 file descriptor per /REHASH (the control socket).
* Ban letters showing up twice in 005 EXTBAN=
* Setting set::authentication-prompt::enabled <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt> to |no| was ignored. The default is still |yes|.

Developers and protocol:

* Add |CALL_CMD_FUNC(cmd_func_name)| for calling commands in the same module, see this commit <https://github.com/unrealircd/unrealircd/commit/dc55c3ec9f19e5ed284e5a786f646d0e6bb60ef9>. Benefit of this is that it will keep working if we ever change command parameters.
* Add |CALL_NEXT_COMMAND_OVERRIDE()| which can be used instead of |CallCommandOverride()|, see also this commit <https://github.com/unrealircd/unrealircd/commit/4e5598b6cf0986095f757f31a2540b03e4d235dc>. This too, will keep working if we ever change command parameters.
* During loading and rehash we now set |loop.config_status| to one of |CONFIG_STATUS_*| so modules (and core) can see at what step we are during configuration file and module processing.
* New RPC API. See the |src/modules/rpc/| directory for examples.
* New function |get_nvplist(NameValuePrioList *list, const char *name)|

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2022-12-23 08:46:55
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second release candidate for 6.0.5 is now available for testing. If you have some time during the holidays and would like to try it out, feel free to do so. Please report any bugs you find at https://bugs.unrealircd.org/. On *NIX you can use the command *./unrealircd upgrade --rc* to upgrade to this RC.

This release adds experimental JSON-RPC support which can be used by a web panel or other interface (this is work in progress). There's a new TLINE command to test *LINES, useful for e.g. /TLINE ~C:NL. Logging to files has been improved and some other enhancements.

One notable change is that by default we now require TLSv1.2 (or higher) for IRC clients and a modern cipher. This should be no problem for clients using any reasonably new SSL/TLS library (from 2014 or later). Another notable change is that servers with websockets now also need to load the "webserver" module. Full release notes with all details are below.

Compared to 6.0.5-rc1 this 6.0.5-rc2 has some nice ./unrealircd script enhancements (see below) and various small bugfixes

Enhancements:

* Internally the websocket module has been split up into 3 modules: |websocket_common|, |webserver| and |websocket|. The |websocket_common| one is loaded by default via modules.default.conf, the other two are not. *Important:* if you use websockets then you need to load two modules now (instead of only one):

      loadmodule "websocket";
      loadmodule "webserver";

* JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> API for UnrealIRCd. This is work in progress.
* New |TLINE| command to test *LINEs. This can be especially useful for checking how many people match an extended server ban <https://www.unrealircd.org/docs/Extended_server_bans> such as |TLINE ~C:NL|
* The |./unrealircd start| command will now refuse to start if UnrealIRCd is already running.
* The |./unrealircd restart| command will validate the configuration file (it will call |./unrealircd configtest|). If there is a configuration error then the restart will not go through and the current UnrealIRCd process is kept running.
* When an IRCOp is outside the channel and does |MODE #channel| they will now get to see the mode parameters too. This depends on the |channel:see:mode:remote| operclass permission <https://www.unrealircd.org/docs/Operclass_permissions> which all IRCOps have by default if you use the default operclasses.
* Logging to a file <https://www.unrealircd.org/docs/Log_block> now creates a directory structure if needed.
    o You could already use:

          log {
              source { !debug; all; }
              destination { file "ircd.%Y-%m-%d.log"; }
          }

    o But now you can also use:

          log {
              source { !debug; all; }
              destination { file "%Y-%m-%d/ircd.log"; }
          }

      This is especially useful if you output to multiple log files and then want them grouped by date in a directory.
* Add additional variables in blacklist::reason <https://www.unrealircd.org/docs/Blacklist_block>:
    o |$blacklist|: name of the blacklist block
    o |$dnsname|: the blacklist::dns::name
    o |$dnsreply|: the DNS reply code
* Resolved technical issue so opers can |REHASH| from Websocket connections <https://www.unrealircd.org/docs/WebSocket_support>.
* In the TLD block <https://www.unrealircd.org/docs/Tld_block> the use of |tld::motd| and |tld::rules| is now optional.
* Log which oper actually initiated a server link request (|CONNECT|)

Changes:

* SSL/TLS: By default we now require TLSv1.2 or later and a modern cipher with forward secrecy. Otherwise the connection is refused.
    o Since UnrealIRCd 4.2.2 (March 2019) users see an on-connect notice with a warning when they use an outdated TLS protocol or cipher that does not meet these requirements.
    o This move also reflects the phase out of versions below TLSv1.2 which happened in browsers in 2020/2021.
    o In practice on the client-side this requires at least:
        + OpenSSL 1.0.1 (released in 2012)
        + GnuTLS 3.2.6 (2013)
        + Android 4.4.2 (2013)
        + Or presumably any other SSL/TLS library that is not 9+ years old
    o If you want to revert back to the previous less secure settings, then look under ''Previous less secure setting'' in TLS Ciphers and protocols <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols>.
* The code for handling |set::anti-flood::everyone::connect-flood| <https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood> is now in its own module |connect-flood|. This module is loaded by default, no changes needed in your configuration file.
* Similarly, |set::max-unknown-connections-per-ip| <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip> is now handled by the new module |max-unknown-connections-per-ip|. This module is loaded by default as well, no changes needed in your configuration file.
* Upgrade shipped PCRE2 to 10.41, curl-ca-bundle to 2022-10-11, on Windows LibreSSL to 3.6.1 and cURL to 7.86.0.
* After people do a major upgrade on their Linux distro, UnrealIRCd may no longer start due to an |error while loading shared libraries|. We now print a more helpful message and link to the new FAQ entry <https://www.unrealircd.org/docs/FAQ#shared-library-error> about it.
* When timing out on the authprompt <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt> module, the error (quit message) is now |Account required to connect| instead of the generic |Registration timeout|.

Fixes:

* Crash when linking. This requires a certain sequence of events: first a server is linked in successfully, then we need to REHASH, and then a new link attempt has to come in with the same server name (for example because there is a network issue and the old link has not timed out yet). If all that happens, then an UnrealIRCd 6 server may crash, but not always.
* Warning message about moddata creationtime when linking.
* Snomask |+j| <https://www.unrealircd.org/docs/Snomasks> was not showing remote joins, even though it did show remote parts and kicks.
* Leak of 1 file descriptor per /REHASH (the control socket).
* Ban letters showing up twice in 005 EXTBAN=
* Setting set::authentication-prompt::enabled <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt> to |no| was ignored. The default is still |yes|.

Developers and protocol:

* Add |CALL_CMD_FUNC(cmd_func_name)| for calling commands in the same module, see this commit <https://github.com/unrealircd/unrealircd/commit/dc55c3ec9f19e5ed284e5a786f646d0e6bb60ef9>. Benefit of this is that it will keep working if we ever change command parameters.
* Add |CALL_NEXT_COMMAND_OVERRIDE()| which can be used instead of |CallCommandOverride()|, see also this commit <https://github.com/unrealircd/unrealircd/commit/4e5598b6cf0986095f757f31a2540b03e4d235dc>. This, too, will keep working if we ever change command parameters.
* During loading and rehash we now set |loop.config_status| to one of |CONFIG_STATUS_*| so modules (and core) can see at what step we are during configuration file and module processing.
* New RPC API. See the |src/modules/rpc/| directory for examples.
* New function |get_nvplist(NameValuePrioList *list, const char *name)|

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2022-12-07 10:46:26
Hi everyone,

The release candidate for 6.0.5 is now available for testing. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/.

This release adds experimental JSON-RPC support which can be used by a web panel or other interface (this is work in progress). There's a new TLINE command to test *LINES, useful for e.g. /TLINE ~C:NL. Logging to files has been improved and some other enhancements.

One notable change is that by default we now require TLSv1.2 (or higher) for IRC clients and a modern cipher. This should be no problem for clients using any reasonably new SSL/TLS library (from 2014 or later). Another notable change is that servers with websockets now also need to load the "webserver" module. Full release notes with all details are below.

Also a correction: in the release notes of 6.0.4.2 from 2 weeks ago it was claimed that a crash with server linking was fixed. Unfortunately the actual fix was not included (my mistake). The fix is included in this 6.0.5-rc1 and will be in 6.0.5. Since the crash only affects a limited number of people there is not another 6.0.4.x release planned to rectify this, especially since 6.0.5 stable will be released in the next 3-6 weeks.

Enhancements:

* Internally the websocket module has been split up into 3 modules: |websocket_common|, |webserver| and |websocket|. The |websocket_common| one is loaded by default via modules.default.conf, the other two are not. *Important:* if you use websockets then you need to load two modules now (instead of only one):

      loadmodule "websocket";
      loadmodule "webserver";

* JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> API for UnrealIRCd. This is work in progress.
* New |TLINE| command to test *LINEs. This can be especially useful for checking how many people match an extended server ban <https://www.unrealircd.org/docs/Extended_server_bans> such as |TLINE ~C:NL|
* Logging to a file <https://www.unrealircd.org/docs/Log_block> now creates a directory structure if needed.
    o You could already use:

          log {
              source { !debug; all; }
              destination { file "ircd.%Y-%m-%d.log"; }
          }

    o But now you can also use:

          log {
              source { !debug; all; }
              destination { file "%Y-%m-%d/ircd.log"; }
          }

      This is especially useful if you output to multiple log files and then want them grouped by date in a directory.
* When an IRCOp is outside the channel and does |MODE #channel| they will now get to see the mode parameters too. This depends on the |channel:see:mode:remote| operclass permission <https://www.unrealircd.org/docs/Operclass_permissions> which all IRCOps have by default if you use the default operclasses.
* Add additional variables in blacklist::reason <https://www.unrealircd.org/docs/Blacklist_block>:
    o |$blacklist|: name of the blacklist block
    o |$dnsname|: the blacklist::dns::name
    o |$dnsreply|: the DNS reply code
* Resolved technical issue so opers can |REHASH| from Websocket connections <https://www.unrealircd.org/docs/WebSocket_support>.
* In the TLD block <https://www.unrealircd.org/docs/Tld_block> the use of |tld::motd| and |tld::rules| is now optional.

Changes:

* SSL/TLS: By default we now require TLSv1.2 or later and a modern cipher with forward secrecy. Otherwise the connection is refused.
    o Since UnrealIRCd 4.2.2 (March 2019) users see an on-connect notice with a warning when they use an outdated TLS protocol or cipher that does not meet these requirements.
    o This move also reflects the phase out of TLSv1.2 that happened in browsers in 2020/2021.
    o In practice on the client-side this requires at least:
        + OpenSSL 1.0.1 (released in 2012)
        + GnuTLS 3.2.6 (2013)
        + Android 4.4.2 (2013)
        + Or presumably any other SSL/TLS library that is not 9+ years old
    o If you want to revert back to the previous less secure settings, then look under ''Previous less secure setting'' in TLS Ciphers and protocols <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols>.
* The code for handling |set::anti-flood::everyone::connect-flood| <https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood> is now in its own module |connect-flood|. This module is loaded by default, no changes needed in your configuration file.
* Similarly, |set::max-unknown-connections-per-ip| <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip> is now handled by the new module |max-unknown-connections-per-ip|. This module is loaded by default as well, no changes needed in your configuration file.
* Shipped PCRE2 library is now 10.41, curl-ca-bundle is now 2022-10-11, also LibreSSL has been updated in the Windows build

Fixes:

* Fix crash when linking. This requires a certain sequence of events: first a server is linked in successfully, then we need to REHASH, and then a new link attempt has to come in with the same server name (for example because there is a network issue and the old link has not timed out yet). If all that happens, then an UnrealIRCd 6 server may crash, but not always.
* Snomask |+j| <https://www.unrealircd.org/docs/Snomasks> was not showing remote joins, even though it did show remote parts and kicks.

Developers and protocol:

* Add |CALL_CMD_FUNC(cmd_func_name)| for calling commands in the same module, see this commit <https://github.com/unrealircd/unrealircd/commit/dc55c3ec9f19e5ed284e5a786f646d0e6bb60ef9>. Benefit of this is that it will keep working if we ever change command parameters.
* Add |CALL_NEXT_COMMAND_OVERRIDE()| which can be used instead of |CallCommandOverride()|, see also this commit <https://github.com/unrealircd/unrealircd/commit/4e5598b6cf0986095f757f31a2540b03e4d235dc>. This, too, will keep working if we ever change command parameters.
* During loading and rehash we now set |loop.config_status| to one of |CONFIG_STATUS_*| so modules (and core) can see at what step we are during configuration file and module processing.
* New RPC API. See the |src/modules/rpc/| directory for examples.
* New function |get_nvplist(NameValuePrioList *list, const char *name)|

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2022-11-18 10:44:59
Hi everyone,

UnrealIRCd 6.0.5 is not ready yet, it is scheduled for Dec 2022 / Jan 2023 (with one or more RCs before that). So, in the meantime we have released a small update today, UnrealIRCd 6.0.4.2:

* Fix crash when linking. This requires a certain sequence of events: first a server is linked in successfully, then we need to REHASH, and then a new link attempt has to come in with the same server name (for example because there is a network issue and the old link has not timed out yet). If all that happens, then an UnrealIRCd 6 server may crash, but not always.
* Two IRCv3 specifications were ratified which we already supported as drafts:
    o Change CAP draft/extended-monitor to extended-monitor
    o Add message-tag bot next to existing (for now) draft/bot
* Update Turkish translations

You can download UnrealIRCd from https://www.unrealircd.org/

Note for developers / git users: Like most dot releases of UnrealIRCd, this dot-release does not exist in git. It cherry picks a number of commits from 6.0.5 in git, bumps the version, and adds the release notes.

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2022-08-29 08:31:48
Hi everyone,

Today we released a small update to fix two issues in UnrealIRCd 6.0.x. We only suggest upgrading if you are impacted by these problems. Most users will probably not upgrade and wait for 6.0.5 later this year.

* Fix sporadic crash when linking a server (after successful authentication). This feels like a compiler bug. It affected only some people with GCC and only in some situations. When compiled with clang there was no problem. Hopefully we can work around it this way.
* Make /INVITE bypass (nearly) all channel mode restrictions, as it used to be in UnrealIRCd 5.x. Both for invites by channel ops and for OperOverride. This also fixes a bug where an IRCOp with OperOverride could not bypass +l (limit) and other restrictions and would have to resort back to using MODE or SAMODE. Only +b and +i could be bypassed via INVITE OperOverride.

You can download UnrealIRCd from https://www.unrealircd.org/

Note for developers / git users: Like most dot releases of UnrealIRCd, this dot-release does not exist in git. It cherry picks commits 0e6fc07bd9000ecc463577892cf2195a670de4be and 0d139c6e7c268e31ca8a4c9fc5cb7bfeb4f56831 from 6.0.5 in git, bumps the version, and adds the release notes.

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2022-06-24 09:24:20
Hi everyone,

As a one-time exception, not a release announcement, but a request for help on a new part we would like to see developed:

We are envisioning an "admin panel" where IRCOps would be able to do a number of server tasks, starting with:

* Status overview / dashboard
* Spamfilter and *LINE management: that would be a lot easier via the web than on IRC

These two things would already be a great start. Naturally more can be added, I'm sure there are lots of ideas.

The admin panel would be installed on a (web)server and would connect to UnrealIRCd using the new JSON-RPC API <https://www.unrealircd.org/docs/JSON-RPC> that is currently being developed. It does not have to run on the same machine as UnrealIRCd.

We are looking for webdevs who would like to help out on the HTML/CSS and the coding-side. Do you have experience with web development and do you have time this summer to work on this? If you do, what would you prefer/suggest?

* Which language/environment to use? PHP? NodeJS? Python?
* Which coding framework should be used? Eg in case of PHP: Laravel, Symfony, ..? In case of JS/python... what?
* Which CSS/front end framework to use? Eg Bootstrap?

Most of the UnrealIRCd devs are backend coders with less experience on webdev/frontend. For us it would be relatively easy to make a quick-and-dirty PHP-without-framework non-AJAX "proof of concept" that is ugly and hard to extend. That is not what we are after. The idea is to have clean code that stays maintainable in the long run.

We would like to hear who would like to work on this and what choices should be made. On our side we can help with getting people together, hosting it as an official (sub)project and exchanging ideas. On the technical side we can provide the right API calls and options in UnrealIRCd.

We have created a new channel *#unreal-webpanel* on irc.unrealircd.org (IRC TLS on port 6697) that we can use for the discussion. Or you can reply on the forum thread <https://forums.unrealircd.org/viewtopic.php?t=9195>.

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2022-06-17 12:00:52
Hi everyone,

I'm happy to announce UnrealIRCd 6.0.4 (stable). This release comes with lots of features and enhancements. In particular, security groups and mask items now allow you to write cleaner and more flexible configuration files. There are also JSON logging enhancements and several bug fixes.

Thanks a lot to everyone who tested the release candidates!

Enhancements:

* Show security groups in |WHOIS|
* The security-group block <https://www.unrealircd.org/docs/Security-group_block> has been expanded and the same functionality is now available in mask items <https://www.unrealircd.org/docs/Mask_item> too:
    o This means the existing options like |identified|, |webirc|, |tls| and |reputation-score| can be used in |allow::mask| etc.
    o New options (in both security-group and mask) are:
        + |connect-time|: time a user is connected to IRC
        + |security-group|: to check another security group
        + |account|: services account name
        + |country|: country code, as found by GeoIP
        + |realname|: realname (gecos) of the user
        + |certfp|: certificate fingerprint
    o Every option also has an exclude- variant, eg. |exclude-country|. If a user matches any |exclude-| option then it is considered not a match.
    o The modules connthrottle <https://www.unrealircd.org/docs/Connthrottle>, restrict-commands <https://www.unrealircd.org/docs/Set_block#set::restrict-commands> and antirandom <https://www.unrealircd.org/docs/Set_block#set::antirandom> now use the new |except| sub-block which is a mask item. The old syntax (eg |set::antirandom::except-webirc|) is still accepted by UnrealIRCd and converted to the appropriate new setting behind the scenes (|set::antirandom::except::webirc|).
    o The modules blacklist <https://www.unrealircd.org/docs/Blacklist_block> and antimixedutf8 <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8> now also support the |except| block (a mask item).
    o Other than that the extended functionality is available in these blocks: |allow|, |oper|, |tld|, |vhost|, |deny channel|, |allow channel|.
    o Example of direct use in a ::mask item:

          /* Spanish MOTD for Spanish speaking countries */
          tld {
              mask { country { ES; AR; BO; CL; CO; CR; DO; EC; SV; GT; HN; MX; NI; PA; PY; PE; PR; UY; VE; } }
              motd "motd.es.txt";
              rules "rules.es.txt";
          }

    o Example of defining a security group and using it in a mask item later:

          security-group irccloud {
              mask { ip1; ip2; ip3; ip4; }
          }
          allow {
              mask { security-group irccloud; }
              class clients;
              maxperip 128;
          }
          except ban {
              mask { security-group irccloud; }
              type { blacklist; connect-flood; handshake-data-flood; }
          }

* Because the mask item is so powerful now, the |password| in the oper block <https://www.unrealircd.org/docs/Oper_block> is optional now.
* We now support oper::auto-login, which means the user will become IRCOp automatically if they match the conditions on-connect. This can be used in combination with certificate fingerprint <https://www.unrealircd.org/docs/Certificate_fingerprint> authentication for example:

      security-group Syzop { certfp "1234etc."; }
      oper Syzop {
          auto-login yes;
          mask { security-group Syzop; }
          operclass netadmin-with-override;
          class opers;
      }
      except ban {
          mask { security-group Syzop; }
          type all;
      }

* For JSON logging <https://www.unrealircd.org/docs/JSON_logging> a number of fields were added when a client is expanded:
    o |geoip|: with subitem |country_code| (eg. |NL|)
    o |tls|: with subitems |cipher| and |certfp|
    o Under subitem |users|:
        + |vhost|: if the visible host differs from the realhost then this is set (thus for both vhost and cloaked host)
        + |cloakedhost|: this is always set (except for eg. services users), even if the user is not cloaked so you can easily search on a cloaked host.
        + |idle_since|: last time the user has spoken (local clients only)
        + |channels|: list of channels (array), with a maximum of 384 chars.
* The JSON logging now also strips ASCII below 32, so color- and control codes.
* Support IRCv3 |+draft/channel-context|
* Add |example.es.conf| (Spanish example configuration file)
* The country of users is now communicated in the message-tag <https://www.unrealircd.org/docs/Message_tags> |unrealircd.org/geoip| (only to IRCOps).
* Add support for linking servers via UNIX domain sockets (|link::outgoing::file|).

Fixes:

* Crash in |except ban| with |~security-group:xyz|
* Crash if hideserver module was loaded but |LINKS| was not blocked.
* Crash on Windows when using the "Rehash" GUI option.
* Infinite loop if one security-group referred to another.
* Duplicate entries in the |+beI| lists of |+P| channels.
* Regular users were able to -o a service bot (that has umode +S)
* Module manager did not stop on compile error
* |set::modes-on-join| <https://www.unrealircd.org/docs/Set_block#set::modes-on-join> did not work with |+f| + timed bans properly, eg |[3t#b1]:10|
* Several log messages were missing some information.
* Reputation syncing across servers had a small glitch. Fix is mostly useful for servers that were not linked to the network for days or weeks.

Changes:

* Clarified that UnrealIRCd is licensed as "GPLv2 or later"
* Fix use of variables in |set::reject-message| <https://www.unrealircd.org/docs/Set_block#set::reject-message> and in |blacklist::reason| <https://www.unrealircd.org/docs/Blacklist_block>: previously short forms of variables were (unintentionally) expanded as well, such as |$serv| for |$server|. This is no longer supported, you need to use the correct full variable names.

Developers and protocol:

* The |creationtime| of users is now communicated. Until now this information was only known locally (the thing that was communicated that came close was "last nick change" but that is not the same). This is synced via (early) moddata across servers. Module coders can use |get_connected_time()|.
* The |RPL_HOSTHIDDEN| is now sent from |userhost_changed()| so you don't explicitly send it yourself anymore.
* The |SVSO| command is back, so services can make people IRCOp again. See |HELPOP SVSO| or the commit <https://github.com/unrealircd/unrealircd/commit/50e5d91c798e7d07ca0c68d9fca302a6b6610786> for more information.
* Due to the last change the |HOOKTYPE_LOCAL_OPER| parameters were changed.
* Module coders can enhance the JSON logging <https://www.unrealircd.org/docs/JSON_logging> expansion items for clients and channels via new hooks like |HOOKTYPE_JSON_EXPAND_CLIENT|. This is used by the geoip and tls modules.

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

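Added example (not part of the announcements on this page and not UnrealIRCd code): before moving to the 6.0.5 default of "TLSv1.2 or later and a modern cipher with forward secrecy", an admin can use the |tls| / |cipher| JSON logging field introduced in 6.0.4 to see which current clients would be refused. The log-line layout, the "<protocol>-<suite>" cipher string format and the prefix test used to approximate forward secrecy are assumptions of this example; it does not reproduce the server's actual cipher list.

```python
import json

# Constructed sample log lines (one JSON object per line, plus one broken line).
# Assumed layout: a "client" object with an optional "tls" subitem.
SAMPLE_LOG = "\n".join([
    '{"event_id": "LOCAL_CLIENT_CONNECT", "client": {"name": "alice", '
    '"tls": {"cipher": "TLSv1.3-TLS_CHACHA20_POLY1305_SHA256", "certfp": "constructed-1"}}}',
    '{"event_id": "LOCAL_CLIENT_CONNECT", "client": {"name": "bob", '
    '"tls": {"cipher": "TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384", "certfp": "constructed-2"}}}',
    '{"event_id": "LOCAL_CLIENT_CONNECT", "client": {"name": "carol", '
    '"tls": {"cipher": "TLSv1-ECDHE-RSA-AES256-SHA", "certfp": "constructed-3"}}}',
    '{"event_id": "LOCAL_CLIENT_CONNECT", "client": {"name": "dave", '
    '"tls": {"cipher": "TLSv1.2-AES128-GCM-SHA256", "certfp": "constructed-4"}}}',
    '{"event_id": "LOCAL_CLIENT_CONNECT", "client": {"name": "erin"}}',
    'this line is not JSON',
])

PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_RANK = PROTOCOL_RANK["TLSv1.2"]
# Key-exchange prefixes that indicate an ephemeral (EC)DHE handshake, in
# OpenSSL and IANA naming. Assumption: this stands in for "forward secrecy".
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_")


def check_cipher(cipher):
    """Return None if the connection meets the policy, else a reason string."""
    if not isinstance(cipher, str) or "-" not in cipher:
        return "unrecognised cipher field"
    protocol, _, suite = cipher.partition("-")
    rank = PROTOCOL_RANK.get(protocol)
    if rank is None:
        return "unknown protocol " + protocol  # fail closed on anything unfamiliar
    if rank < MIN_RANK:
        return "protocol below TLSv1.2"
    if protocol == "TLSv1.3":
        # TLS 1.3 suite names do not encode the key exchange; certificate-based
        # handshakes always use (EC)DHE.
        return None
    if not suite.startswith(FS_PREFIXES):
        return "no forward secrecy"
    return None


def audit(log_text):
    """Scan JSON log lines and list TLS clients that would be refused."""
    report = {"checked": 0, "plaintext": 0, "unparsable": 0, "refused": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            report["unparsable"] += 1
            continue
        client = entry.get("client") if isinstance(entry, dict) else None
        if not isinstance(client, dict):
            continue  # log entry without an expanded client
        tls = client.get("tls")
        if not isinstance(tls, dict):
            report["plaintext"] += 1  # the policy only concerns TLS connections
            continue
        report["checked"] += 1
        reason = check_cipher(tls.get("cipher"))
        if reason:
            report["refused"].append((client.get("name"), tls.get("cipher"), reason))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("TLS clients checked:", result["checked"])
    for name, cipher, reason in result["refused"]:
        print("would be refused:", name, cipher, "-", reason)
```
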
From: Bram M. <sy...@un...> - 2022-06-03 16:54:58
Hi everyone,

The second release candidate for 6.0.4 is now available for testing. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/.

Compared to 6.0.4-rc1, this rc2 adds an oper autologin feature (see near the end under /Enhancements/), fixes set::restrict-commands not working, fixes for security-group for account and CIDR, fix multiline log messages being cut, fix Ubuntu 22.04 compile problem and fix +H not working on set::modes-on-join. Also update various example.*conf files.

Enhancements:

* Show security groups in |WHOIS|
* The security-group block <https://www.unrealircd.org/docs/Security-group_block> has been expanded and the same functionality is now available in mask items <https://www.unrealircd.org/docs/Mask_item> too:
    o This means the existing options like |identified|, |webirc|, |tls| and |reputation-score| can be used in |allow::mask| etc.
    o New options (in both security-group and mask) are:
        + |connect-time|: time a user is connected to IRC
        + |security-group|: to check another security group
        + |account|: services account name
        + |country|: country code, as found by GeoIP
        + |realname|: realname (gecos) of the user
        + |certfp|: certificate fingerprint
    o Every option also has an exclude- variant, eg. |exclude-country|. If a user matches any |exclude-| option then it is considered not a match.
    o The modules connthrottle <https://www.unrealircd.org/docs/Connthrottle>, restrict-commands <https://www.unrealircd.org/docs/Set_block#set::restrict-commands> and antirandom <https://www.unrealircd.org/docs/Set_block#set::antirandom> now use the new |except| sub-block which is a mask item. The old syntax (eg |set::antirandom::except-webirc|) is still accepted by UnrealIRCd and converted to the appropriate new setting behind the scenes (|set::antirandom::except::webirc|).
    o The modules blacklist <https://www.unrealircd.org/docs/Blacklist_block> and antimixedutf8 <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8> now also support the |except| block (a mask item).
    o Other than that the extended functionality is available in these blocks: |allow|, |oper|, |tld|, |vhost|, |deny channel|, |allow channel|.
    o Example of direct use in a ::mask item:

          /* Spanish MOTD for Spanish speaking countries */
          tld {
              mask { country { ES; AR; BO; CL; CO; CR; DO; EC; SV; GT; HN; MX; NI; PA; PY; PE; PR; UY; VE; } }
              motd "motd.es.txt";
              rules "rules.es.txt";
          }

    o Example of defining a security group and using it in a mask item later:

          security-group irccloud {
              mask { ip1; ip2; ip3; ip4; }
          }
          allow {
              mask { security-group irccloud; }
              class clients;
              maxperip 128;
          }
          except ban {
              mask { security-group irccloud; }
              type { blacklist; connect-flood; handshake-data-flood; }
          }

* Because the mask item is so powerful now, the |password| in the oper block <https://www.unrealircd.org/docs/Oper_block> is optional now.
* We now support oper::auto-login, which means the user will become IRCOp automatically if they match the conditions on-connect. This can be used in combination with certificate fingerprint <https://www.unrealircd.org/docs/Certificate_fingerprint> authentication for example:

      security-group Syzop { mask { certfp "1234etc."; } }
      oper Syzop {
          auto-login yes;
          mask { security-group Syzop; }
          operclass netadmin-with-override;
          class opers;
      }
      except ban {
          mask { security-group Syzop; }
          type all;
      }

* For JSON logging <https://www.unrealircd.org/docs/JSON_logging> a number of fields were added when a client is expanded:
    o |geoip|: with subitem |country_code| (eg. |NL|)
    o |tls|: with subitems |cipher| and |certfp|
    o Under subitem |users|:
        + |vhost|: if the visible host differs from the realhost then this is set (thus for both vhost and cloaked host)
        + |cloakedhost|: this is always set (except for eg. services users), even if the user is not cloaked so you can easily search on a cloaked host.
        + |idle_since|: last time the user has spoken (local clients only)
        + |channels|: list of channels (array), with a maximum of 384 chars.
* The JSON logging now also strips ASCII below 32, so color- and control codes.
* Support IRCv3 |+draft/channel-context|
* Add |example.es.conf| (Spanish example configuration file)
* The country of users is now communicated in the message-tag <https://www.unrealircd.org/docs/Message_tags> |unrealircd.org/geoip| (only to IRCOps).
* Add support for linking servers via UNIX domain sockets (|link::outgoing::file|).

Fixes:

* Crash in |except ban| with |~security-group:xyz|
* Crash if hideserver module was loaded but |LINKS| was not blocked.
* Crash on Windows when using the "Rehash" GUI option.
* Infinite loop if one security-group referred to another.
* Duplicate entries in the |+beI| lists of |+P| channels.
* Module manager did not stop on compile error
* |set::modes-on-join| <https://www.unrealircd.org/docs/Set_block#set::modes-on-join> did not work with |+f| + timed bans properly, eg |[3t#b1]:10|
* Several log messages were missing some information.
* Reputation syncing across servers had a small glitch. Fix is mostly useful for servers that were not linked to the network for days or weeks.

Changes:

* Clarified that UnrealIRCd is licensed as "GPLv2 or later"

Developers and protocol:

* The |creationtime| of users is now communicated. Until now this information was only known locally (the thing that was communicated that came close was "last nick change" but that is not the same). This is synced via (early) moddata across servers. Module coders can use |get_connected_time()|.
* The |RPL_HOSTHIDDEN| is now sent from |userhost_changed()| so you don't explicitly send it yourself anymore.
* The |SVSO| command is back, so services can make people IRCOp again. See |HELPOP SVSO| or the commit <https://github.com/unrealircd/unrealircd/commit/50e5d91c798e7d07ca0c68d9fca302a6b6610786> for more information.
* Due to the last change the |HOOKTYPE_LOCAL_OPER| parameters were changed.
* Module coders can enhance the JSON logging <https://www.unrealircd.org/docs/JSON_logging> expansion items for clients and channels via new hooks like |HOOKTYPE_JSON_EXPAND_CLIENT|. This is used by the geoip and tls modules.

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2022-05-25 17:59:09
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The release candidate for 6.0.4 is now available for testing. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/.

Enhancements:

  * Show security groups in |WHOIS|
  * The security-group block <https://www.unrealircd.org/docs/Security-group_block> has been expanded and the same functionality is now available in mask items <https://www.unrealircd.org/docs/Mask_item> too:
      o This means the existing options like |identified|, |webirc|, |tls| and |reputation-score| can be used in |allow::mask| etc.
      o New options (in both security-group and mask) are:
          + |connect-time|: time a user is connected to IRC
          + |security-group|: to check another security group
          + |account|: services account name
          + |country|: country code, as found by GeoIP
          + |realname|: realname (gecos) of the user
          + |certfp|: certificate fingerprint
      o Every option also has an exclude- variant, eg. |exclude-country|. If a user matches any |exclude-| option then it is considered not a match.
      o The modules connthrottle <https://www.unrealircd.org/docs/Connthrottle>, restrict-commands <https://www.unrealircd.org/docs/Set_block#set::restrict-commands> and antirandom <https://www.unrealircd.org/docs/Set_block#set::antirandom> now use the new |except| sub-block which is a mask item. The old syntax (eg |set::antirandom::except-webirc|) is still accepted by UnrealIRCd and converted to the appropriate new setting behind the scenes (|set::antirandom::except::webirc|).
      o The modules blacklist <https://www.unrealircd.org/docs/Blacklist_block> and antimixedutf8 <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8> now also support the |except| block (a mask item).
      o Other than that the extended functionality is available in these blocks: |allow|, |oper|, |tld|, |vhost|, |deny channel|, |allow channel|.
      o Example of direct use in a ::mask item:

            /* Spanish MOTD for Spanish speaking countries */
            tld {
                mask { country { ES; AR; BO; CL; CO; CR; DO; EC; SV; GT; HN; MX; NI; PA; PY; PE; PR; UY; VE; } }
                motd "motd.es.txt";
                rules "rules.es.txt";
            }

      o Example of defining a security group and using it in a mask item later:

            security-group irccloud {
                mask { ip1; ip2; ip3; ip4; }
            }
            allow {
                mask { security-group irccloud; }
                class clients;
                maxperip 128;
            }
            except ban {
                mask { security-group irccloud; }
                type { blacklist; connect-flood; handshake-data-flood; }
            }

  * For JSON logging <https://www.unrealircd.org/docs/JSON_logging> a number of fields were added when a client is expanded:
      o |geoip|: with subitem |country_code| (eg. |NL|)
      o |tls|: with subitems |cipher| and |certfp|
      o Under subitem |users|:
          + |vhost|: if the visible host differs from the realhost then this is set (thus for both vhost and cloaked host)
          + |cloakedhost|: this is always set (except for eg. services users), even if the user is not cloaked so you can easily search on a cloaked host.
          + |idle_since|: last time the user has spoken (local clients only)
          + |channels|: list of channels (array), with a maximum of 384 chars.
  * The JSON logging now also strips ASCII below 32, so color- and control codes.
  * Support IRCv3 |+draft/channel-context|
  * Add |example.es.conf| (Spanish example configuration file)
  * The country of users is now communicated in the message-tag <https://www.unrealircd.org/docs/Message_tags> |unrealircd.org/geoip| (only to IRCOps).
  * Add support for linking servers via UNIX domain sockets (|link::outgoing::file|).

Fixes:

  * Crash in |except ban| with |~security-group:xyz|
  * Crash if hideserver module was loaded but |LINKS| was not blocked.
  * Crash on Windows when using the "Rehash" GUI option.
  * Infinite loop if one security-group referred to another.
  * Duplicate entries in the |+beI| lists of |+P| channels.
  * Module manager did not stop on compile error
  * |set::modes-on-join| <https://www.unrealircd.org/docs/Set_block#set::modes-on-join> did not work with |+f| + timed bans properly, eg |[3t#b1]:10|
  * Several log messages were missing some information.
  * Reputation syncing across servers had a small glitch. Fix is mostly useful for servers that were not linked to the network for days or weeks.

Changes:

  * Clarified that UnrealIRCd is licensed as "GPLv2 or later"

Developers and protocol:

  * The |creationtime| is now communicated of users. Until now this information was only known locally (the thing that was communicated that came close was "last nick change" but that is not the same). This is synced via (early) moddata across servers. Module coders can use |get_connected_time()|.
  * The |RPL_HOSTHIDDEN| is now sent from |userhost_changed()| so you don't explicitly send it yourself anymore.
  * Module coders can enhance the JSON logging <https://www.unrealircd.org/docs/JSON_logging> expansion items for clients and channels via new hooks like |HOOKTYPE_JSON_EXPAND_CLIENT|. This is used by the geoip and tls modules.

You can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2022-04-02 05:16:40
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

A number of serious issues were discovered in UnrealIRCd 6. We recommend everyone who is running UnrealIRCd 6 to upgrade to 6.0.3. Among the issues fixed is an issue which will likely crash the IRCd sooner or later if you /REHASH with any active clients connected.

Read the UnrealIRCd 6.0.3 release notes <https://github.com/unrealircd/unrealircd/blob/cedd23ae9cdd5985ce16e9869cbdb808479c3fc4/doc/RELEASE-NOTES.md#unrealircd-603> for more details and the full list of changes.

If you are not using UnrealIRCd 6 yet and want to migrate from 5.x to 6.x, then check out the general item What's new in UnrealIRCd 6 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_6> and Upgrading from 5.x <https://www.unrealircd.org/docs/Upgrading_from_5.x>. Note that UnrealIRCd 5.2.x is still supported <https://www.unrealircd.org/docs/UnrealIRCd_5_EOL> at this time, but no new features are added to it anymore.

As always, you can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2022-03-16 14:13:34
|
*Summary*

OpenSSL and LibreSSL have a bug in their SSL/TLS library that most likely also affects UnrealIRCd. An attacker could cause UnrealIRCd to enter a 100% CPU loop. This makes UnrealIRCd unresponsive to any commands. The ircd will appear "frozen" or "stalled".

*Details*

OpenSSL released a security advisory <https://www.openssl.org/news/secadv/20220315.txt> for CVE-2022-0778 on 2022-03-15. LibreSSL is similarly affected. Any client capable of initiating an SSL/TLS session could cause an SSL/TLS server to hang. In case of IRC it should be noted that this likely also affects passworded (hub) servers as the attacker does not need to authenticate and does not need to send any IRC commands.

Again, this issue is not UnrealIRCd-specific, it likely affects any SSL/TLS program that uses OpenSSL or LibreSSL and reads peer certificates such as apache, nginx, exim, etc.

According to OpenSSL the issue "only" causes a hang, it does not allow privilege escalation, no remote code execution.

At the time of sending this email there is no active exploit released yet, but this may change sooner or later.

*Advice for *NIX users*

On *NIX we recommend admins to upgrade the OpenSSL package and then restart UnrealIRCd. Consult your distro on how to check and verify openssl updates. There is no new UnrealIRCd release for *NIX as there is no bug in UnrealIRCd itself. The issue is in OpenSSL / LibreSSL.

Although slightly off-topic, it should be pointed out that many Linux distros backport OpenSSL fixes, and they often do it in such a way that using /VERSION on UnrealIRCd as an IRCOp to see the SSL library is completely useless. It often cannot be used to check if you are patched or not. For example, on Ubuntu 20.04 LTS you will see "OpenSSL 1.1.1f 31 Mar 2020" before you upgraded OpenSSL and you also see the same version "OpenSSL 1.1.1f 31 Mar 2020" after you upgraded to the March 2022 openssl version with the fix. The only way to verify is to check on the command line with dpkg or rpm or by checking .so files to see if the OpenSSL version upgrade went OK or not. And even then you must be sure that the process (unrealircd in our case) has been restarted after the openssl upgrade for it to be effective.

*Advice for Windows users*

For Windows we have released two new versions: 5.2.4b and 6.0.2b. This is because for Windows we ship binaries so they include LibreSSL DLL files. Windows users should upgrade to this version and restart UnrealIRCd.

The UnrealIRCd versions on Windows will still identify themselves as "5.2.4" and "6.0.2" everywhere, without any "b" suffix at the end. This is because their UnrealIRCd codebase is 5.2.4 / 6.0.2, there are zero unrealircd source code changes. If you wish to verify that you are indeed running with the fixed SSL library then run /VERSION on IRC as an IRCOp. If you see LibreSSL 3.4.3 then you are good. Any lower LibreSSL version is bad. Again, this is only true for Windows.

*Revisions*

If there are any changes we will update the post at https://forums.unrealircd.org/viewtopic.php?t=9177
|
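Added example, not part of the original announcement or of UnrealIRCd: a shell check for the last condition in the *NIX advice above, that the running process was restarted after the OpenSSL upgrade. On Linux, a library file that was replaced on disk while a process still maps it appears in /proc/<pid>/maps with a "(deleted)" suffix; the function names, the --pid switch and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the UnrealIRCd project). Assumes Linux /proc.

# Read /proc/<pid>/maps content on stdin and print one line per mapped
# libssl/libcrypto file: "STALE <path>" when the file was replaced or removed
# on disk after the process mapped it, "CURRENT <path>" otherwise.
tls_lib_status() {
    awk '
        # Field 6 is the mapped path; the kernel appends "(deleted)" as a
        # further field once the on-disk file has been unlinked or replaced.
        $6 ~ "/lib(ssl|crypto)[^/]*[.]so" {
            state = ($NF == "(deleted)") ? "STALE" : "CURRENT"
            if (!seen[$6]++) print state, $6
        }'
}

# Exit status 0 when the maps content on stdin shows at least one stale TLS
# library, i.e. the process still runs the pre-upgrade code.
process_needs_restart() {
    tls_lib_status | grep '^STALE ' >/dev/null
}

# Constructed sample: OpenSSL package upgraded, ircd not restarted yet.
sample_maps_before_restart() {
    cat <<'EOF'
55d0c8a00000-55d0c8a4b000 r--p 00000000 fd:01 2627001 /home/ircd/unrealircd/bin/unrealircd
55d0c9f5e000-55d0ca1a2000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c01c000 r--p 00000000 fd:01 1311702 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1c01c000-7f3a1c06a000 r-xp 0001c000 fd:01 1311702 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1c200000-7f3a1c278000 r--p 00000000 fd:01 1311698 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)
7f3a1c600000-7f3a1c622000 r--p 00000000 fd:01 1310855 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f3a1c900000-7f3a1c902000 rw-p 00000000 00:00 0
EOF
}

# Constructed sample: same host after the ircd was restarted.
sample_maps_after_restart() {
    cat <<'EOF'
5581e3400000-5581e344b000 r--p 00000000 fd:01 2627001 /home/ircd/unrealircd/bin/unrealircd
7f90aa000000-7f90aa01c000 r--p 00000000 fd:01 1312240 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f90aa200000-7f90aa278000 r--p 00000000 fd:01 1312236 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f90aa600000-7f90aa622000 r--p 00000000 fd:01 1310855 /usr/lib/x86_64-linux-gnu/libc-2.31.so
EOF
}

# Live use: pass "--pid <pid>" with the pid of the running unrealircd process.
if [ "${1:-}" = "--pid" ] && [ -r "/proc/${2:-}/maps" ]; then
    tls_lib_status < "/proc/$2/maps"
fi
```

Any STALE line means the upgrade on disk has not reached the running process yet. The check says nothing about whether the installed package itself contains the fix; that still has to come from dpkg or rpm as the announcement describes.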
From: Bram M. <sy...@vu...> - 2022-01-28 15:47:31
|
Hi everyone,

See the other announcement a few minutes ago for an important crash fix in 5.x and 6.x, that one can be hot-patched without restart for most users, so you don't have to upgrade to 6.0.2.

The post below is about the new release UnrealIRCd 6.0.2 and what it has to offer, since it includes _much more_ than just the previous announced small crash fix. Upgrading to 6.0.2 may be worth it if you want these new features and fixes. And of course you can also decide to hot-patch the important crash issue first and consider upgrading later in the next few weeks. Or wait for a 6.0.3 release in feb/march. It's up to you.

If you are not using UnrealIRCd 6 yet and want to migrate from 5.x to 6.x, then check out the general item What's new in UnrealIRCd 6 <https://www.unrealircd.org/docs/What's_new_in_UnrealIRCd_6> and Upgrading from 5.x <https://www.unrealircd.org/docs/Upgrading_from_5.x>.

Fixes:

  * Fix crash that can be triggered by regular users if you have any deny dcc blocks in the config or any spamfilters with the d (DCC) target. NOTE: You don't *have* to upgrade to 6.0.2 to fix this, you can also hot-patch this issue without restart, see the other news announcement.
  * Windows: fix crash with IPv6 clients (local or remote) due to GeoIP lookup
  * Fix infinite hang on "Loading IRCd configuration" if DNS is not working. For example if the 1st DNS server in |/etc/resolv.conf| is down or refusing requests.
  * Some |MODE| server-to-server commands were missing a timestamp at the end, even though this is mandatory for modes coming from a server.
  * The channeldb <https://www.unrealircd.org/docs/Set_block#set::channeldb> module now converts letter extbans to named extbans (eg |~a| to |~account|). Previously it did not, which caused letter extbans to appear in the banlist. Later on, when linking servers, this would cause duplicate entries to appear as well, with both the old and new format. The extbans were still effective though, so this is mostly a visual +b/+e/+I list issue.
  * Some Extended Server Bans <https://www.unrealircd.org/docs/Extended_server_bans> were not working correctly for WEBIRC proxies. In particular, a server ban or exempt (ELINE) on |~country:XX| was only checked against the WEBIRC proxy.

Enhancements:

  * Support for logging to a channel <https://www.unrealircd.org/docs/Log_block#Logging_to_a_channel>. Similar to snomasks but then for channels.
  * Command line interface changes:
      o The CLI tool <https://www.unrealircd.org/docs/Command_Line_Interface> now communicates to the running UnrealIRCd process via a UNIX socket to send commands and retrieve output.
      o The command |./unrealircd rehash| will now show the rehash output, including warnings and errors, and return a proper exit code.
      o The same for |./unrealircd reloadtls|
      o New command |./unrealircd status| to show if UnrealIRCd is running, the version, channel and user count, ..
      o The command |./unrealircd genlinkblock| is now documented <https://www.unrealircd.org/docs/Linking_servers_(genlinkblock)> and is referred to from the Linking servers tutorial <https://www.unrealircd.org/docs/Tutorial:_Linking_servers>.
      o On Windows in the |C:\Program Files\UnrealIRCd 6\bin| directory there is now an |unrealircdctl.exe| that can be used to do similar things to what you can do on *NIX. Supported operations are: |rehash|, |reloadtls|, |mkpasswd|, |gencloak| and |spkifp|.
  * New option set::server-notice-show-event <https://www.unrealircd.org/docs/Set_block#set::server-notice-show-event> which can be set to |no| to hide the event information (eg |connect.LOCAL_CLIENT_CONNECT|) in server notices. This can be overridden per-oper in the Oper block <https://www.unrealircd.org/docs/Oper_block> via oper::server-notice-show-event.
  * Support for IRC over UNIX sockets (on the same machine), if you specify a file in the listen block <https://www.unrealircd.org/docs/Listen_block> instead of an ip/port. This probably won't be used much, but the option is there. Users will show up with a host of |localhost| and IP |127.0.0.1| to keep things simple.
  * The |MAP| command now shows percentages of users
  * Add |WHO| option to search clients by time connected (eg. |WHO <300 t| to search for less than 300 seconds)
  * Rate limiting of |MODE nick -x| and |-t| via new |vhost-flood| option in set::anti-flood block <https://www.unrealircd.org/docs/Anti-flood_settings>.

Changes:

  * Update Russian |help.ru.conf|.

Developers and protocol:

  * People packaging UnrealIRCd (eg. to an .rpm/.deb):
      o Be sure to pass the new |--with-controlfile| configure option
      o There is now an |unrealircdctl| tool that the |unrealircd| shell script uses, it is expected to be in |bindir|.
  * |SVSMODE #chan -b nick| will now correctly remove extbans that prevent |nick| from joining. This fixes a bug where it would remove too much (for |~time|) or not remove extbans (most other extbans, eg |~account|). |SVSMODE #chan -b| has also been fixed accordingly (remove all bans preventing joins). Note that all these commands do not remove bans that do not affect joins, such as |~quiet| or |~text|.
  * For module coders: setting the |EXTBOPT_CHSVSMODE| flag in |extban.options| is no longer useful, the flag is ignored. We now decide based on |BANCHK_JOIN| being in |extban.is_banned_events| if the ban should be removed or not upon SVS(2)MODE -b.

As always, you can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2022-01-28 15:45:45
|
UnrealIRCd 5 and UnrealIRCd 6 can be crashed by a regular user when a certain command is sent. This results in all users being disconnected from the server. There is no other risk than crashing (no buffer overflow or anything, no risk of remote code execution).

If you have any deny dcc { } blocks in the config file or spamfilters on the 'd' (dcc) target then the server can be crashed. This is true for many servers as there is a deny dcc { } block in the example configuration file (example.conf).

All U5 and U6 versions before January 28, 2022 are affected, so:

  * UnrealIRCd 5.0.0 - 5.2.3
  * UnrealIRCd 6.0.0 - 6.0.2-rc1

We recommend admins to apply the hot-patch (see next) ASAP which will fix the issue with zero downtime.

Apply hot-patch; no restart needed

*NIX users can fix this issue without needing to restart their IRC server. Windows users will have to upgrade (see next section).

Go to your UnrealIRCd installation directory and then run:

    ./unrealircd hot-patch dcc_crash

This should end with the message "Done! All should be good now.". It is a good idea to double-check on IRC that your server is fixed, see the end of this news article.

The command from above is the recommended method. If instead you prefer to fiddle with patch files and know how to apply these, then they can be fetched for U5 <https://www.unrealircd.org/patches/dcc.u5.patch> or for U6 <https://www.unrealircd.org/patches/dcc.u6.patch>. Another alternative is to upgrade to 6.0.2 or 5.2.4 (see next).

Alternative: Upgrading

You can also choose to upgrade your entire UnrealIRCd. For example, because you want the latest UnrealIRCd 6 features, or because you are on Windows and cannot apply the hot-patch. For this we have released two new UnrealIRCd versions:

  * UnrealIRCd 5.2.4: compared to previous release the only thing extra is the patch for the crash and a version bump
  * UnrealIRCd 6.0.2: compared to previous release it contains lots of enhancements, fixes and of course also the patch for the crash and version bump

*NIX users typically upgrade to this version by running:

    ./unrealircd upgrade

You can also manually download and install UnrealIRCd from www.unrealircd.org <https://www.unrealircd.org/>.

Verifying the server is now OK / Checking vulnerable / not vulnerable

As an IRCOp you can check on IRC whether the hot-patch has been applied successfully, or if you have upgraded OK, or if the server is still crashable (still has the bug). This is a good idea to check.

Run the command */MODULE -all* and then search for the line about the *message* module (about 20 lines before the end of the output). There is a difference in the message module version number that can be seen (if you are IRCOp):

  * Vulnerable versions (both UnrealIRCd 5 and UnrealIRCd 6) look like:
        *** message 5.0 - private message and notice - by UnrealIRCd Team
  * Fixed version UnrealIRCd 5 looks like:
        *** message 5.2.4 - private message and notice - by UnrealIRCd Team
  * Fixed version UnrealIRCd 6 looks like:
        *** message 6.0.2 - private message and notice - by UnrealIRCd Team
  * If you don't see a version number then you are not an IRC Operator. You need to OPER up to see version numbers of modules.

You can also check remote servers by running */MODULE -all name.of.server.net*

Further updates on this issue

In case there are any errors that need to be corrected (typos or further info), then the news item will be updated on the forums <https://forums.unrealircd.org/viewforum.php?f=1>.

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2022-01-23 14:41:06
|
Here's a heads up (preannouncement), so UnrealIRCd admins know they should pay attention next Friday:

Internally we discovered a serious issue in UnrealIRCd. A regular user can cause UnrealIRCd to crash, which results in all users being disconnected from the server. There is no other risk (no risk of remote code execution) but such a crash is serious enough to warrant this preannouncement and a fix soon. This issue affects both UnrealIRCd 5 and UnrealIRCd 6.

Fixed versions will be released on *Friday, January 28 2022, at 16:00 GMT*. At the same date/time we will also release a "hot patch" so *NIX users can fix the issue without restart.

We recommend admins to apply the patch (or to upgrade) soon after it has been released on Friday. This is also why there is a preannouncement with an exact date and time, so people can be "ready".

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2022-01-07 14:32:18
|
Hi everyone,

The release candidate for UnrealIRCd 6.0.2 is now available for testing (6.0.2-rc1). This fixes a number of issues and contains several nice feature enhancements, see the release notes <https://github.com/unrealircd/unrealircd/blob/35c3c87dc443fa6c0481bf65779b135f9521ed9e/doc/RELEASE-NOTES.md#unrealircd-602-rc1> for more information.

If you find any issues with this release candidate, let us know so we can fix them before the real 6.0.2 stable release. Thanks!

As always, you can download UnrealIRCd from https://www.unrealircd.org/

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2021-12-29 15:12:27
|
Hi everyone,

Two new releases today: UnrealIRCd 6.0.1 and UnrealIRCd 5.2.3. Both of them fix a number of small issues.

*UnrealIRCd 5*

The UnrealIRCd 5 series will receive bug fixes until July 1, 2022 and security fixes until July 1, 2023. To read what has changed between 5.2.2 and 5.2.3, see the release notes <https://github.com/unrealircd/unrealircd/blob/9ea7aebef2d43152ae202d4ac2f7271f93f2de12/doc/RELEASE-NOTES.md#unrealircd-523-release-notes>.

*UnrealIRCd 6*

If you are already running 6.0.0, then see the list of changes between 6.0.0 and 6.0.1 in the release notes <https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#unrealircd-601>. If you are new to UnrealIRCd 6 then continue reading below:

UnrealIRCd 6 comes with a completely redone logging system (with optional JSON support), named extended bans, four new IRCv3 features, GeoIP support and remote includes support built-in. Additionally, things are more customizable such as what gets sent to which snomask. All the +vhoaq channel modes are now modular as well, handy for admins who don't want or need halfops or +q/+a. For WHOIS it is now customizable in detail who gets to see what.

Many 3rd party modules have not been upgraded yet for use in UnrealIRCd 6. If you use these, or if you are a bit cautious with upgrading in general, then just stay with UnrealIRCd 5 for now.

How to get started with UnrealIRCd 6:

  * For a /short summary/ of the new features, see: What's new in UnrealIRCd 6 <https://www.unrealircd.org/docs/What's_new_in_UnrealIRCd_6>
  * For the /complete list/ of features/changes with all the details, see the release notes <https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#summary>.
  * Upgrading? Read Upgrading from 5.x to 6.x <https://www.unrealircd.org/docs/Upgrading_from_5.x>
  * As always, you can download UnrealIRCd from https://www.unrealircd.org/.

--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|