unreal-notify

UnrealIRCd 5.0.5.1 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

Unfortunately we had to release a fix 2 days after 5.0.5 release. This
reverts the previously mentioned UTF8 support in Spamfilter. The reason
for this is that there is currently a bug in the PCRE2 regex library
which causes the IRCd to hang/freeze on certain regexes, in particular
ones which use () groups. Once PCRE2 has fixed this issue and has done
more tests, we may be able to reintroduce the issue in a future version,
but for now it is gone.

UnrealIRCd 5.0.5(.1) is now available. This releases focuses mainly on
new features, while also fixing a few bugs. See the release notes
<https://github.com/unrealircd/unrealircd/blob/d1d0237f2df2fc83d8dc235ed139d45de342a138/doc/RELEASE-NOTES.md#unrealircd-5051-release-notes>
for full details.

*UnrealIRCd 5!*

After more than 6 months of hard work, UnrealIRCd 5 was released in
December 2019 and is now our "stable" branch. In particular I would like
to thank Gottem and 'i' for their source code contributions and PeGaSuS
and westor for testing releases.
When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of
source code added/removed during 3 years of development. This time it
was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full
release notes are available here
<https://github.com/unrealircd/unrealircd/blob/d1d0237f2df2fc83d8dc235ed139d45de342a138/doc/RELEASE-NOTES.md#unrealircd-5>.
If you have some spare time, we recommended reading the full release
notes (the new and changed sections, anyway) so you don't miss out on
anything.

If you are upgrading from 4.x to 5.x then it would be wise to read
Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>.
In any case, be sure to upgrade your services package first! (if you use
any). UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 will be maintained until 31 December 2020 (security fixes
only). After that date UnrealIRCd 4 is no longer supported
<https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>.
Admins are recommended to upgrade to UnrealIRCd 5 in the first half of 2020.

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.5 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 5.0.5 is now available. This releases focuses mainly on new
features, while also fixing a few bugs. See the release notes
<https://github.com/unrealircd/unrealircd/blob/8213eca7d6d310e4d93034d51b9c9ddc444957e2/doc/RELEASE-NOTES.md#unrealircd-505-release-notes>
for full details.

*UnrealIRCd 5!*

After more than 6 months of hard work, UnrealIRCd 5 was released in
December 2019 and is now our "stable" branch. In particular I would like
to thank Gottem and 'i' for their source code contributions and PeGaSuS
and westor for testing releases.
When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of
source code added/removed during 3 years of development. This time it
was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full
release notes are available here
<https://github.com/unrealircd/unrealircd/blob/8213eca7d6d310e4d93034d51b9c9ddc444957e2/doc/RELEASE-NOTES.md#unrealircd-5>.
If you have some spare time, we recommended reading the full release
notes (the new and changed sections, anyway) so you don't miss out on
anything.

If you are upgrading from 4.x to 5.x then it would be wise to read
Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>.
In any case, be sure to upgrade your services package first! (if you use
any). UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 will be maintained until 31 December 2020 (security fixes
only). After that date UnrealIRCd 4 is no longer supported
<https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>.
Admins are recommended to upgrade to UnrealIRCd 5 in the first half of 2020.

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.4 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

It has been 2 months since previous UnrealIRCd release and the world has
changed a lot. We hope everyone is alright in these times.

This new 5.0.4 version fixes quite a number of bugs, there are only two
small feature improvements. See the release notes
<https://github.com/unrealircd/unrealircd/blob/a8a819614778f2963e56dc89a6968d2eda29f883/doc/RELEASE-NOTES.md#unrealircd-504-release-notes>
for full details.

*UnrealIRCd 5 is here!*

After more than 6 months of hard work UnrealIRCd 5 was released in
December 2019 and is now our new "stable" branch. In particular I would
like to thank Gottem and 'i' for their source code contributions and
PeGaSuS and westor for testing releases.
When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of
source code added/removed during 3 years of development. This time it
was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full
release notes are available here
<https://github.com/unrealircd/unrealircd/blob/a8a819614778f2963e56dc89a6968d2eda29f883/doc/RELEASE-NOTES.md#unrealircd-5>.
If you have some spare time, we recommended reading the full release
notes (the new and changed sections, anyway) so you don't miss out on
anything.

If you are upgrading from 4.x to 5.x then it would be wise to read
Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>.
In any case, be sure to upgrade your services package first! (if you use
any). UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 will be maintained until 31 December 2020 (security fixes
only). After that date UnrealIRCd 4 is no longer supported
<https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>.
Admins are recommended to upgrade to UnrealIRCd 5 somewhere in the first
half of 2020.

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.3.1 released (fixes crash issue in 5.0.3)

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

Apologies to bother you again.

UnrealIRCd 5.0.3 which was released last Saturday turned out to contain
another crash bug. The download has now been replaced with 5.0.3.1.

  * *For users using 5.0.0/5.0.1/5.0.2*: _no additional action_ is
    needed as this issue only affects 5.0.3 (this assumes you already
    installed the "hot patch" from Saturday
    <https://forums.unrealircd.org/viewtopic.php?f=1&t=8978>)
  * *For users running 5.0.3*: simply fix the issue by running this
    command in your UnrealIRCd directory, _no restart needed_:
    ./unrealircd hot-patch historycrash
  * *For new installations**(and also for Windows users)* you can
    install the newly released 5.0.3.1

I'm glad the ~150 admins who already upgraded to UnrealIRCd 5.0.3 can
again fix this issue without a restart so users won't notice anything.
Still, I apologize for the recent flood of announcements and releases.

**Additional information on the hot patch
**

Go to your UnrealIRCd directory: cd /home/youraccount/unrealircd
Then simply run: ./unrealircd hot-patch historycrash

After a lot of output it should end with this:

Patch applied successfully and installed. Rehashing your IRCd...
Rehashing UnrealIRCd
Done! All should be good now.

The command only works on UnrealIRCd 5.0.3. You should not use it on any
other version since only 5.0.3 has this bug.

*UnrealIRCd 5 is here!*

After more than 6 months of hard work UnrealIRCd 5 is now our new
"stable" branch. In particular I would like to thank Gottem and 'i' for
their source code contributions and PeGaSuS and westor for testing releases.
When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of
source code added/removed during 3 years of development. This time it
was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full
release notes are available here
<https://github.com/unrealircd/unrealircd/blob/21278d254963cfa6555e27b38228d7a5c3b8ce48/doc/RELEASE-NOTES.md#unrealircd-5>.
If you have some spare time, we recommended reading the full release
notes (the new and changed sections, anyway) so you don't miss out on
anything.

If you are upgrading from 4.x to 5.x then it would be wise to read
Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>.
In any case, be sure to upgrade your services package first! (if you use
any). UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 is now called "oldstable" and will be maintained until 31
December 2020 (major bugfixes only). After that date UnrealIRCd 4 is no
longer supported <https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>.
Admins are recommended to upgrade to UnrealIRCd 5 somewhere in the first
half of 2020.

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.3 released (fixes flood issue)

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 5.0.3 is out. It fixes a user-triggerable flood issue with
labeled-response. This can be abused to start a serious flood on
multi-server networks.
We recommend users running 5.0.0/5.0.1/5.0.2 to apply the "hot patch" to
_fix the issue without a restart_ (see below) or to upgrade to 5.0.3.
To apply the hot patch, run the following command on your IRCd shell:
wget https://www.unrealircd.org/patches/labeledresponseflood-patcher &&
sh ./labeledresponseflood-patcher

Below is a short FAQ / Q&A on the hot patch. Further down is the
original UnrealIRCd 5 announcement.

The complete UnrealIRCd 5.0.3 release notes can be found here
<https://github.com/unrealircd/unrealircd/blob/a283a1cf51b5a35bc73f82d93122e2b59aac0dfc/doc/RELEASE-NOTES.md#unrealircd-503-release-notes>.
The 5.0.3 release contains several /other/ fixes and enhancements, such
as a new HISTORY command to retrieve
<https://www.unrealircd.org/docs/Channel_history#Ways_to_retrieve_history>
up to 100 lines of channel history (the limits in +H still apply).

*Q&A on the hot patch*

*How serious is the flood issue? Can it be abused?
*It can be triggered on purpose but it can also be triggered
accidentally. It will start a flood between servers which can consume
high amounts of bandwidth. Other than high bandwidth and possibly high
CPU usage there will be no signs of the flood to IRCOps. If you only
have one UnrealIRCd 5.x server then the issue cannot be triggered.

*Which UnrealIRCd versions are affected?
*UnrealIRCd 5.0.0, 5.0.1 and 5.0.2. The UnrealIRCd 4.x series are not
affected.

*What is hot patching?
*It is possible to fix this issue without having to restart your IRCd.
This is generally welcomed by admins. UnrealIRCd can do this because
most of the code is in modules that can be reloaded on the fly.

*I am on Windows, can I also use the hot patch?*
No, sorry, on Windows you will have to upgrade to UnrealIRCd 5.0.3.

*How do I apply the patch?
*Simply SSH to your IRCd shell and then run:
wget https://www.unrealircd.org/patches/labeledresponseflood-patcher &&
sh ./labeledresponseflood-patcher

*I don't trust the shell script, can I view the exact patch?
*Yes, you can also download the recommended patch as a .tar.gz instead.
It is available from
https://www.unrealircd.org/patches/labeledresponseflood-patcher.tar.gz

*UnrealIRCd 5 is here!*

After more than 6 months of hard work UnrealIRCd 5 is now our new
"stable" branch. In particular I would like to thank Gottem and 'i' for
their source code contributions and PeGaSuS and westor for testing releases.
When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of
source code added/removed during 3 years of development. This time it
was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full
release notes are available here
<https://github.com/unrealircd/unrealircd/blob/21278d254963cfa6555e27b38228d7a5c3b8ce48/doc/RELEASE-NOTES.md#unrealircd-5>.
If you have some spare time, we recommended reading the full release
notes (the new and changed sections, anyway) so you don't miss out on
anything.

If you are upgrading from 4.x to 5.x then it would be wise to read
Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>.
In any case, be sure to upgrade your services package first! (if you use
any). UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 is now called "oldstable" and will be maintained until 31
December 2020 (major bugfixes only). After that date UnrealIRCd 4 is no
longer supported <https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>.
Admins are recommended to upgrade to UnrealIRCd 5 somewhere in the first
half of 2020.

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.2 released (fixes desync issue)

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 5.0.2 is out. It fixes a desync issue with halfops. When two
servers link, users with halfops will not appear on the other side of
the link, creating a so called "ghost user". This bug is present in both
5.0.0 and 5.0.1.
We recommend users running these versions to apply the "hot patch" to
_fix the issue without a restart_ (see below) or to upgrade to 5.0.2.
To apply the hot patch, run the following command on your IRCd shell:
wget https://www.unrealircd.org/patches/halfop-patcher && sh
./halfop-patcher

Below is a short FAQ / Q&A on the hot patch. Further down is the
original UnrealIRCd 5 announcement.

The complete UnrealIRCd 5.0.2 release notes can be found here
<https://github.com/unrealircd/unrealircd/blob/21278d254963cfa6555e27b38228d7a5c3b8ce48/doc/RELEASE-NOTES.md#unrealircd-502-release-notes>.
The 5.0.2 release contains several /other/ fixes and enhancements, such
as extended server bans
<https://www.unrealircd.org/docs/Extended_server_bans>.

*Q&A on the hot patch*

*How serious is the halfop desync issue? Can it be abused?
*This bug creates a "ghost user". These are users that exist in the
channel on server A but are not seen as in the channel by other users on
server B. First of all this creates a confusing situation where the nick
list is different on server A compared to server B. It can also have
more serious consequences if it is done on purpose. The ghost user /may/
see channel messages without other channel members being aware of it.
This highly depends on the channel settings and the linking topology.
There are also mitigating factors:

  * On a single-server unrealircd network this problem does not exist
  * On a multi-server network, usually at least a few other users are on
    the other side of the link. Those users will see that an additional
    person is present on that side.
  * A server (re)connect is needed to trigger the issue. So a netsplit
    or server restart. As long as your servers stay connected to each
    other, users cannot trigger the issue.

*Which UnrealIRCd versions are affected?
*UnrealIRCd 5.0.0 and 5.0.1. The UnrealIRCd 4.x series are not affected.

*What is hot patching?
*It is possible to fix this issue without having to restart your IRCd.
This is generally welcomed by admins. UnrealIRCd can do this because
most of the code is in modules that can be reloaded on the fly.

*I am on Windows, can I also use the hot patch?*
No, sorry, on Windows you will have to upgrade to UnrealIRCd 5.0.2.

*How do I apply the patch?
*Simply SSH to your IRCd shell and then run:
wget https://www.unrealircd.org/patches/halfop-patcher && sh
./halfop-patcher

*I don't trust the shell script, can I view the exact patch?
*Yes, you can also download the recommended patch as a .tar.gz instead.
It is available from
https://www.unrealircd.org/patches/halfop-patcher.tar.gz

*UnrealIRCd 5 is here!*

After more than 6 months of hard work UnrealIRCd 5 is now our new
"stable" branch. In particular I would like to thank Gottem and 'i' for
their source code contributions and PeGaSuS and westor for testing releases.
When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of
source code added/removed during 3 years of development. This time it
was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full
release notes are available here
<https://github.com/unrealircd/unrealircd/blob/21278d254963cfa6555e27b38228d7a5c3b8ce48/doc/RELEASE-NOTES.md#unrealircd-5>.
If you have some spare time, we recommended reading the full release
notes (the new and changed sections, anyway) so you don't miss out on
anything.

If you are upgrading from 4.x to 5.x then it would be wise to read
Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>.
In any case, be sure to upgrade your services package first! (if you use
any). UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 is now called "oldstable" and will be maintained until 31
December 2020 (major bugfixes only). After that date UnrealIRCd 4 is no
longer supported <https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>.
Admins are recommended to upgrade to UnrealIRCd 5 somewhere in the first
half of 2020.

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.1 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

This UnrealIRCd 5.0.1 release fixes a few issues present in 5.0.0. The
release notes for 5.0.1 can be found here
<https://github.com/unrealircd/unrealircd/blob/672153cc4d9e4639dc6a2efd8812740eb3ab6886/doc/RELEASE-NOTES.md#unrealircd-501-release-notes>.


*UnrealIRCd 5 is here!*

After more than 6 months of hard work UnrealIRCd 5 is now our new
"stable" branch. In particular I would like to thank Gottem and 'i' for
their source code contributions and PeGaSuS and westor for testing releases.
When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of
source code added/removed during 3 years of development. This time it
was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full
release notes are available here
<https://github.com/unrealircd/unrealircd/blob/672153cc4d9e4639dc6a2efd8812740eb3ab6886/doc/RELEASE-NOTES.md#unrealircd-5>.
If you have some spare time, we recommended reading the full release
notes (the new and changed sections, anyway) so you don't miss out on
anything.

If you are upgrading from 4.x to 5.x then it would be wise to read
Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>.
In any case, be sure to upgrade your services package first! (if you use
any). UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*A word on third party modules*

Because of the many code changes in UnrealIRCd 5, all 3rd party modules
that work on UnrealIRCd 4 don't work on UnrealIRCd 5 out of the box. In
fact, modules need quite a lot of changes to work with UnrealIRCd 5.

Gottem and k4be have updated and uploaded their 3rd party modules
<https://modules.unrealircd.org/> to unrealircd-contrib so *NIX users
can now easily install them using the new Module manager
<https://www.unrealircd.org/docs/Module_manager>.

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 is now called "oldstable" and will be maintained until 31
December 2020 (major bugfixes only). After that date UnrealIRCd 4 is no
longer supported <https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>.
Admins are recommended to upgrade to UnrealIRCd 5 somewhere in the first
half of 2020.

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.0 released

[Bram M. <sy...@un...>]

Hi everyone,

*UnrealIRCd 5 is here!*

Today, Friday the 13th of December 2019, we are releasing UnrealIRCd
5.0.0. After more than 6 months of hard work UnrealIRCd 5 is now our new
"stable" branch.
In particular I would like to thank Gottem and 'i' for their source code
contributions and PeGaSuS and westor for testing releases.
When we transitioned from 3.2.x to 4.0.0 there were 175,000 lines of
source code added/removed during 3 years of development. This time it
was 120,000 lines in only 8 months, a major effort!

A short summary of release highlights is available here
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5>. The full
release notes are available here
<https://github.com/unrealircd/unrealircd/blob/unreal50/doc/RELEASE-NOTES.md>.
If you have some spare time, we recommended reading the full release
notes (the new and changed sections, anyway) so you don't miss out on
anything.

If you are upgrading from 4.x to 5.x then it would be wise to read
Upgrading from 4.x <https://www.unrealircd.org/docs/Upgrading_from_4.x>.
In any case, be sure to upgrade your services package first! (if you use
any). UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

*A word on third party modules*

Because of the many code changes in UnrealIRCd 5, all 3rd party modules
that work on UnrealIRCd 4 don't work on UnrealIRCd 5 out of the box. In
fact, modules need quite a lot of changes to work with UnrealIRCd 5.
At the moment, nearly all 3rd party coders have not yet updated their
modules for UnrealIRCd 5, presumably because they were waiting for 5.0.0
stable.
Once they do, we recommend those authors to submit
<https://www.unrealircd.org/docs/Rules_for_3rd_party_modules_in_unrealircd-contrib>
their modules to unrealircd-contrib so UnrealIRCd users can use the new
module manager <https://www.unrealircd.org/docs/Module_manager> to
easily install and update modules.

*UnrealIRCd 4 is still supported*

UnrealIRCd 4 is now called "oldstable" and will be maintained for the
next 12 months (major bug fixes only). Until 31 December 2020 to be
exact. After that date UnrealIRCd 4 is no longer supported
<https://www.unrealircd.org/docs/UnrealIRCd_4_EOL>.
Admins are recommended to upgrade to UnrealIRCd 5 somewhere in the first
half of 2020.

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.0-rc2 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second release candidate for UnrealIRCd 5 is out: 5.0.0-rc2. Focus
is 100% on fixing bugs and have a stable UnrealIRCd 5 release in
December 2019. You can help us a lot by testing this release. If you do,
please report any issues on https://bugs.unrealircd.org/.

The full release notes are available here
<https://github.com/unrealircd/unrealircd/blob/0f7f872a97a9c27b3c4f5cc7f385667956586066/doc/RELEASE-NOTES.md#unrealircd-500-rc2-release-notes>.

Changes between 5.0.0-rc1 and 5.0.0-rc2

  * Improve the text of some configure errors
  * The automated tests now cover more than 100 commands & features and
    we test with both anope & atheme
  * Fix bug which made atheme loop if logging to a channel
  * Fix SASL with atheme
  * Fix ident checking not always working (if enabled)
  * Fix a number of small memory leaks on rehash
  * Fix no error shown if sending a message to a +n channel
  * Fix crash with the new conditional configuration (@if $var ==
    "something")
  * Updating the ip in a listen block { } will now take effect after a
    rehash
  * Setting user mode +q (unkickable) now requires the
    self:unkickablemode operclass permission. This is included in the
    *-with-override operclasses by default.
  * Setting channel mode +L now requires +o (chanop or higher) rather
    than +q (channel owner)
  * Update numeric 470
  * KNOCK floods are now properly detected with channel mode +f.
    Unfortunately a side-effect is double knock notices if you run a
    mixed U4/U5 network.
  * Alias "type channel" was not working properly

UnrealIRCd 5 is known to work with the following services:

  * anope <https://www.anope.org/> (version 2.0.7 or higher) - with the
    "unreal4" protocol module
  * atheme <https://atheme.github.io/atheme.html> (version 7.2.9 or
    higher) - with the "unreal4" protocol module

As always, you can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.0-rc1 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

I'm pleased to announce 5.0.0-rc1, which is the first Release Candidate
for UnrealIRCd 5. There will be no module API changes anymore and no new
features will be added in the "release candidate" stage. Focus is 100%
on fixing bugs and have a stable UnrealIRCd 5 release in December 2019.
You can help us a lot by testing this release. If you do, please report
any issues on https://bugs.unrealircd.org/.

The full release notes are available here
<https://github.com/unrealircd/unrealircd/blob/dd38165cb0c7866d44108b5403435be7bc65822d/doc/RELEASE-NOTES.md#unrealircd-500-rc1-release-notes>.

Changes between 5.0.0-beta1 and 5.0.0-rc1

  * The new module manager
    <https://www.unrealircd.org/docs/Module_manager> now deals properly
    with HTTPS timeouts.
  * The automated tests were expanded a lot and now test more than 80
    different commands and features
  * Quite some fixes with regards to slightly wrong numeric output
  * Windows: if you install as a service it now runs with NetworkService
    credentials rather than LocalSystem, for increased security.
  * Fixes in require module { }
  * WARNING: if you are using anope, then be sure to run anope 2.0.7 or
    later with the unreal4 protocol module.

As always, you can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.0-beta1 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

After four 5.0.0 alpha versions we can now release the first beta. The
fact that UnrealIRCd 5 is in "beta" means it's mostly feature-complete
but not yet suitable for production servers.
Now it's time to test things thoroughly and get rid of bugs. For those
users who do dare to run it, feel free to report any issues on
https://bugs.unrealircd.org/.

The full release notes are available here
<https://github.com/unrealircd/unrealircd/blob/078c6696af4fbc22ebdd7415f038da2cfef7b46c/doc/RELEASE-NOTES.md#unrealircd-500-beta1-release-notes>.

Changes between 5.0.0-alpha4 and 5.0.0-beta1

  * New module manager <https://www.unrealircd.org/docs/Module_manager>
    (./unrealircd module) to list, install, upgrade, uninstall third
    party modules. Third party module coders can submit
    <https://www.unrealircd.org/docs/Rules_for_3rd_party_modules_in_unrealircd-contrib>
    their UnrealIRCd 5 module. Currently it only contains 1 dummy module.
  * Lots of old code for linking with UnrealIRCd 3.2.x has been removed.
  * Again, lot of restructuring in the code. Now that we are beta this
    should be much less, though.
  * New command "./unrealircd configtest" which only tests the
    configuration but does not start the server. Ideal when upgrading to
    check the configuration before you kill the old server.
  * We no longer use a blacklist for stats (set::oper-only-stats) but
    have a whitelist now instead (set::allow-user-stats).
  * Various bug- and crashfixes, such as when unloading modules, idle
    time being incorrect, SETNAME not working, REHASH issues, etc.
  * WARNING: if you are using anope, then note that starting with
    5.0.0-alpha4 you need to apply the following patch:
    https://github.com/anope/anope/commit/da6e2730c259d6d6356a0a948e85730ae34663ab.patch

As always, you can download UnrealIRCd from https://www.unrealircd.org/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.0-alpha4 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The fourth alpha version of UnrealIRCd 5 is now available for download.
This is not a stable version, it is for testing only and the server may
misbehave. Some planned functionality for UnrealIRCd 5 is still missing,
but about 90% is there. UnrealIRCd 5 alpha versions are there to give
users an early opportunity to see what the current state of UnrealIRCd 5
is. For those users who do dare to run it, feel free to report any
issues you may find or comment on the many U5 features on
https://bugs.unrealircd.org/.

The full release notes are available here
<https://github.com/unrealircd/unrealircd/blob/f5137678ff13071890a3f0d7c3ac312fba3435d8/doc/RELEASE-NOTES.md>.

Changes between 5.0.0-alpha3 and 5.0.0-alpha4

  * Various I/O engine changes to reduce CPU usage and make things more
    efficient
  * Many(!) code cleanups again
  * Support for IRCv3 draft/labeled-response-0.2
  * set::allowed-channelchars now defaults to only allowing utf8 in
    channel names (see release notes for more information)
  * Websockets now support type 'text' and you have to explicitly enable
    them per listen block (see release notes for more information)
  * Use generic numeric 531 to signal a blocked message to a person
  * We are also in the process of removing compatibility code for old
    protocols, such as UnrealIRCd 3.2.x. This will further clean up the
    source code and will get rid of old bugs
  * WARNING: if you are using anope, then note that starting with
    5.0.0-alpha4 you need to apply the following patch:
    https://github.com/anope/anope/commit/da6e2730c259d6d6356a0a948e85730ae34663ab.patch

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.0-alpha3 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The third alpha version of UnrealIRCd 5 is now available for download.
This is not a stable version, it is for testing only and the server may
misbehave. Some planned functionality for UnrealIRCd 5 is still missing,
but about 90% is there. UnrealIRCd 5 alpha versions are there to give
users an early opportunity to see what the current state of UnrealIRCd 5
is. For those users who do dare to run it, feel free to report any
issues you may find or comment on the many U5 features on
https://bugs.unrealircd.org/.

Changes between 5.0.0-alpha2 and 5.0.0-alpha3

  * Lots of code cleanups again and things that break modules
  * To protect against evading spamfilters, spamfilter now strips UTF8
    nonbreakable spaces from input.
  * ./Config asks fewer questions (this was already in alpha2) and the
    configure process is faster, since we assume you are using a modern
    OS now.
  * The floodprot module was kicking innocent users if 't' (text flood)
    was in use without 'r' (repeat)
  * New set::min-nick-length to set a minimum nick length
  * New set::require-module to require certain module(s) on linked
    UnrealIRCd 5 servers
  * Conditional configuration was not working properly
  * WATCH was not working because the numeric output was wrong, same
    with ADMIN.
  * Ban exceptions (ELINE) were not stored properly in tkl.db
  * We are also in the process of removing compatibility code for old
    protocols, such as UnrealIRCd 3.2.x. This will further clean up the
    source code and will get rid of old bugs

Most people will only want to read the release notes rather than run or
even test this version. That's perfectly fine. The release notes are
available at https://forums.unrealircd.org/viewtopic.php?f=1&t=8919

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.0-alpha2 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The second alpha version of UnrealIRCd 5, 5.0.0-alpha2, is now available
for download. This is not a stable version, it is for testing only and
the server may misbehave. Some planned functionality for UnrealIRCd 5 is
still missing, but about 90% is there. UnrealIRCd 5 alpha versions are
there to give users an early opportunity to see what the current state
of UnrealIRCd 5 is. For those users who do dare to run it, feel free to
report any issues you may find or comment on the many U5 features on
https://bugs.unrealircd.org/.

Changes between 5.0.0-alpha1 and 5.0.0-alpha2

  * Most work has been on a rewrite of the TKL system, more cleanups and
    the Windows build (now 64-bit).
  * The most notable new feature in alpha2 is the ability to add ban
    exceptions via /ELINE.
  * Bugs fixed: list modes from channeldb were not restored properly and
    a message bug that triggered atheme warnings.
  * The crash reporter has been improved (*NIX) to include more crash
    details.
  * We are also in the process of removing compatibility code for old
    protocols, such as 3.2.x. This will further clean up the source code
    and will get rid of old bugs.

Most people will only want to read the release notes rather than run or
even test this version. That's perfectly fine. The release notes are
available at https://forums.unrealircd.org/viewtopic.php?f=1&t=8918

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 5.0.0-alpha1 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

Major UnrealIRCd 5 news. First of all, U5 development is now public. On
GitHub, the repository is called 'unreal50' and on the bug tracker we
made all U5 bug reports and feature requests public as well. We are also
releasing the first alpha version, 5.0.0-alpha1. Now, this certainly
isn't a stable version, the server may crash occasionally or behave
weird. Also, some of the planned functionality for UnrealIRCd 5 is still
missing (I would say about 80% is there). This alpha version is simply
here to give users an early opportunity to see what the current state of
UnrealIRCd 5 is. For those users who do dare to run it, feel free to
report any issues you may find or comment on the many U5 features on
https://bugs.unrealircd.org/.

Most people will only want to read the release notes, rather than run or
even test this version, that's perfectly fine. The release notes are
available at https://forums.unrealircd.org/viewtopic.php?f=1&t=8914

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 4.2.4.1 and 4.x/5.x release plans

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

A new 4.2.4.1 release and an update on UnrealIRCd 4.x and 5.x release plans:

*UnrealIRCd 4.2.4.1*
UnrealIRCd 4.2.4.1 (stable) is now available for download.

This fixes an issue with Debian 10 that was released this weekend.
On Debian 10 the list of permitted SSL/TLS protocols was ignored
(set::ssl::protocols).
Other than that, set::ssl::outdated-protocols and
set::ssl::outdated-ciphers are now configurable (rarely needed, though).

Needless to say, there's no reason to upgrade to 4.2.4.1 unless you are
(newly) installing on Debian 10.

*UnrealIRCd 5 and the UnrealIRCd 4 EOL date*
The development of UnrealIRCd 5 is going well. At this point it is not
public yet nor is there a (alpha) release, but the development looks
promising enough that we expect a stable UnrealIRCd 5 out by Q4 2019.
This also means we can communicate a (provisional) End Of Life date for
UnrealIRCd 4.x, which will be December 31, 2020. After that, all support
for 4.x will end, including bug fixes and security fixes.
This means all users will have 12+ months to upgrade from UnrealIRCd 4.x
to UnrealIRCd 5.x, which is the same 12 months that users had when
moving from UnrealIRCd 3.2.x to 4.x.

The following table summarizes the support periods:
https://www.unrealircd.org/docs/UnrealIRCd_releases
As you can see, UnrealIRCd 4 is now also effectively bugfix only. With
all new features being done on the 5.x branch.

More UnrealIRCd 5.x news can be expected at the end of July / early
August, 2019.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 4.2.4 released (also fixes crash issue)

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.2.4 (stable) is now available for download.

This release fixes a crash issue if UnrealIRCd is configured to use utf8
or chinese character sets in set::allowed-nickchars
<https://www.unrealircd.org/docs/Nick_Character_Sets>. This is not the
default.
We don't expect many users to run their IRCd with this enabled, as the
utf8 support was tagged as experimental and the chinese/gbk
implementation is incomplete.

In addition to the bug fix from above, this release also contains a
number of other fixes and enhancements. In particular the reputation and
connthrottle modules <https://www.unrealircd.org/docs/Connthrottle> are
now working better and there were some major Windows fixes.

*Changes between version 4.2.3 and 4.2.4
*Improvements

  * Improve server linking error messages.
  * Enhance WHOX to WHO auto-conversion for "WHO +s serv.er.name"

*Major issues fixed*

  * A crash issue if using utf8 or chinese in set::allowed-nickchars
    (not the default).
  * The Windows version only accepted very few clients.
  * The Windows version should warn and not error if using old-style regex.
  * The Windows version did not save the reputation database.

*Minor issues fixed
*

  * The 'connthrottle' module incorrectly allowed 0 unknown users in
    when it was throttling, rather than the set rate.
  * The 'reputation' module did not show scores for remote users in
    /WHOIS, only after 5 minutes had passed.
  * Some users may have experienced a "Registration Timeout" error when
    connecting. This happened because their ident server accepted the
    TCP/IP connection but after that failed to respond to the ident request.
    We have now lowered set::ident::read-timeout to 15 seconds to fix this.
  * If successfully logged in using SASL then avoid an "You are already
    logged in" error message that could happen due to PASS forwarding.

*For module coders
*

  * If you are debugging or developing modules then we encourage you to
    use AddressSanitizer.
    This does come at a 5-10x performance slowdown and can consume a lot
    more memory, but it is very useful in tracing common C mistakes such
    as out of bounds read/writes, double frees, and so on. You will see
    exactly where a mistake was made. To use this, in the last ./Config
    question you answer: --enable-asan

*IRC protocol*

  * No changes in this release.

*Future versions (heads up):*

  * We intend to change the default plaintext oper policy from /warn/ to
    /deny/ in the summer of 2019. This will deny /OPER when issued from
    a non-SSL connection.
    For security, IRC Operators should really use SSL/TLS when
    connecting to an IRC server!

*Older release notes*

  * If you are not running previous release, then you may be interested
    in reading the release notes of older 4.2.x versions, these are
    available here
    <https://github.com/unrealircd/unrealircd/blob/unreal42/doc/RELEASE-NOTES.old>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 20 years: a look at the past and the future (UnrealIRCd 5)

[Bram M. <sy...@un...>]

This month UnrealIRCd celebrates its 20th birthday. I'm involved with
the project for 18 years now. I feel dedicated to the project and feel a
responsibility to IRC as a whole. Still, I think the people who really
deserve a thanks are the people who support the project by running IRC
servers, providing feedback, helping others and of course everyone who
uses IRC today. Without you, there would be no UnrealIRCd!

For those who are interested, I will tell something about the history of
the project, or at least my view on it. I will finish by briefly
touching on the future, UnrealIRCd 5.

*The birth of the project*
UnrealIRCd was founded by Stskeeps in May 1999. I was not involved with
the first 2 years of the project so that makes it a bit difficult for me
to write about this. In any case, a significant point was when
UnrealIRCd 3.0.x and 3.1.x came out in the year 2000. The latter,
UnrealIRCd 3.1.x, was already quite popular and some old users may still
remember it.

*UnrealIRCd 3.2*
In 2001 I got involved as a coder with the UnrealIRCd project, joining
Stskeeps and codemastr as head coders. This was at a time when 3.2.x was
very much under development and the first beta's came out. It took
almost 3 years from the first beta to the first stable release. In fact,
the development period was so long that many people started running beta
versions on their production network. After the first stable release in
2004 the series were maintained for 12 years. It was UnrealIRCd 3.2.x
that made us conquer the market, resulting in a market share of over
50%. Feature-wise 3.2 brought a completely new configuration file,
unlike all other IRC Daemons, which made us very flexible. Other notable
major features were: support for modules, anti-flood features like
channel mode +f and spam filtering.

*The development stall*
Then comes a period that I have mixed feelings about. There were many
satisfied UnrealIRCd 3.2.x users and indeed 3.2.x was great and very
stable as well, in fact it was our most successful series. At the same
time, it was also clear for us developers that UnrealIRCd 3.2.x could
not live on forever. The source code contained too many "quirks" and
needed major restructuring. We couldn't do such restructuring within the
3.2.x series because that would affect the stability of the server (and
other reasons). So after a while UnrealIRCd 3.2.x entered a stage where
it became "bugfix only" with few new features being added. Various
attempts were made to work on a successor series and failed. This was
also the moment that a number of people left the project due to lack of
progress and the state of codebase at the time, for which I cannot blame
them. I myself was out of the running for a while as well due to wrist
issues. In fact, I even briefly resigned my position as maintainer but I
came back after a few months.

*UnrealIRCd 4*
In 2013 I realized it was a "now or never" situation. A survey was held
among our users to learn what they found important. Then, a few months
later, in 2014, I decided to lead the development on the new series
myself. Nenolod and Heero helped and a lot of development effort took place.

Looking at the 4.0.0 release in December 2015 and the subsequent 4.x
updates that followed I think I can say 4.x was a big move forward. We
received a lot of positive feedback. The documentation was improved and
things were a lot more "consistent" and "logical" due to the many
configuration changes. Naturally there were a lot of new features and
enhancements, but the thing that made the most difference would be the
many security enhancements, such as: DNSBL checking, rate- and
target-limiting of commands, the new reputation and connthrottle
features to fight off drone attacks, and many more. These make IRC a
more peaceful place with "less noise", both for administrators and
end-users.

*UnrealIRCd 5*
Recently development was started on UnrealIRCd 5 and last week Gottem
and 'i' joined the coding team. Possibly we will welcome more coders
later. There are some major changes in the source code going on that
will enable us to implement a lot more IRCv3 features. Of course, there
will be other new features and enhancements as well. For end-users, and
in particular people new to IRC, this should bring a more positive IRC
experience. At this point in time, I don't want to go into much details
about the exact features UnrealIRCd 5 will contain, until we have a more
complete picture and the development work is at a more advanced stage.

The negative side of this is that the source code changes will affect
all modules. All 3rd party modules will require code changes. When the
time comes, we will assist module coders where necessary with
suggestions and help. The popular 3rd party modules from Gottem will get
an update for sure, no worries about that.

With previous major upgrade, when upgrading from UnrealIRCd 3.2.x to
UnrealIRCd 4.x, there were a lot of configuration items that were
changed. I can reassure everyone that the upgrade from 4.x to 5.x will
be no where like that. It should be a seamless upgrade from UnrealIRCd
4.x to UnrealIRCd 5.x with only few mandatory configuration changes, if any.

So can we see the code? Can we run it or connect to a test server? No,
not yet. However, I do expect a release in some shape or form in Q3 2019
already.

UnrealIRCd 4.2.3 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.2.3 (stable) is now available for download.

This release adds new modules to combat drones, it bumps the default
concurrent user limit, and UnrealIRCd can now easily deal with 1 million
*LINE's placed on *@IP without any noticeable performance impact.
There is also one important change with regards to old style 'posix'
spamfilters (see under "Deprecated"), these will raise a warning but
will continue to work for now.

*Changes between version 4.2.2 and 4.2.3
*Improvements

  * New optional modules reputation and connthrottle to fight drones:
      o The *reputation* module will learn what users (IP addresses) are
        frequently seen on your server and classify these as "known IP's".
        For every 5 minutes that someone is connected, the IP address
        receives +1 point. IP's with registered users receive +2 points
        per 5 minutes.
        An IRCOp can /WHOIS a user to view this "reputation score". The
        "/REPUTATION nick" and "/REPUTATION ip" commands are also available.
        Note that the reputation score is capped at a maximum of 10000
        and entries expire if the IP has not been seen online for 30
        days (or even sooner for very low reputation scores).
      o The *connthrottle* module puts users in one of these two groups:
          + "known users" with IP addresses that have been online before
            on your network for some time. By default: 2+ hours past 30
            days.
          + "new users" who have not been seen online before (or too short).
        Users in the "known users" group can connect without any
        limitation. Similarly, users who authenticate to services using
        SASL can also always get in.
        However, "new users" can be limited, for example at a maximum
        rate of 20 "new users" per minute.
        The end result and goal is that in case of a drone attack, 99%
        of your regular users can still connect as usual. This, while
        drones and other unknown IP's are limited at, for example, 20
        per minute.
        By limiting the connection rate for drones and other unknown
        users the damage is limited. It also gives IRCOps a chance to
        react and take additional countermeasures, if possible.
      o The modules are not loaded by default. If you want to use them,
        then have a look at their example configuration in the file
        conf/modules.optional.conf
      o The reputation module needs to be running for some time before
        it contains a meaningful database of "known users". Therefore
        the connthrottle module will be disabled until the reputation
        module has gathered sufficient data. This defaults to 1 week.
      o Full documentation is available at
        https://www.unrealircd.org/docs/Connthrottle
  * On *NIX we now default to 'auto' mode to discover MAXCONNECTIONS. On
    systems that support it this means UnrealIRCd supports up to 8192
    connections by default.
    It automatically falls back to a lower value such as 2048 or 1024 if
    the user account has a lower limit or if the OS does not support it.
    We recommend users to no longer set any specific value in ./Config
    and just leave it at 'auto'.
    If you want to see the effective limit, then look at this message
    when you start the server on the console: "This server can handle
    XYZ concurrent sockets".
  * UnrealIRCd now uses a technique that makes KLINE's, GLINE's and
    (G)ZLINE's placed on individual IP's (*@IP) extremely fast. Just to
    illustrate:
      o Previously it took 129 seconds to add 100k ZLINE's, now it takes
        2.5 secs.
      o Checking a connection against 100,000 ZLINE's is now 250 times
        faster.
      o Previously 7,500 clients could connect per minute, now 33,560
        per minute.
      o Even with 1 million ZLINE's on *@IP it can handle 30,000
        connections p/m.
      o Rejecting Z-lined users is even faster at 435,000 connections
        per minute with 100,000 active ZLINE's.
    Benchmarked on a 2GHz Intel Xeon Skylake CPU with Linux 4.15. To
    benefit from these speed improvements, just place a *LINE on *@IP.
  * When the server has just been restarted, many users will reconnect
    and rejoin channels. We now disable the join flood limit in channel
    mode +f during the first 75 seconds since startup.
    This so the channel does not become +i or +R due to "flooding". See:
    https://www.unrealircd.org/docs/Set_block#set::modef-boot-delay

Deprecated

  * Spamfilter has 3 matching methods: 'simple', 'regex' and 'posix'.
    The old method 'posix' is deprecated as this uses the TRE regex
    library which contains bugs and has not been maintained for more
    than 10 years.
    On *NIX the 'make install' script will try to upgrade the example
    spamfilter.conf. This may not work if you have customizations in
    that file or if it was originating from 3.2.x.
    Helpful warnings or error messages are printed when you try to start
    UnrealIRCd, to guide the user in this upgrade process. For details see:
    https://www.unrealircd.org/docs/FAQ#spamfilter-posix-deprecated
    https://www.unrealircd.org/docs/FAQ#old-spamfilter-conf

*Minor issues fixed
*

  * Changing the set::anti-flood::invite-flood setting had no effect.
  * Sometimes when a server (re)links to the network via 2+ connections
    it could trigger a race condition where the server would be delinked
    again.

*For module coders
*

  * We now compile with a lot more compiler warnings enabled by default.
    Similarly, our Travis-CI compiles with --with-werror which enables
    the -Werror compiler option, which you may want to use as well. This
    enables the compiler to detect more possible bugs and sketchy code.
  * Some modules still prepend DLLFUNC to functions. This is unnecessary.
  * Similarly, if (!cep->ce_varname) is unnecessary, it never happens.
  * The functions del_Command() and such have been removed. You never
    needed to use this. Just use CommandAdd() and UnrealIRCd takes care
    of the rest.
  * For command functions we encourage you to use CMD_FUNC(m_something),
    this is not new.
    New is that we now also have something similar for command
    overrides, namely: CMD_OVERRIDE_FUNC(override_something).
    This way you don't have to type yourself the int parc, char *parv[]
    etc. stuff and this way we can also easily change the passed
    parameters in the future in an automatic way. Eg: provide more
    variables.
  * If you use linked lists and you use AddListItem() or DelListItem()
    then you should always have pointers to prev and next at the
    beginning of your struct (and in that order!), otherwise you risk
    memory corruption.
    Because this is an easy mistake to make we will now abort() we
    detect such an error at runtime in AddListItem or DelListItem (on *NIX).

*IRC protocol*

  * Many things changed in previous release (4.2.2)
  * No changes in this release.

*Future versions (heads up):*

  * We intend to change the default plaintext oper policy from /warn/ to
    /deny/ in the summer of 2019. This will deny /OPER when issued from
    a non-SSL connection.
    For security, IRC Operators should really use SSL/TLS when
    connecting to an IRC server!

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 4.2.3-rc1 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

This is the first release candidate for UnrealIRCd 4.2.3. You can help
us with testing this release so we can release a 4.2.3 stable version in
May. If you find any issues, please report them at
https://bugs.unrealircd.org/

This version adds new modules to combat drones, it bumps the default
concurrent user limit, and UnrealIRCd can now easily deal with 1 million
*LINE's placed on *@IP without any noticeable performance impact.
There is also one important change with regards to old style 'posix'
spamfilters (see under "Deprecated"), these will raise a warning but
will continue to work for now.

*Changes between version 4.2.2 and 4.2.3
*Improvements

  * New optional modules reputation and connthrottle to fight drones:
      o The *reputation* module will learn what users (IP addresses) are
        frequently seen on your server and classify these as "known IP's".
        For every 5 minutes that someone is connected, the IP address
        receives +1 point. IP's with registered users receive +2 points
        per 5 minutes.
        An IRCOp can /WHOIS a user to view this "reputation score". The
        "/REPUTATION nick" and "/REPUTATION ip" commands are also available.
        Note that the reputation score is capped at a maximum of 10000
        and entries expire if the IP has not been seen online for 30
        days (or even sooner for very low reputation scores).
      o The *connthrottle* module puts users in one of these two groups:
          + "known users" with IP addresses that have been online before
            on your network for some time. By default: 2+ hours past 30
            days.
          + "new users" who have not been seen online before (or too short).
        Users in the "known users" group can connect without any
        limitation. Similarly, users who authenticate to services using
        SASL can also always get in.
        However, "new users" can be limited, for example at a maximum
        rate of 20 "new users" per minute.
        The end result and goal is that in case of a drone attack, 99%
        of your regular users can still connect as usual. This, while
        drones and other unknown IP's are limited at, for example, 20
        per minute.
        By limiting the connection rate for drones and other unknown
        users the damage is limited. It also gives IRCOps a chance to
        react and take additional countermeasures, if possible.
      o The modules are not loaded by default. If you want to use them,
        then have a look at their example configuration in the file
        conf/modules.optional.conf
      o The reputation module needs to be running for some time before
        it contains a meaningful database of "known users". Therefore
        the connthrottle module will be disabled until the reputation
        module has gathered sufficient data. This defaults to 1 week.
      o Full documentation is available at
        https://www.unrealircd.org/docs/Connthrottle
  * On *NIX we now default to 'auto' mode to discover MAXCONNECTIONS. On
    systems that support it this means UnrealIRCd supports up to 8192
    connections by default.
    It automatically falls back to a lower value such as 2048 or 1024 if
    the user account has a lower limit or if the OS does not support it.
    We recommend users to no longer set any specific value in ./Config
    and just leave it at 'auto'.
    If you want to see the effective limit, then look at this message
    when you start the server on the console: "This server can handle
    XYZ concurrent sockets".
  * UnrealIRCd now uses a technique that makes KLINE's, GLINE's and
    (G)ZLINE's placed on individual IP's (*@IP) extremely fast. Just to
    illustrate:
      o Previously it took 129 seconds to add 100k ZLINE's, now it takes
        2.5 secs.
      o Checking a connection against 100,000 ZLINE's is now 250 times
        faster.
      o Previously 7,500 clients could connect per minute, now 33,560
        per minute.
      o Even with 1 million ZLINE's on *@IP it can handle 30,000
        connections p/m.
      o Rejecting Z-lined users is even faster at 435,000 connections
        per minute with 100,000 active ZLINE's.
    Benchmarked on a 2GHz Intel Xeon Skylake CPU with Linux 4.15. To
    benefit from these speed improvements, just place a *LINE on *@IP.
  * When the server has just been restarted, many users will reconnect
    and rejoin channels. We now disable the join flood limit in channel
    mode +f during the first 75 seconds since startup.
    This so the channel does not become +i or +R due to "flooding". See:
    https://www.unrealircd.org/docs/Set_block#set::modef-boot-delay

Deprecated

  * Spamfilter has 3 matching methods: 'simple', 'regex' and 'posix'.
    The old method 'posix' is deprecated as this uses the TRE regex
    library which contains bugs and has not been maintained for more
    than 10 years.
    On *NIX the 'make install' script will try to upgrade the example
    spamfilter.conf. This may not work if you have customizations in
    that file or if it was originating from 3.2.x.
    Helpful warnings or error messages are printed when you try to start
    UnrealIRCd, to guide the user in this upgrade process. For details see:
    https://www.unrealircd.org/docs/FAQ#spamfilter-posix-deprecated
    https://www.unrealircd.org/docs/FAQ#old-spamfilter-conf

*Minor issues fixed
*

  * Changing the set::anti-flood::invite-flood setting had no effect.
  * Sometimes when a server (re)links to the network via 2+ connections
    it could trigger a race condition where the server would be delinked
    again.

*For module coders
*

  * We now compile with a lot more compiler warnings enabled by default.
    Similarly, our Travis-CI compiles with --with-werror which enables
    the -Werror compiler option, which you may want to use as well. This
    enables the compiler to detect more possible bugs and sketchy code.
  * Some modules still prepend DLLFUNC to functions. This is unnecessary.
  * Similarly, if (!cep->ce_varname) is unnecessary, it never happens.
  * The functions del_Command() and such have been removed. You never
    needed to use this. Just use CommandAdd() and UnrealIRCd takes care
    of the rest.
  * For command functions we encourage you to use CMD_FUNC(m_something),
    this is not new.
    New is that we now also have something similar for command
    overrides, namely: CMD_OVERRIDE_FUNC(override_something).
    This way you don't have to type yourself the int parc, char *parv[]
    etc. stuff and this way we can also easily change the passed
    parameters in the future in an automatic way. Eg: provide more
    variables.
  * If you use linked lists and you use AddListItem() or DelListItem()
    then you should always have pointers to prev and next at the
    beginning of your struct (and in that order!), otherwise you risk
    memory corruption.
    Because this is an easy mistake to make we will now abort() we
    detect such an error at runtime in AddListItem or DelListItem (on *NIX).

*IRC protocol*

  * Many things changed in previous release (4.2.2)
  * No changes in this release.

*Future versions (heads up):*

  * We intend to change the default plaintext oper policy from /warn/ to
    /deny/ in the summer of 2019. This will deny /OPER when issued from
    a non-SSL connection.
    For security, IRC Operators should really use SSL/TLS when
    connecting to an IRC server!

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 4.2.2 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.2.2 (stable) is now available for download. It contains
several major enhancements, in particular with regards to flood controls.
It also fixes a crash issue in the websocket module. Note that this is
module is not loaded by default (only via modules.optional.conf or
explicitly via a loadmodule "websocket").

*Changes between version 4.2.1 and 4.2.2*

**Improvements

  * Quicker connection handshake for clients which use CAP and/or SASL.
  * With "TOPIC #chan" and "MODE #chan +b" (and +e/+I) you can see who
    set the topic and bans/exempts/invex. The default is to only show
    the nick of the person who set the item. This can be changed (not
    the default) by setting:
    set { topic-setter nick-user-host; };
    set { ban-setter nick-user-host; };
  * The 'set by' and 'set at' information for +beI lists are now
    synchronized when servers link. You still see the MODE originating
    from the server, however when the banlist is queried you will now be
    able to see the original nick and time of the bansetter rather than
    serv.er.name.
    If you want the OLD behavior you can use: set { ban-setter-sync no; };
  * The default maximum topic length has been increased from 307 to 360.
  * You can now set more custom limits. The default settings are shown
    below:
    set {
        topic-length 360; /* maximum: 360 */
        away-length 307; /* maximum: 360 */
        quit-length 307; /* maximum: 395 */
        kick-length 307; /* maximum: 360 */
    };
  * The message sent to users upon *LINE can now be adjusted completely
    via set::reject-message::kline
    <https://www.unrealircd.org/docs/Set_block#set::reject-message> and
    set::reject-message::gline
    <https://www.unrealircd.org/docs/Set_block#set::reject-message>.
  * New set::anti-flood::max-concurrent-conversations
    <https://www.unrealircd.org/docs/Set_block#set::anti-flood::max-concurrent-conversations>
    which configures the maximum number of conversations a user can have
    with other users at the same time.
    Until now this was hardcoded at limiting /MSG and /INVITE to 20
    different users in a 15 second period. The new default is 10 users,
    which serves as a protection measure against spambots.
  * New set::max-targets-per-command
    <https://www.unrealircd.org/docs/Set_block#set::max-targets-per-command>
    which configures the maximum number of targets accepted for a
    command, such as 4 to allow e.g. /MSG nick1,nick2,nick3,nick4 hi.
    Also changed the following defaults (previously hardcoded):
      o PRIVMSG from 20 to 4 targets, to counter /amsg spam
      o NOTICE from 20 to 1 target, to counter /anotice spam
      o KICK from 1 to 4 targets, to make it easier for channel
        operators to quickly kick a large amount of spambots
  * Added INVITE and KNOCK flood protection (command rate limiting):
      o set::anti-flood::invite-flood
        <https://www.unrealircd.org/docs/Set_block#set::anti-flood::invite-flood>
        now defaults to 4 per 60 seconds (previously the effective limit
        was 1 invite per 6 seconds).
      o set::anti-flood::knock-flood
        <https://www.unrealircd.org/docs/Set_block#set::anti-flood::knock-flood>
        now defaults to 4 per 120 seconds.
  * New set::outdated-tls-policy
    <https://www.unrealircd.org/docs/Set_block#set::outdated-tls-policy>
    which describes what to do with clients that use outdated SSL/TLS
    protocols (eg: TLSv1.0) and ciphers.
    The default settings are to warn in all cases: users connecting,
    opers /OPER'ing up and servers linking in. The user will see a
    message telling them to upgrade their IRC client.
    This should help with migrating such users, since in the future, say
    one or two years from now, we would want to change the default to
    only allow TSLv1.2+ with ciphers that provide Forward Secrecy.
    Instead of rejecting clients without any error message, this
    provides a way to warn them and give them some time to upgrade their
    outdated IRC client.

Major issues fixed

  * Crash issue in the 'websocket' module.

*Minor issues fixed
*

  * The advertised "link-security" was incorrectly downgraded from level
    2 to 1 if spkifp was used as an authentication method.
  * In case of a crash, the ./unrealircd backtrace script was not
    working correctly in non-English environments, leading to less
    accurate bug reports.
  * Various crashes if a server receives incorrect commands from a
    trusted linked server.
  * A number of memory leaks on REHASH (about 1K).
  * SASL was not working post-registration, eg: when services link back
    in. This is now fixed in UnrealIRCd, but may require a services
    update as well.

*Changed
*

  * The noctcp user mode (+T) will now only block CTCP's and not CTCP
    REPLIES. Also, IRCOps can bypass user mode +T restrictions.
  * The server will warn if your ulines { } are matching UnrealIRCd servers.
  * The m_whox module now contains various features that m_who already had.
    Also, m_whox will try to convert classic UnrealIRCd WHO requests
    such as "WHO +i 127.0.0.1" to whox style "WHO 127.0.0.1 i".
    Unfortunately auto-converting WHO requests is not always possible.
    When in doubt the WHOX syntax is assumed. Users are thus (still)
    encouraged to use the whox style when m_whox is loaded.

*For module coders
*

  * New hook HOOKTYPE_WELCOME
    <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_WELCOME>
    (aClient *acptr, int after_numeric): allows you to send a message at
    very specific places during the initial welcome.
  * New Isupport functions: IsupportSet, IsupportSetFmt and
    IsupportDelByName.
  * The M_ANNOUNCE flag in the command add functions should no longer be
    used as CMDS= is removed. Please update your module.
  * New "SJSBY" in PROTOCTL, which is used in SJOIN to sync extra data.
    See the last part of the SJOIN documentation
    <https://www.unrealircd.org/docs/Server_protocol:SJOIN_command>.
  * For a command with 2 arguments, eg "PRIVMSG #a :txt", parv[1] is
    "#a", parv[2] is "txt" and parv[3] is NULL. Any arguments beyond
    that, such as parv[4] should not be accessed. To help module coders
    with detecting such bugs we now poison unused parv[] elements that
    should never be accessed. Note that without this poison your code
    will also crash, now it just crashes more consistently.

*IRC protocol*

  * Many changes in the tokens used in numeric 005 (RPL_ISUPPORT):
      o Removed CMDS= because this was an unnecessary abstraction and it
        was not picked up by any other IRCd.
      o The tokens KNOCK MAP USERIP have been added (moved from CMDS=..)
      o STARTTLS is no longer advertised in 005 since doing so would be
        too late. Also STARTTLS is not the preferred method of using
        SSL/TLS anyway.
      o Added TARGMAX= to communicate the limits from
        set::max-targets-per-command
        <https://www.unrealircd.org/docs/Set_block#set::max-targets-per-command>.
      o Removed the MAXTARGETS= token because TARGMAX= replaces it.
      o Added DEAF=d to signal what user mode is used for "deaf"
      o Added QUITLEN to communicate the set::quit-length setting (after
        all, why communicate length for KICK but not for QUIT?).
      o The 005 tokens are now sorted alphabetically
  * When hitting the TARGMAX limit (set::max-targets-per-command), for
    example with /MSG k001,k002,k003,k004,k005 hi, you will see:
    :server 407 me k005 :Too many targets. The maximum is 4 for PRIVMSG.
  * When hitting the set::anti-flood::max-concurrent-conversations limit
    (so not per command, but per time frame), you will see:
    :server 439 me k011 :Message target change too fast. Please wait 7
    seconds
  * When hitting the set::anti-flood::invite-flood limit you will get:
    :server 263 me INVITE :Flooding detected. Please wait a while and
    try again.
  * When hitting the set::anti-flood::knock-flood limit you will get:
    :server 480 me :Cannot knock on #channel (You are KNOCK flooding)
  * Not a protocol change. But when a server returns from a netsplit and
    syncs modes such as: :server MODE #chan +b this!is...@an...n
    Then later on you can query the banlist (MODE #chan b) and you may
    see the actual original setter and timestamp of the ban.
    If a user wishes to see the banlist then IRC clients are encouraged
    to actively query the banlist before displaying it. Fortunately
    most, if not all, clients do this.
  * If the set::topic-setter or set::ban-setter are set to
    nick-user-host then the "added by" field in numerics that show these
    entries will contain nick!user@host instead of nick, eg:
    :server 367 me #channel this!is...@so...n bansetter!user@some.host
    1549461765

*Future versions (heads up):*

  * We intend to change the default plaintext oper policy from /warn/ to
    /deny/ in the year 2019. This will deny /OPER when issued from a
    non-SSL connection.
    For security, IRC Operators should really use SSL/TLS when
    connecting to an IRC server!

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 4.2.2-rc2 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

This is the second release candidate for UnrealIRCd 4.2.2. You can help
us with testing this release so we can release a 4.2.2 stable version in
March 2019. If you find any issues, please do report them at
https://bugs.unrealircd.org/
The release contains a lot of enhancements, in particular with regards
to flood controls.

This -rc2 version fixes a number of important issues present in -rc1,
such as a crash bug if ::ssl-options is used, and an issue when syncing
channels in a mixed version UnrealIRCd network.

*Changes between version 4.2.1 and 4.2.2
*Improvements

  * Quicker connection handshake for clients which use CAP and/or SASL.
  * With "TOPIC #chan" and "MODE #chan +b" (and +e/+I) you can see who
    set the topic and bans/exempts/invex. The default is to only show
    the nick of the person who set the item. This can be changed (not
    the default) by setting:
    set { topic-setter nick-user-host; };
    set { ban-setter nick-user-host; };
  * The 'set by' and 'set at' information for +beI lists are now
    synchronized when servers link. You still see the MODE originating
    from the server, however when the banlist is queried you will now be
    able to see the original nick and time of the bansetter rather than
    serv.er.name.
    If you want the OLD behavior you can use: set { ban-setter-sync no; };
  * The default maximum topic length has been increased from 307 to 360.
  * You can now set more custom limits. The default settings are shown
    below:
    set {
        topic-length 360; /* maximum: 360 */
        away-length 307; /* maximum: 360 */
        quit-length 307; /* maximum: 395 */
        kick-length 307; /* maximum: 360 */
    };
  * The message sent to users upon *LINE can now be adjusted completely
    via set::reject-message::kline
    <https://www.unrealircd.org/docs/Set_block#set::reject-message> and
    set::reject-message::gline
    <https://www.unrealircd.org/docs/Set_block#set::reject-message>.
  * New set::anti-flood::max-concurrent-conversations
    <https://www.unrealircd.org/docs/Set_block#set::anti-flood::max-concurrent-conversations>
    which configures the maximum number of conversations a user can have
    with other users at the same time.
    Until now this was hardcoded at limiting /MSG and /INVITE to 20
    different users in a 15 second period. The new default is 10 users,
    which serves as a protection measure against spambots.
  * New set::max-targets-per-command
    <https://www.unrealircd.org/docs/Set_block#set::max-targets-per-command>
    which configures the maximum number of targets accepted for a
    command, such as 4 to allow e.g. /MSG nick1,nick2,nick3,nick4 hi.
    Also changed the following defaults (previously hardcoded):
      o PRIVMSG from 20 to 4 targets, to counter /amsg spam
      o NOTICE from 20 to 1 target, to counter /anotice spam
      o KICK from 1 to 4 targets, to make it easier for channel
        operators to quickly kick a large amount of spambots
  * Added INVITE and KNOCK flood protection (command rate limiting):
      o set::anti-flood::invite-flood
        <https://www.unrealircd.org/docs/Set_block#set::anti-flood::invite-flood>
        now defaults to 4 per 60 seconds (previously the effective limit
        was 1 invite per 6 seconds).
      o set::anti-flood::knock-flood
        <https://www.unrealircd.org/docs/Set_block#set::anti-flood::knock-flood>
        now defaults to 4 per 120 seconds.
  * New set::outdated-tls-policy
    <https://www.unrealircd.org/docs/Set_block#set::outdated-tls-policy>
    which describes what to do with clients that use outdated SSL/TLS
    protocols (eg: TLSv1.0) and ciphers.
    The default settings are to warn in all cases: users connecting,
    opers /OPER'ing up and servers linking in. The user will see a
    message telling them to upgrade their IRC client.
    This should help with migrating such users, since in the future, say
    one or two years from now, we would want to change the default to
    only allow TSLv1.2+ with ciphers that provide Forward Secrecy.
    Instead of rejecting clients without any error message, this
    provides a way to warn them and give them some time to upgrade their
    outdated IRC client.

Major issues fixed

  * None

*Minor issues fixed
*

  * The advertised "link-security" was incorrectly downgraded from level
    2 to 1 if spkifp was used as an authentication method.
  * In case of a crash, the ./unrealircd backtrace script was not
    working correctly in non-English environments, leading to less
    accurate bug reports.
  * Various crashes if a server receives incorrect commands from a
    trusted linked server.
  * A number of memory leaks on REHASH (about 1K).
  * SASL was not working post-registration, eg: when services link back
    in. This is now fixed in UnrealIRCd, but may require a services
    update as well.

*Changed
*

  * The noctcp user mode (+T) will now only block CTCP's and not CTCP
    REPLIES. Also, IRCOps can bypass user mode +T restrictions.
  * The server will warn if your ulines { } are matching UnrealIRCd servers.
  * The m_whox module now contains various features that m_who already had.
    Also, m_whox will try to convert classic UnrealIRCd WHO requests
    such as "WHO +i 127.0.0.1" to whox style "WHO 127.0.0.1 i".
    Unfortunately auto-converting WHO requests is not always possible.
    When in doubt the WHOX syntax is assumed. Users are thus (still)
    encouraged to use the whox style when m_whox is loaded.

*For module coders
*

  * New hook HOOKTYPE_WELCOME
    <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_WELCOME>
    (aClient *acptr, int after_numeric): allows you to send a message at
    very specific places during the initial welcome.
  * New Isupport functions: IsupportSet, IsupportSetFmt and
    IsupportDelByName.
  * The M_ANNOUNCE flag in the command add functions should no longer be
    used as CMDS= is removed. Please update your module.
  * New "SJSBY" in PROTOCTL, which is used in SJOIN to sync extra data.
    See the last part of the SJOIN documentation
    <https://www.unrealircd.org/docs/Server_protocol:SJOIN_command>.
  * For a command with 2 arguments, eg "PRIVMSG #a :txt", parv[1] is
    "#a", parv[2] is "txt" and parv[3] is NULL. Any arguments beyond
    that, such as parv[4] should not be accessed. To help module coders
    with detecting such bugs we now poison unused parv[] elements that
    should never be accessed. Note that without this poison your code
    will also crash, now it just crashes more consistently.

*IRC protocol*

  * Many changes in the tokens used in numeric 005 (RPL_ISUPPORT):
      o Removed CMDS= because this was an unnecessary abstraction and it
        was not picked up by any other IRCd.
      o The tokens KNOCK MAP USERIP have been added (moved from CMDS=..)
      o STARTTLS is no longer advertised in 005 since doing so would be
        too late. Also STARTTLS is not the preferred method of using
        SSL/TLS anyway.
      o Added TARGMAX= to communicate the limits from
        set::max-targets-per-command
        <https://www.unrealircd.org/docs/Set_block#set::max-targets-per-command>.
      o Removed the MAXTARGETS= token because TARGMAX= replaces it.
      o Added DEAF=d to signal what user mode is used for "deaf"
      o Added QUITLEN to communicate the set::quit-length setting (after
        all, why communicate length for KICK but not for QUIT?).
      o The 005 tokens are now sorted alphabetically
  * When hitting the TARGMAX limit (set::max-targets-per-command), for
    example with /MSG k001,k002,k003,k004,k005 hi, you will see:
    :server 407 me k005 :Too many targets. The maximum is 4 for PRIVMSG.
  * When hitting the set::anti-flood::max-concurrent-conversations limit
    (so not per command, but per time frame), you will see:
    :server 439 me k011 :Message target change too fast. Please wait 7
    seconds
  * When hitting the set::anti-flood::invite-flood limit you will get:
    :server 263 me INVITE :Flooding detected. Please wait a while and
    try again.
  * When hitting the set::anti-flood::knock-flood limit you will get:
    :server 480 me :Cannot knock on #channel (You are KNOCK flooding)
  * Not a protocol change. But when a server returns from a netsplit and
    syncs modes such as: :server MODE #chan +b this!is...@an...n
    Then later on you can query the banlist (MODE #chan b) and you may
    see the actual original setter and timestamp of the ban.
    If a user wishes to see the banlist then IRC clients are encouraged
    to actively query the banlist before displaying it. Fortunately
    most, if not all, clients do this.
  * If the set::topic-setter or set::ban-setter are set to
    nick-user-host then the "added by" field in numerics that show these
    entries will contain nick!user@host instead of nick, eg:
    :server 367 me #channel this!is...@so...n bansetter!user@some.host
    1549461765

*Future versions (heads up):*

  * We intend to change the default plaintext oper policy from /warn/ to
    /deny/ in the year 2019. This will deny /OPER when issued from a
    non-SSL connection.
    For security, IRC Operators should really use SSL/TLS when
    connecting to an IRC server!

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 4.2.2-rc1 available for testing

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

This is the first release candidate for UnrealIRCd 4.2.2. You can help
us with testing this release so we can release a 4.2.2 stable version in
March 2019. If you find any issues, please do report them at
https://bugs.unrealircd.org/
The release contains a lot of enhancements, in particular with regards
to flood controls.

*Changes between version 4.2.1 and 4.2.2
*Improvements

  * With "TOPIC #chan" and "MODE #chan +b" (and +e/+I) you can see who
    set the topic and bans/exempts/invex. The default is to only show
    the nick of the person who set the item. This can be changed (not
    the default) by setting:
    set { topic-setter nick-user-host; };
    set { ban-setter nick-user-host; };
  * The 'set by' and 'set at' information for +beI lists are now
    synchronized when servers link. You still see the MODE originating
    from the server, however when the banlist is queried you will now be
    able to see the original nick and time of the bansetter rather than
    serv.er.name.
    If you want the OLD behavior you can use: set { ban-setter-sync no; };
  * The default maximum topic length has been increased from 307 to 360.
  * You can now set more custom limits. The default settings are shown
    below:
    set {
        topic-length 360; /* maximum: 360 */
        away-length 307; /* maximum: 360 */
        quit-length 307; /* maximum: 395 */
        kick-length 307; /* maximum: 360 */
    };
  * The message sent to users upon *LINE can now be adjusted completely
    via set::reject-message::kline
    <https://www.unrealircd.org/docs/Set_block#set::reject-message> and
    set::reject-message::gline
    <https://www.unrealircd.org/docs/Set_block#set::reject-message>.
  * New set::anti-flood::max-concurrent-conversations
    <https://www.unrealircd.org/docs/Set_block#set::anti-flood::max-concurrent-conversations>
    which configures the maximum number of conversations a user can have
    with other users at the same time.
    Until now this was hardcoded at limiting /MSG and /INVITE to 20
    different users in a 15 second period. The new default is 10 users,
    which serves as a protection measure against spambots.
  * New set::max-targets-per-command
    <https://www.unrealircd.org/docs/Set_block#set::max-targets-per-command>
    which configures the maximum number of targets accepted for a
    command, such as 4 to allow e.g. /MSG nick1,nick2,nick3,nick4 hi.
    Also changed the following defaults (previously hardcoded):
      o PRIVMSG from 20 to 4 targets, to counter /amsg spam
      o NOTICE from 20 to 1 target, to counter /anotice spam
      o KICK from 1 to 4 targets, to make it easier for channel
        operators to quickly kick a large amount of spambots
  * Added INVITE and KNOCK flood protection (command rate limiting):
      o set::anti-flood::invite-flood
        <https://www.unrealircd.org/docs/Set_block#set::anti-flood::invite-flood>
        now defaults to 4 per 60 seconds (previously the effective limit
        was 1 invite per 6 seconds).
      o set::anti-flood::knock-flood
        <https://www.unrealircd.org/docs/Set_block#set::anti-flood::knock-flood>
        now defaults to 4 per 120 seconds.
  * New set::outdated-tls-policy
    <https://www.unrealircd.org/docs/Set_block#set::outdated-tls-policy>
    which describes what to do with clients that use outdated SSL/TLS
    protocols (eg: TLSv1.0) and ciphers.
    The default settings are to warn in all cases: users connecting,
    opers /OPER'ing up and servers linking in. The user will see a
    message telling them to upgrade their IRC client.
    This should help with migrating such users, since in the future, say
    one or two years from now, we would want to change the default to
    only allow TSLv1.2+ with ciphers that provide Forward Secrecy.
    Instead of rejecting clients without any error message, this
    provides a way to warn them and give them some time to upgrade their
    outdated IRC client.

Major issues fixed

  * None

*Minor issues fixed
*

  * The advertised "link-security" was incorrectly downgraded from level
    2 to 1 if spkifp was used as an authentication method.
  * In case of a crash, the ./unrealircd backtrace script was not
    working correctly in non-English environments, leading to less
    accurate bug reports.

*Changed
*

  * The noctcp user mode (+T) will now only block CTCP's and not CTCP
    REPLIES. Also, IRCOps can bypass user mode +T restrictions.
  * The server will warn if your ulines { } are matching UnrealIRCd servers.
  * The m_whox module now contains various features that m_who already had.
    Also, m_whox will try to convert classic UnrealIRCd WHO requests
    such as "WHO +i 127.0.0.1" to whox style "WHO 127.0.0.1 i".
    Unfortunately auto-converting WHO requests is not always possible.
    When in doubt the WHOX syntax is assumed. Users are thus (still)
    encouraged to use the whox style when m_whox is loaded.

*For module coders
*

  * New hook HOOKTYPE_WELCOME
    <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_WELCOME>
    (aClient *acptr, int after_numeric): allows you to send a message at
    very specific places during the initial welcome.
  * New Isupport functions: IsupportSet, IsupportSetFmt and
    IsupportDelByName.
  * The M_ANNOUNCE flag in the command add functions should no longer be
    used as CMDS= is removed. Please update your module.
  * New "SJSBY" in PROTOCTL, which is used in SJOIN to sync extra data.
    See the last part of the SJOIN documentation
    <https://www.unrealircd.org/docs/Server_protocol:SJOIN_command>.
  * For a command with 2 arguments, eg "PRIVMSG #a :txt", parv[1] is
    "#a", parv[2] is "txt" and parv[3] is NULL. Any arguments beyond
    that, such as parv[4] should not be accessed. To help module coders
    with detecting such bugs we now poison unused parv[] elements that
    should never be accessed. Note that without this poison your code
    will also crash, now it just crashes more consistently.

*IRC protocol*

  * Many changes in the tokens used in numeric 005 (RPL_ISUPPORT):
      o Removed CMDS= because this was an unnecessary abstraction and it
        was not picked up by any other IRCd.
      o The tokens KNOCK MAP USERIP have been added (moved from CMDS=..)
      o STARTTLS is no longer advertised in 005 since doing so would be
        too late. Also STARTTLS is not the preferred method of using
        SSL/TLS anyway.
      o Added TARGMAX= to communicate the limits from
        set::max-targets-per-command
        <https://www.unrealircd.org/docs/Set_block#set::max-targets-per-command>.
      o Removed the MAXTARGETS= token because TARGMAX= replaces it.
      o Added DEAF=d to signal what user mode is used for "deaf"
      o Added QUITLEN to communicate the set::quit-length setting (after
        all, why communicate length for KICK but not for QUIT?).
      o The 005 tokens are now sorted alphabetically
  * When hitting the TARGMAX limit (set::max-targets-per-command), for
    example with /MSG k001,k002,k003,k004,k005 hi, you will see:
    :server 407 me k005 :Too many targets. The maximum is 4 for PRIVMSG.
  * When hitting the set::anti-flood::max-concurrent-conversations limit
    (so not per command, but per time frame), you will see:
    :server 439 me k011 :Message target change too fast. Please wait 7
    seconds
  * When hitting the set::anti-flood::invite-flood limit you will get:
    :server 263 me INVITE :Flooding detected. Please wait a while and
    try again.
  * When hitting the set::anti-flood::knock-flood limit you will get:
    :server 480 me :Cannot knock on #channel (You are KNOCK flooding)
  * Not a protocol change. But when a server returns from a netsplit and
    syncs modes such as: :server MODE #chan +b this!is...@an...n
    Then later on you can query the banlist (MODE #chan b) and you may
    see the actual original setter and timestamp of the ban.
    If a user wishes to see the banlist then IRC clients are encouraged
    to actively query the banlist before displaying it. Fortunately
    most, if not all, clients do this.
  * If the set::topic-setter or set::ban-setter are set to
    nick-user-host then the "added by" field in numerics that show these
    entries will contain nick!user@host instead of nick, eg:
    :server 367 me #channel this!is...@so...n bansetter!user@some.host
    1549461765

*Future versions (heads up):*

  * We intend to change the default plaintext oper policy from /warn/ to
    /deny/ in the year 2019. This will deny /OPER when issued from a
    non-SSL connection.
    For security, IRC Operators should really use SSL/TLS when
    connecting to an IRC server!

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

Re: UnrealIRCd 4.2.1 released

[Bram M. <sy...@un...>]

There was a small mistake in the UnrealIRCd 4.2.1 release:
SAJOIN/SAPART/SAMODE did not work (/Permission denied/). The 4.2.1
download has now been replaced with a fixed version.

If you already downloaded 4.2.1 in the past 36 hours then you can easily
apply the fix without a restart since it's just a typo in a
configuration file:
Open /conf/operclass.default.conf/ and replace "sacmds" with "sacmd" at
two places. Save and /REHASH. That's it.

Sorry for this!

On 27/12/2018 09:25, Bram Matthys wrote:
> UnrealIRCd 4.0.0 released (You can unsubscribe from this list here
> <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)
>
> Hi everyone,
>
> UnrealIRCd 4.2.1 (stable) is now available for download. This version
> enhances support for authentication
> <https://www.unrealircd.org/docs/Authentication>. Also new is a module
> to combat mixed UTF8 character spam, a rewrite of the operclass
> privileges and more secure password hashing with Argon2.
>
> If you missed the 4.2.0 release, then consider looking at the previous
> release announcement
> <https://forums.unrealircd.org/viewtopic.php?f=1&t=8843> as well.
>
> NOTE: There will be no further 4.0.x releases. Current stable is
> 4.2.x. For more information, see the FAQ item: Questions about the new
> 4.2.x series
> <https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series>.
>
> *Changes between version 4.2.0 and 4.2.1
> *Improvements
>
>   * Support for authentication prompt
>     <https://www.unrealircd.org/docs/Authentication>:
>     Since 4.2.0 you can require specific users to authenticate
>     themselves with their nickname and password via SASL. We now offer
>     a new experimental module called 'authprompt' which will help
>     non-SASL users by showing a notice and asking them to authenticate
>     to their account via /AUTH <user>:<pass>. See the new
>     authentication article
>     <https://www.unrealircd.org/docs/Authentication> on the wiki for
>     an overview and set::authentication-prompt
>     <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt>
>     for specific information on the module.
>   * New optional module 'antimixedutf8' to combat mixed UTF8 character
>     spam (also called freenode spam) that has been plaguing networks.
>     See the set::antimixedutf8 docs
>     <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8> for
>     more information.
>   * Support for Argon2 password hashing, which is more resilient
>     against brute force cracking (/mkpasswd argon2 passwd)
>   * Indicate 's' in WHO reply flags if the user is secure (SSL/TLS).
>
> Configuration changes
>
>   * The require sasl { } block is now called require authentication { }
>   * The operclass privileges have been redone.
>     There were too many changes to list them here. If, like 99% of the
>     users, you use default operclasses such as "globop" and
>     "admin-with-override" then you don't need to do anything.
>     However, if you have custom operclass { } blocks then the
>     privileges will have to be redone. See here
>     <https://www.unrealircd.org/docs/FAQ#New_operclass_permissions>
>     for more information on the conversion process.
>     See also the new list of permissions
>     <https://www.unrealircd.org/docs/Operclass_permissions>, with much
>     better naming and grouping.
>   * In the configuration file you can now use } instead of };
>     Both forms are accepted. There's no need to change if you don't
>     like it.
>   * A /* comment in the configuration file is now terminated at the
>     first occurrence of */, instead of two /* /* requiring two */ */.
>     Most people will be unaffected. But if you are, see the FAQ:
>     nesting comments
>     <https://www.unrealircd.org/docs/FAQ#Nesting_comments> for more
>     information.
>
> Major issues fixed
>
>   * The blacklist module
>     <https://www.unrealircd.org/docs/Blacklist_block> did not act on
>     IPv6 users listed in DNSBLs.
>
> *Minor issues fixed
> *
>
>   * By default a user shouldn't be allowed to change to a banned nick,
>     unless (s)he has +hoaq in the channel. This was broken since 4.0.0.
>     This feature can be disabled via set { check-target-nick-bans no; };
>   * Rehash error messages sent to opers regarding remote includes now
>     no longer include authentication information (replaced with ***:***).
>
> *Deprecated
> *
>
>   * The authentication types 'md5', 'sha1' and 'ripemd160' have been
>     deprecated because they can be cracked at high speeds. They still
>     work, but a warning will be shown on boot and on rehash.
>     Please use the new 'argon2' type instead: Type /MKPASSWD argon2
>     passwd on IRC, or ./unrealircd mkpasswd argon2 on the command line
>     to generate the password hash.
>
> *For module coders*
>
>   * Priorities in command overrides were reversed (was added in 4.2.0)
>
> *Future versions (heads up):*
>
>   * We intend to change the default plaintext oper policy from /warn/
>     to /deny/ in the year 2019. This will deny /OPER when issued from
>     a non-SSL connection.
>     For security, IRC Operators should really use SSL/TLS when
>     connecting to an IRC server!
>
> *Download*
> As always, you can download UnrealIRCd from https://www.unrealircd.org/
> All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)
>
> *Bug reports and feature enhancements
> *Please report all bugs and feature suggestions at
> https://bugs.unrealircd.org/
> Our GitHub repository is available on
> https://github.com/unrealircd/unrealircd/
> -- 
> Bram Matthys
> Security researcher                     sy...@vu...
> Website:                                  www.vulnscan.org
> PGP key:                       www.vulnscan.org/pubkey.asc
> PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 4.2.1 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.2.1 (stable) is now available for download. This version
enhances support for authentication
<https://www.unrealircd.org/docs/Authentication>. Also new is a module
to combat mixed UTF8 character spam, a rewrite of the operclass
privileges and more secure password hashing with Argon2.

If you missed the 4.2.0 release, then consider looking at the previous
release announcement
<https://forums.unrealircd.org/viewtopic.php?f=1&t=8843> as well.

NOTE: There will be no further 4.0.x releases. Current stable is 4.2.x.
For more information, see the FAQ item: Questions about the new 4.2.x
series
<https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series>.

*Changes between version 4.2.0 and 4.2.1
*Improvements

  * Support for authentication prompt
    <https://www.unrealircd.org/docs/Authentication>:
    Since 4.2.0 you can require specific users to authenticate
    themselves with their nickname and password via SASL. We now offer a
    new experimental module called 'authprompt' which will help non-SASL
    users by showing a notice and asking them to authenticate to their
    account via /AUTH <user>:<pass>. See the new authentication article
    <https://www.unrealircd.org/docs/Authentication> on the wiki for an
    overview and set::authentication-prompt
    <https://www.unrealircd.org/docs/Set_block#set::authentication-prompt>
    for specific information on the module.
  * New optional module 'antimixedutf8' to combat mixed UTF8 character
    spam (also called freenode spam) that has been plaguing networks.
    See the set::antimixedutf8 docs
    <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8> for
    more information.
  * Support for Argon2 password hashing, which is more resilient against
    brute force cracking (/mkpasswd argon2 passwd)
  * Indicate 's' in WHO reply flags if the user is secure (SSL/TLS).

Configuration changes

  * The require sasl { } block is now called require authentication { }
  * The operclass privileges have been redone.
    There were too many changes to list them here. If, like 99% of the
    users, you use default operclasses such as "globop" and
    "admin-with-override" then you don't need to do anything.
    However, if you have custom operclass { } blocks then the privileges
    will have to be redone. See here
    <https://www.unrealircd.org/docs/FAQ#New_operclass_permissions> for
    more information on the conversion process.
    See also the new list of permissions
    <https://www.unrealircd.org/docs/Operclass_permissions>, with much
    better naming and grouping.
  * In the configuration file you can now use } instead of };
    Both forms are accepted. There's no need to change if you don't like it.
  * A /* comment in the configuration file is now terminated at the
    first occurrence of */, instead of two /* /* requiring two */ */.
    Most people will be unaffected. But if you are, see the FAQ: nesting
    comments <https://www.unrealircd.org/docs/FAQ#Nesting_comments> for
    more information.

Major issues fixed

  * The blacklist module
    <https://www.unrealircd.org/docs/Blacklist_block> did not act on
    IPv6 users listed in DNSBLs.

*Minor issues fixed
*

  * By default a user shouldn't be allowed to change to a banned nick,
    unless (s)he has +hoaq in the channel. This was broken since 4.0.0.
    This feature can be disabled via set { check-target-nick-bans no; };
  * Rehash error messages sent to opers regarding remote includes now no
    longer include authentication information (replaced with ***:***).

*Deprecated
*

  * The authentication types 'md5', 'sha1' and 'ripemd160' have been
    deprecated because they can be cracked at high speeds. They still
    work, but a warning will be shown on boot and on rehash.
    Please use the new 'argon2' type instead: Type /MKPASSWD argon2
    passwd on IRC, or ./unrealircd mkpasswd argon2 on the command line
    to generate the password hash.

*For module coders*

  * Priorities in command overrides were reversed (was added in 4.2.0)

*Future versions (heads up):*

  * We intend to change the default plaintext oper policy from /warn/ to
    /deny/ in the year 2019. This will deny /OPER when issued from a
    non-SSL connection.
    For security, IRC Operators should really use SSL/TLS when
    connecting to an IRC server!

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at
https://bugs.unrealircd.org/
Our GitHub repository is available on
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security researcher                     sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6