unreal-notify Mailing List for UnrealIRCd (Page 5)
Status: Beta
Brought to you by:
wildchild
From: Bram M. <sy...@un...> - 2018-09-30 06:55:40
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

There have been so many changes in this and the last few 4.0.x versions, it justifies calling this new release "UnrealIRCd 4.2.0". Marking the beginning of the 4.2 series, this release introduces features such as "soft klines" and "soft actions". A significant number of optional modules are now loaded as default, including timed channel bans and textbans. Also, a lot more smaller changes are included in this release, such as fixes for TLSv1.3 and experimental WHOX support. See further down for a full list of changes.

NOTE: Version 4.2.0 is the direct successor to 4.0.18. There will be no further 4.0.x releases (in particular there will be no 4.0.19). For more information, see the FAQ item: Questions about the new 4.2.x series <https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series>.

Upgrade advice: if you are conservative about upgrades then feel free to wait for 4.2.1. Other than some blacklist fixes there are no major bugs fixed. This release is mostly about new features + some minor fixes.

*Changes between version 4.0.18 and 4.2.0*

Improvements

* New option to disable a module: blacklist-module <https://www.unrealircd.org/docs/Blacklist-module_directive> "modulename"; This will cause any 'loadmodule' lines for that module to be ignored. This is especially useful if you only want to disable a few modules that are (normally) automatically loaded by conf/modules.default.conf.
* Next three new features have to do with SASL. More information on SASL in general can be found here <https://www.unrealircd.org/docs/SASL>.
    o A new require sasl <https://www.unrealircd.org/docs/Require_sasl_block> { } block which allows you to force users on the specified hostmask to use SASL. Any unauthenticated users matching the specified hostmask are rejected.
    o New "soft kline" and "soft gline". These will not be applied to users that are authenticated to services using SASL. These are just GLINE/KLINE's but prefixed with a percent sign:
      Example: /KLINE %*@10.* 0 Only SASL allowed from here
    o New "soft" ban actions for spamfilter, blacklist, antirandom, etc. Actions such as "soft-kline" and "soft-kill" will only be applied to unauthenticated users. Users who are authenticated to services (SASL) are exempt from the corresponding spamfilter/blacklist/antirandom/.. See https://www.unrealircd.org/docs/Actions for the full action list.
    o WARNING: If your network is not 100% on v4.2.x then it is not recommended to use _global_ soft bans (such as soft gline or any spamfilter with soft-xx actions). There won't be havoc, but the bans won't be effective on parts of the network. Local soft bans such as a soft /kline %.. can still be used.
* The following extban modules are not new but are now enabled by default: extbans/textban, extbans/timedban and extbans/msgbypass. In case you don't like them, use blacklist-module as mentioned earlier. These modules provide the following functionality:
    o TextBan: +b ~T:block:*badword* to block sentences with 'badword'
    o Timed bans: ~t:duration:mask These are bans that are automatically removed by the server. The duration is in minutes and the mask can be any ban mask. Some examples:
        + A 5 minute ban on a host: /+b ~t:5:*!*@host/
        + A 5 minute quiet ban on a host (unable to speak): /+b ~t:5:~q:*!*@host/
        + An invite exception for 1440m/24hrs: /+I ~t:1440:*!*@host/
        + A temporary exempt ban for a services account: /+e ~t:1440:~a:Account/
        + Allows someone to speak through +m for the next 24hrs: /+e ~t:1440:~m:moderated:*!*@host/
        + And any other crazy ideas you can come up with...
    o Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
    o Ban exception ~m:type:mask which allows bypassing of message restrictions. Valid types are: 'external' (bypass +n), moderated (bypass +m/+M), 'filter' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T). Some examples:
        + Let LAN users bypass +m: /+e ~m:moderated:*!*@192.168.*/
        + Let ops in #otherchan bypass +m in this channel: /+e ~m:moderated:~c:@#otherchan/
        + Make GitHub commit bot bypass +n: /+e ~m:external:*!*@ipmask/
        + Allow a services account to use color: /+e ~m:color:~a:ColorBot/
* AntiRandom <https://www.unrealircd.org/docs/Set_block#set::antirandom>: The module will now (by default) exempt WEBIRC gateways from antirandom checking because they frequently cause false positives. This new behavior can be disabled via:
      set { antirandom { except-webirc no; }; }
* Server linking attempts and errors are now also put in the log file.
* A new module that provides WHOX support, an enhanced and more standard version of WHO (NOTE: the command is still "WHO"). This allows, among other things, the client to request additional information, such as which services account each channel member is using. The module is currently experimental. To use it, add this to your conf:
      loadmodule "m_whox";

Major issues fixed

* Blacklist: Potential crash issue when concurrently checking DNSBL for the WEBIRC gateway and the spoofed host.
* Blacklist: In case of multiple blacklists the 2nd/3rd/.. blacklists were not always checked properly.

Minor issues fixed

* Remote includes: ./Config didn't properly detect libcurl on Ubuntu 18 (and possibly other Linux distributions as well)
* Timeouts during server linking attempts were not displayed.
* Delayjoin: Halfops did not see JOIN's when channel mode +D was set.
* IRCOps with minimal privileges lost their user modes on MODE change.
* IRCOps could not override channel mode +z (when not using SSL/TLS)
* Channel names sometimes truncated if using accents or special chars.
* TLSv1.3 ciphersuite setting was changed to reflect OpenSSL's behavior. There is now set::ssl::ciphersuites, specifically for TLSv1.3. Note that the default is perfectly fine so at this point in time it shouldn't need any adjustment (but the option is there...).

*Removed*

* allow::options::sasl has been removed. Use the new and more flexible require sasl { } block instead.

*Other changes*

* Windows users may be prompted to install the Visual C++ redistributable package for Visual Studio 2017. This is because we now build on VS 2017 instead of VS 2012.
* We now use standard formatted messages for all K-Lines, G-Lines and any other bans that will cause the user to be disconnected. For technical details see the banned_client() function.
* The except throttle <https://www.unrealircd.org/docs/Except_throttle_block> { } block now also overrides any limitations from set::max-unknown-connection-per-ip <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip>. Useful for WEBIRC gateways <https://www.unrealircd.org/docs/WebIRC_Support>.
* Localhost connections are considered secure, so these can be used even if you have a plaintext-policy of 'deny' or 'warn'. (This was already the case for servers, but now also for users and opers)
* Allow slashes in vhost/chghost/sethost/.. (but not through DNS)

*For module coders*

* Windows: Be aware that we now build with Visual Studio 2017. This means 3rd party modules should be compiled with VS 2017 (or VS 2015) as well.

*Future versions (heads up):*

* We intend to change the default plaintext oper policy from /warn/ to /deny/ later this year. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
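The soft K-line rule announced above, modelled as an added Python example (not UnrealIRCd code and not part of the original message): a ban entered with a leading '%' is skipped for SASL-authenticated clients, while a plain ban applies to everyone. The names `Ban`, `Client`, `parse_kline` and `first_applicable_ban` are hypothetical, the sample hosts are constructed, and treating a server without soft-ban support as simply not enforcing the ban is an assumption drawn from the WARNING item.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ban:
    mask: str    # user@host mask with the leading '%' already stripped
    soft: bool   # True when the ban was entered with a '%' prefix
    reason: str


@dataclass(frozen=True)
class Client:
    ident: str
    host: str
    account: Optional[str] = None  # services account if SASL succeeded


def parse_kline(args: str) -> Ban:
    """Parse the arguments of '/KLINE <mask> <duration> <reason>'."""
    mask, _duration, reason = args.split(" ", 2)
    soft = mask.startswith("%")
    return Ban(mask=mask[1:] if soft else mask, soft=soft, reason=reason)


def mask_matches(mask: str, target: str) -> bool:
    """IRC-style wildcard match: '*' is any run, '?' is one character."""
    pattern = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in mask
    )
    return re.fullmatch(pattern, target, re.IGNORECASE) is not None


def first_applicable_ban(
    client: Client, bans: List[Ban], server_supports_soft: bool = True
) -> Optional[Ban]:
    """Return the ban that rejects this client, or None if it may connect."""
    userhost = f"{client.ident}@{client.host}"
    for ban in bans:
        if not mask_matches(ban.mask, userhost):
            continue
        if ban.soft:
            if not server_supports_soft:
                # Assumption: a server that predates soft bans does not
                # enforce them, so the ban is ineffective on that server.
                continue
            if client.account is not None:
                continue  # SASL-authenticated users are exempt
        return ban
    return None


if __name__ == "__main__":
    # Constructed sample data: the soft K-line from the announcement plus a
    # hard K-line on a documentation address range.
    bans = [
        parse_kline("%*@10.* 0 Only SASL allowed from here"),
        parse_kline("*@203.0.113.* 0 Abusive range"),
    ]
    for c in (
        Client("bob", "10.1.2.3"),
        Client("alice", "10.1.2.3", account="alice"),
        Client("eve", "203.0.113.7", account="eve"),
    ):
        hit = first_applicable_ban(c, bans)
        print(c.ident, "->", "rejected: " + hit.reason if hit else "allowed")
```

Calling `first_applicable_ban(..., server_supports_soft=False)` shows why global soft bans are discouraged on a mixed-version network: the unauthenticated client is let through on the older server.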
From: Bram M. <sy...@un...> - 2018-09-14 12:52:46
Hi everyone,

The second Release Candidate for UnrealIRCd 4.0.19 is now available for download. You can help us by testing this release and reporting bugs to https://bugs.unrealircd.org/ A stable release is scheduled end of September.

Compared with -rc1 this -rc2 version has halfop delayjoin fixes, ircop +z override, a channel truncation issue fixed, support for slashes in vhost and allow::options::sasl is removed. These are only minor changes compared to all the other release highlights.

*Changes between version 4.0.18 and 4.0.19-rc2*

Improvements

* New option to disable a module: blacklist-module <https://www.unrealircd.org/docs/Blacklist-module_directive> "modulename"; This will cause any 'loadmodule' lines for that module to be ignored. This is especially useful if you only want to disable a few modules that are (normally) automatically loaded by conf/modules.default.conf.
* Next three new features have to do with SASL. More information on SASL in general can be found here <https://www.unrealircd.org/docs/SASL>.
    o A new require sasl <https://www.unrealircd.org/docs/Require_sasl_block> { } block which allows you to force users on the specified hostmask to use SASL. Any unauthenticated users matching the specified hostmask are rejected.
    o New "soft kline" and "soft gline". These will not be applied to users that are authenticated to services using SASL. These are just GLINE/KLINE's but prefixed with a percent sign:
      Example: /KLINE %*@10.* 0 Only SASL allowed from here
    o New "soft" ban actions for spamfilter, blacklist, antirandom, etc. Actions such as "soft-kline" and "soft-kill" will only be applied to unauthenticated users. Users who are authenticated to services (SASL) are exempt from the corresponding spamfilter/blacklist/antirandom/.. See https://www.unrealircd.org/docs/Actions for the full action list.
    o WARNING: If your network also contains UnrealIRCd servers below v4.0.19 then it is not recommended to use _global_ soft bans (such as soft gline or any spamfilter with soft-xx actions). There won't be havoc, but the bans won't be effective on parts of the network. Local soft bans such as a soft /kline can still be used.
* The following extban modules are not new but are now enabled by default: extbans/textban, extbans/timedban and extbans/msgbypass. In case you don't like them, use blacklist-module as mentioned earlier. Just as a reminder, they provide the following functionality:
    o TextBan: +b ~T:block:*badword* to block sentences with 'badword'
    o Timed bans: ~t:duration:mask These are bans that are automatically removed by the server. The duration is in minutes and the mask can be any ban mask. Some examples:
        + A 5 minute ban on a host: /+b ~t:5:*!*@host/
        + A 5 minute quiet ban on a host (unable to speak): /+b ~t:5:~q:*!*@host/
        + An invite exception for 1440m/24hrs: /+I ~t:1440:*!*@host/
        + A temporary exempt ban for a services account: /+e ~t:1440:~a:Account/
        + Allows someone to speak through +m for the next 24hrs: /+e ~t:1440:~m:moderated:*!*@host/
        + And any other crazy ideas you can come up with...
    o Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
    o Ban exception ~m:type:mask which allows bypassing of message restrictions. Valid types are: 'external' (bypass +n), moderated (bypass +m/+M), 'filter' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T). Some examples:
        + Let LAN users bypass +m: /+e ~m:moderated:*!*@192.168.*/
        + Let ops in #otherchan bypass +m in this channel: /+e ~m:moderated:~c:@#otherchan/
        + Make GitHub commit bot bypass +n: /+e ~m:external:*!*@ipmask/
        + Allow a services account to use color: /+e ~m:color:~a:ColorBot/
* AntiRandom <https://www.unrealircd.org/docs/Set_block#set::antirandom>: The module will now (by default) exempt WEBIRC gateways from antirandom checking because they frequently cause false positives. This new behavior can be disabled via:
      set { antirandom { except-webirc no; }; }
* Server linking attempts and errors are now also put in the log file.
* Delayjoin: Halfops did not see JOIN's when channel mode +D was set.
* IRCOps with minimal privileges lost their user modes on MODE change.
* IRCOps could not override channel mode +z (when not using SSL/TLS)
* Channel names sometimes truncated if using accents or special chars.

Major issues fixed

* Blacklist: Potential crash issue when concurrently checking DNSBL for the WEBIRC gateway and the spoofed host.
* Blacklist: In case of multiple blacklists the 2nd/3rd/.. blacklists were not always checked properly.

Minor issues fixed

* Remote includes: ./Config didn't properly detect libcurl on Ubuntu 18 (and possibly other Linux distributions as well)
* Timeouts during server linking attempts were not displayed.

*Removed*

* allow::options::sasl has been removed. Use the new and more flexible require sasl { } block instead.

*Other changes*

* Windows users may be prompted to install the Visual C++ redistributable package for Visual Studio 2017. This is because we now build on VS 2017 instead of VS 2012.
* We now use standard formatted messages for all K-Lines, G-Lines and any other bans that will cause the user to be disconnected. For technical details see the banned_client() function.
* The except throttle <https://www.unrealircd.org/docs/Except_throttle_block> { } block now also overrides any limitations from set::max-unknown-connection-per-ip <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip>. Useful for WEBIRC gateways <https://www.unrealircd.org/docs/WebIRC_Support>.
* Localhost connections are considered secure, so these can be used even if you have a plaintext-policy of 'deny' or 'warn'. (This was already the case for servers, but now also for users and opers)
* Allow slashes in vhost/chghost/sethost/.. (but not through DNS)

*For module coders*

* Windows: Be aware that we now build with Visual Studio 2017. This means 3rd party modules should be compiled with VS 2017 (or VS 2015) as well.

*Future versions (heads up):*

* We intend to change the default plaintext oper policy from /warn/ to /deny/ later this year. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2018-09-08 16:23:19
Hi everyone,

The first Release Candidate for UnrealIRCd 4.0.19 is now available for download. You can help us by testing this release and reporting bugs to https://bugs.unrealircd.org/ A stable release is scheduled end of September / early October.

*Changes between version 4.0.18 and 4.0.19-rc1*

Improvements

* New option to disable a module: blacklist-module <https://www.unrealircd.org/docs/Blacklist-module_directive> "modulename"; This will cause any 'loadmodule' lines for that module to be ignored. This is especially useful if you only want to disable a few modules that are (normally) automatically loaded by conf/modules.default.conf.
* Next three new features have to do with SASL. More information on SASL in general can be found here <https://www.unrealircd.org/docs/SASL>.
    o A new require sasl <https://www.unrealircd.org/docs/Require_sasl_block> { } block which allows you to force users on the specified hostmask to use SASL. Any unauthenticated users matching the specified hostmask are rejected.
    o New "soft kline" and "soft gline". These will not be applied to users that are authenticated to services using SASL. These are just GLINE/KLINE's but prefixed with a percent sign:
      Example: /KLINE %*@10.* 0 Only SASL allowed from here
    o New "soft" ban actions for spamfilter, blacklist, antirandom, etc. Actions such as "soft-kline" and "soft-kill" will only be applied to unauthenticated users. Users who are authenticated to services (SASL) are exempt from the corresponding spamfilter/blacklist/antirandom/.. See https://www.unrealircd.org/docs/Actions for the full action list.
    o WARNING: If your network also contains UnrealIRCd servers below v4.0.19 then it is not recommended to use _global_ soft bans (such as soft gline or any spamfilter with soft-xx actions). There won't be havoc, but the bans won't be effective on parts of the network. Local soft bans such as a soft /kline can still be used.
* The following extban modules are not new but are now enabled by default: extbans/textban, extbans/timedban and extbans/msgbypass. In case you don't like them, use blacklist-module as mentioned earlier. Just as a reminder, they provide the following functionality:
    o TextBan: +b ~T:block:*badword* to block sentences with 'badword'
    o Timed bans: ~t:duration:mask These are bans that are automatically removed by the server. The duration is in minutes and the mask can be any ban mask. Some examples:
        + A 5 minute ban on a host: /+b ~t:5:*!*@host/
        + A 5 minute quiet ban on a host (unable to speak): /+b ~t:5:~q:*!*@host/
        + An invite exception for 1440m/24hrs: /+I ~t:1440:*!*@host/
        + A temporary exempt ban for a services account: /+e ~t:1440:~a:Account/
        + Allows someone to speak through +m for the next 24hrs: /+e ~t:1440:~m:moderated:*!*@host/
        + And any other crazy ideas you can come up with...
    o Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
    o Ban exception ~m:type:mask which allows bypassing of message restrictions. Valid types are: 'external' (bypass +n), moderated (bypass +m/+M), 'filter' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T). Some examples:
        + Let LAN users bypass +m: /+e ~m:moderated:*!*@192.168.*/
        + Let ops in #otherchan bypass +m in this channel: /+e ~m:moderated:~c:@#otherchan/
        + Make GitHub commit bot bypass +n: /+e ~m:external:*!*@ipmask/
        + Allow a services account to use color: /+e ~m:color:~a:ColorBot/
* AntiRandom <https://www.unrealircd.org/docs/Set_block#set::antirandom>: The module will now (by default) exempt WEBIRC gateways from antirandom checking because they frequently cause false positives. This new behavior can be disabled via:
      set { antirandom { except-webirc no; }; }
* Server linking attempts and errors are now also put in the log file.

Major issues fixed

* Blacklist: Potential crash issue when concurrently checking DNSBL for the WEBIRC gateway and the spoofed host.
* Blacklist: In case of multiple blacklists the 2nd/3rd/.. blacklists were not always checked properly.

Minor issues fixed

* Remote includes: ./Config didn't properly detect libcurl on Ubuntu 18 (and possibly other Linux distributions as well)
* Timeouts during server linking attempts were not displayed.

*Other changes*

* Windows users may be prompted to install the Visual C++ redistributable package for Visual Studio 2017. This is because we now build on VS 2017 instead of VS 2012.
* We now use standard formatted messages for all K-Lines, G-Lines and any other bans that will cause the user to be disconnected. For technical details see the banned_client() function.
* The except throttle <https://www.unrealircd.org/docs/Except_throttle_block> { } block now also overrides any limitations from set::max-unknown-connection-per-ip <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip>. Useful for WEBIRC gateways <https://www.unrealircd.org/docs/WebIRC_Support>.
* Localhost connections are considered secure, so these can be used even if you have a plaintext-policy of 'deny' or 'warn'. (This was already the case for servers, but now also for users and opers)

*For module coders*

* Windows: Be aware that we now build with Visual Studio 2017. This means 3rd party modules should be compiled with VS 2017 (or VS 2015) as well.

*Future versions (heads up):*

* We intend to change the default plaintext oper policy from /warn/ to /deny/ later this year. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2018-06-23 15:02:59
Hi everyone,

UnrealIRCd 4.0.18 (stable) is now available for download. This is a recommended upgrade because it fixes some memory leaks / security issues present in 4.0.17 and earlier versions. There's no need to rush the upgrade (there is no imminent threat), but it is advised to upgrade somewhere in the next few weeks. Naturally there are also enhancements and other bug fixes since 4.0.17, see below.

*Changes between version 4.0.17 and 4.0.18*

Improvements

* Support for checking IPv6 addresses in DNS blacklists.
* The blacklist module now checks WEBIRC users as well.
* For SSL/TLS we now set the default ECDH(E) curves to be X25519:secp521r1:secp384r1:prime256v1 if using a recent version of OpenSSL/LibreSSL. This can be overridden via set::ssl::ecdh-curve.
* You can now require SASL <https://www.unrealircd.org/docs/SASL> authentication for all clients via the allow block (for example, on a dedicated server that permits proxies/tor):
      allow {
          ip *;
          class clients;
          maxperip 2;
          options { require-sasl; };
      };

Major issues fixed

* A number of (potential) security issues were fixed:
    o Memory leaks: this could allow an attacker to slowly consume all available memory and ultimately cause UnrealIRCd to crash.
    o Out of bounds read: in practice this does not seem to be exploitable due to the many restrictions that are imposed.
* Compile issues on macOS
* Bug in blacklist module which could have caused false negatives, allowing bad guys in which should have been denied.
* The new optional feature 'set::cloak-method ip' caused identical cloaks

Minor issues fixed

* When using '/REHASH -ssl' or './unrealircd reloadtls' it did not reload the SSL certificate/key if you were using ssl-options in listen, sni or link blocks. In short: it only reloaded the ones from set::ssl until now.
* m_ircops sent a conflicting numeric, confusing some clients.
* Starting UnrealIRCd through a non-interactive(!) ssh session could cause the ssh session to hang.

*Other changes*

* The built-in time synchronization feature is now disabled by default. TimeSynch was added back in 2006 when lots of operating systems did not ship with time synchronization turned on by default. Since incorrect time severely breaks IRC networks this was a major problem. Nowadays this is completely different with most Linux distro's, OS X, Windows, etc. doing time synchronization out of the box. Since UnrealIRCd's implementation is less precise and lacks authentication it's best left over to the system. You can still re-enable timesynch via:
      set { timesynch { enabled yes; }; };
  .. but you should really use NTP or similar for system-wide time synchronization instead.
* For developers there's now the --with-werror compile option which will add -Werror.
* Added a lot more Travis-CI tests: various LibreSSL/OpenSSL versions and also test macOS. This to prevent us from releasing broken stuff.
* Various code cleanups to get rid of lots of needless casts and to eliminate compiler warnings.
* Just as a reminder (this change was already in version 4.0.17): UnrealIRCd will no longer give user mode +z to users on WEBIRC gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us some assurance that the client<->webirc gateway connection is also secure (eg: https).
  This is the regular WEBIRC format:
      WEBIRC password gateway hostname ip
  This indicates a secure client connection (NEW):
      WEBIRC password gateway hostname ip :secure
  Naturally, WEBIRC gateways MUST NOT send the "secure" option if the client is using http or some other insecure protocol.

*For module coders*

* HOOKTYPE_CHANNEL_SYNCED prototype changed, the 'merge' and 'removetheirs' is now no longer an 'unsigned short' but an 'int' instead.
* HOOKTYPE_MODE_DEOP prototype changed, the 'modechar' is now no longer a 'char' but an 'int' instead.
* In addition to safestrdup() there's now also safestrldup() which allows you to specify a maximum allocated length (so including the nul byte). This is used in m_pass.c and m_topic.c.
* New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION>

*Future versions (heads up):*

* We intend to change the default plaintext oper policy from /warn/ to /deny/ later this year. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/
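The WEBIRC reminder above, as an added Python example (not UnrealIRCd code and not part of the original message): user mode +z is only justified when both hops are protected, meaning the gateway reached the server over SSL/TLS and the gateway sent the ":secure" option for the client side. The names `WebircInfo`, `parse_webirc` and `grants_secure_umode` are hypothetical, the sample lines are constructed, and reading the trailing parameter as a space-separated option list is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class WebircInfo:
    gateway: str
    hostname: str
    ip: str
    options: FrozenSet[str]


def parse_webirc(line: str) -> WebircInfo:
    """Parse 'WEBIRC password gateway hostname ip [:options]'."""
    line = line.rstrip("\r\n")
    # An IRC trailing parameter starts at the first " :".
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if len(parts) != 5 or parts[0].upper() != "WEBIRC":
        raise ValueError("malformed WEBIRC line")
    _cmd, _password, gateway, hostname, ip = parts
    ipaddress.ip_address(ip)  # raises ValueError for a non-IP value
    # Assumption: the trailing parameter is a space-separated option list.
    options = frozenset(o.lower() for o in trailing.split()) if sep else frozenset()
    return WebircInfo(gateway, hostname, ip, options)


def grants_secure_umode(info: WebircInfo, gateway_link_is_tls: bool) -> bool:
    """True only if gateway<->server is TLS and the gateway vouched for the client hop."""
    return gateway_link_is_tls and "secure" in info.options


if __name__ == "__main__":
    # Constructed sample lines; the password and names are placeholders.
    samples = [
        ("WEBIRC s3cret cgiirc client.example.net 198.51.100.7", True),
        ("WEBIRC s3cret cgiirc client.example.net 198.51.100.7 :secure", True),
        ("WEBIRC s3cret cgiirc client.example.net 2001:db8::7 :secure", False),
    ]
    for line, tls in samples:
        info = parse_webirc(line)
        print(info.ip, "gateway TLS:", tls, "+z:", grants_secure_umode(info, tls))
```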
From: Bram M. <sy...@un...> - 2018-06-16 17:16:46
Hi everyone,

The second Release Candidate for UnrealIRCd 4.0.18 is now available for download. This fixes an SSL/TLS bug introduced in the first release candidate.

*Changes between version 4.0.18-rc1 and 4.0.18-rc2*

* Fix for SSL: ECDHE was not working with older OpenSSL versions

*Changes between version 4.0.17 and 4.0.18-rc1*

Improvements

* Support for checking IPv6 addresses in DNS blacklists.
* The blacklist module now checks WEBIRC users as well.
* For SSL/TLS we now set the default ECDH(E) curves to be X25519:secp521r1:secp384r1:prime256v1 if using a recent version of OpenSSL/LibreSSL. This can be overridden via set::ssl::ecdh-curve.
* You can now require SASL <https://www.unrealircd.org/docs/SASL> authentication for clients via the allow block (for example, on a dedicated server that permits proxies/tor):
      allow {
          ip *;
          class clients;
          maxperip 2;
          options { require-sasl; };
      };

Major issues fixed

* Compile issues on macOS
* Bug in blacklist module which could have caused false negatives, allowing bad guys in which should have been denied.
* The new optional feature 'set::cloak-method ip' caused identical cloaks

Minor issues fixed

* When using '/REHASH -ssl' or './unrealircd reloadtls' it did not reload the SSL certificate/key if you were using ssl-options in listen, sni or link blocks. In short: it only reloaded the ones from set::ssl until now.
* m_ircops sent a conflicting numeric, confusing some clients.
* Starting UnrealIRCd through a non-interactive(!) ssh session could cause the ssh session to hang.

*Other changes*

* The built-in time synchronization feature is now disabled by default. TimeSynch was added back in 2006 when lots of operating systems did not ship with time synchronization turned on by default. Since incorrect time severely breaks IRC networks this was a major problem. Nowadays this is completely different with most Linux distro's, OS X, Windows, etc. doing time synchronization out of the box. Since UnrealIRCd's implementation is less precise and lacks authentication it's best left over to the system. You can still re-enable timesynch via:
      set { timesynch { enabled yes; }; };
  .. but you should really use NTP or similar for system-wide time synchronization instead.
* For developers there's now the --with-werror compile option which will add -Werror.
* Added a lot more Travis-CI tests: various LibreSSL/OpenSSL versions and also test macOS. This to prevent us from releasing broken stuff.
* Various code cleanups to get rid of lots of needless casts and to eliminate compiler warnings.
* Just as a reminder (this change was already in version 4.0.17): UnrealIRCd will no longer give user mode +z to users on WEBIRC gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us some assurance that the client<->webirc gateway connection is also secure (eg: https).
  This is the regular WEBIRC format:
      WEBIRC password gateway hostname ip
  This indicates a secure client connection (NEW):
      WEBIRC password gateway hostname ip :secure
  Naturally, WEBIRC gateways MUST NOT send the "secure" option if the client is using http or some other insecure protocol.

*For module coders*

* HOOKTYPE_CHANNEL_SYNCED prototype changed, the 'merge' and 'removetheirs' is now no longer an 'unsigned short' but an 'int' instead.
* HOOKTYPE_MODE_DEOP prototype changed, the 'modechar' is now no longer a 'char' but an 'int' instead.
* In addition to safestrdup() there's now also safestrldup() which allows you to specify a maximum allocated length (so including the nul byte). This is used in m_pass.c and m_topic.c.
* New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION>

*Future versions (heads up):*

* We intend to change the default plaintext oper policy from /warn/ to /deny/ later this year. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2018-06-11 11:27:22
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The Release Candidate for UnrealIRCd 4.0.18 is now available for download.

*Changes between version 4.0.17 and 4.0.18-rc1*

Improvements

* Support for checking IPv6 addresses in DNS blacklists.
* The blacklist module now checks WEBIRC users as well.
* For SSL/TLS we now set the default ECDH(E) curves to be X25519:secp521r1:secp384r1:prime256v1 if using a recent version of OpenSSL/LibreSSL. This can be overridden via set::ssl::ecdh-curve.
* You can now require SASL <https://www.unrealircd.org/docs/SASL> authentication for clients via the allow block (for example, on a dedicated server that permits proxies/tor):

      allow {
          ip *;
          class clients;
          maxperip 2;
          options { require-sasl; };
      };

Major issues fixed

* Compile issues on macOS
* Bug in blacklist module which could have caused false negatives, allowing bad guys in which should have been denied.
* The new optional feature 'set::cloak-method ip' caused identical cloaks

Minor issues fixed

* When using '/REHASH -ssl' or './unrealircd reloadtls' it did not reload the SSL certificate/key if you were using ssl-options in listen, sni or link blocks. In short: it only reloaded the ones from set::ssl until now.
* m_ircops sent a conflicting numeric, confusing some clients.
* Starting UnrealIRCd through a non-interactive(!) ssh session could cause the ssh session to hang.

*Other changes*

* The built-in time synchronization feature is now disabled by default. TimeSynch was added back in 2006 when lots of operating systems did not ship with time synchronization turned on by default. Since incorrect time severely breaks IRC networks this was a major problem. Nowadays this is completely different with most Linux distros, OS X, Windows, etc. doing time synchronization out of the box. Since UnrealIRCd's implementation is less precise and lacks authentication it's best left over to the system. You can still re-enable timesynch via:

      set { timesynch { enabled yes; }; };

  .. but you should really use NTP or similar for system-wide time synchronization instead.
* For developers there's now the --with-werror compile option which will add -Werror.
* Added a lot more Travis-CI tests: various LibreSSL/OpenSSL versions and also test macOS. This to prevent us from releasing broken stuff.
* Various code cleanups to get rid of lots of needless casts and to eliminate compiler warnings.
* Just as a reminder (this change was already in version 4.0.17): UnrealIRCd will no longer give user mode +z to users on WEBIRC gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us some assurance that the client<->webirc gateway connection is also secure (eg: https).
  This is the regular WEBIRC format:

      WEBIRC password gateway hostname ip

  This indicates a secure client connection (NEW):

      WEBIRC password gateway hostname ip :secure

  Naturally, WEBIRC gateways MUST NOT send the "secure" option if the client is using http or some other insecure protocol.

*For module coders*

* HOOKTYPE_CHANNEL_SYNCED prototype changed, the 'merge' and 'removetheirs' is now no longer an 'unsigned short' but an 'int' instead.
* HOOKTYPE_MODE_DEOP prototype changed, the 'modechar' is now no longer a 'char' but an 'int' instead.
* In addition to safestrdup() there's now also safestrldup() which allows you to specify a maximum allocated length (so including the nul byte). This is used in m_pass.c and m_topic.c.
* New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION>

*Future versions (heads up):*

* We intend to change the default plaintext oper policy from /warn/ to /deny/ later this year. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2017-12-22 09:51:58
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.0.17 (stable) is now available for download. The most visible changes are experimental utf8 support in set::allowed-nickchars and two new (optional) modules "timed bans" (remove ban after X minutes) and "msgbypass".

*Changes between version 4.0.16(.1) and 4.0.17*

Improvements

* Two optional modules. These are not loaded by default. To use them, include modules.optional.conf, or add these loadmodule lines:

      loadmodule "extbans/timedban";
      loadmodule "extbans/msgbypass";

  o Timed bans: ~t:duration:mask
    These are bans that are automatically removed by the server. The duration is in minutes and the mask can be any ban mask. Some examples:
    + A 5 minute ban on a host: /+b ~t:5:*!*@host/
    + A 5 minute quiet ban on a host (unable to speak): /+b ~t:5:~q:*!*@host/
    + An invite exception for 1440m/24hrs: /+I ~t:1440:*!*@host/
    + A temporary exempt ban for a services account: /+e ~t:1440:~a:Account/
    + Allows someone to speak through +m for the next 24hrs: /+e ~t:1440:~m:moderated:*!*@host/
    + And any other crazy ideas you can come up with...
  o New ban exception ~m:type:mask which allows bypassing of message restrictions. Valid types are: 'external' (bypass +n), moderated (bypass +m/+M), 'filter' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T). Some examples:
    + Let LAN users bypass +m: /+e ~m:moderated:*!*@192.168.*/
    + Let ops in #otherchan bypass +m in this channel: /+e ~m:moderated:~c:@#otherchan/
    + Make GitHub commit bot bypass +n: /+e ~m:external:*!*@ipmask/
    + Allow a services account to use color: /+e ~m:color:~a:ColorBot/
* Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood). This is only available if the previously mentioned extbans/timedban module is loaded.
* Added experimental UTF8 support in set::allowed-nickchars. See https://www.unrealircd.org/docs/Nick_Character_Sets
  Example:

      set { allowed-nickchars { latin-utf8; }; };

  Important remarks:
  o All your servers must be on UnrealIRCd 4.0.17+
  o Most services do not support this, so users using UTF8 nicknames won't be able to register at NickServ.
  o In set::allowed-nickchars you must either choose an utf8 language or a non-utf8 character set. You cannot combine the two.
  o You also cannot combine multiple scripts/alphabets, such as: latin, greek, cyrillic and hebrew. You must choose one.
  o If you are already using set::allowed-nickchars on your network (eg: 'latin1') then be careful when migrating (to eg: 'latin-utf8'):
    + Your clients may still assume non-UTF8
    + If users registered nicks with accents or other special characters at NickServ then they may not be able to access their old account after the migration to UTF8.
  o There is no CASEMAPPING or "visually identical character"-checking.
    + Just like in the old (non-utf8) charsys this means there is no lower/uppercase checking for allowed-nickchars nicks. So a nick with "O with accent" can be online at the same time as "o with accent". They are treated as two different users.
    + The identical character looking issue is particularly noticeable in Cyrillic script where for example cyrillic "A" looks identical to latin "A" and thus can be used to impersonate a user.
    + Improved CASEMAPPING and "visually similar character"-checking is part of ongoing research.
* Ability to customize the reject connection messages:

      set {
          reject-message {
              password-mismatch "Password mismatch";
              too-many-connections "Too many connections from your IP";
              server-full "This server is full.";
              unauthorized "You are not authorized to connect to this server";
          };
      };

* Added optional AppArmor profile in extras/security/apparmor/unrealircd (see Using AppArmor with UnrealIRCd <https://www.unrealircd.org/docs/Using_AppArmor_with_UnrealIRCd>)

Major issues fixed

* Crash when using OperOverride (*NIX only)
* Fix hang in (outgoing) server linking
* Fix crash when linking anope over SSL from non-localhost
* '/SPAMFILTER del <id>' did not remove the spamfilter on other servers

Minor issues fixed

* set::restrict-extendedbans was not always applied (when stacked)

*Other changes*

* UnrealIRCd will no longer give user mode +z to users on WEBIRC gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us some assurance that the client<->webirc gateway connection is also secure (eg: https).
  This is the regular WEBIRC format:

      WEBIRC password gateway hostname ip

  This indicates a secure client connection (NEW):

      WEBIRC password gateway hostname ip :secure

  Naturally, WEBIRC gateways MUST NOT send the "secure" option if the client is using http or some other insecure protocol.

*For module coders*

* New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION>

*For services coders:*

* Don't forget to send an EOS (End Of Synch) at the end of the handshake, if you are not doing so already. It's important:

      :your.services.server EOS

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

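The WEBIRC "secure" rule from the announcement above, modelled on both sides as an added example (this is not UnrealIRCd or gateway code): a gateway builds the line and appends `:secure` only for a secure client transport, and a server-side check grants +z only when the gateway link is TLS and the option is present. The function names, the `SECURE_SCHEMES` set and the sample values are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the client transports this hypothetical gateway treats as secure.
SECURE_SCHEMES = frozenset({"https", "wss"})


@dataclass(frozen=True)
class Webirc:
    password: str
    gateway: str
    hostname: str
    ip: str
    options: frozenset


def build_webirc(password, gateway, hostname, ip, client_scheme):
    """Gateway side: build 'WEBIRC password gateway hostname ip [:secure]'."""
    ip_text = str(ipaddress.ip_address(ip))      # rejects anything that is not an IP
    if ip_text.startswith(":"):
        ip_text = "0" + ip_text                  # '::1' would parse as an IRC trailing parameter
    fields = [password, gateway, hostname, ip_text]
    for field in fields:
        # A space, CR, LF or NUL inside a field would shift or inject parameters.
        if not field or field.startswith(":") or any(c in field for c in " \r\n\0"):
            raise ValueError("unsafe WEBIRC field: %r" % field)
    line = "WEBIRC " + " ".join(fields)
    if client_scheme.lower() in SECURE_SCHEMES:  # never for http or other insecure transports
        line += " :secure"
    return line


def parse_webirc(line):
    """Server side: split the line into its four fields plus the option set."""
    head, sep, trailing = line.rstrip("\r\n").partition(" :")
    parts = head.split(" ")
    if not sep and len(parts) == 6:              # last parameter sent without the ':' prefix
        trailing, sep = parts.pop(), " :"
    if len(parts) != 5 or "" in parts or parts[0].upper() != "WEBIRC":
        raise ValueError("malformed WEBIRC line")
    _, password, gateway, hostname, ip = parts
    ipaddress.ip_address(ip)                     # raises ValueError on a bad address
    options = frozenset(trailing.split()) if sep else frozenset()
    return Webirc(password, gateway, hostname, ip, options)


def grant_secure_umode(request, gateway_link_is_tls):
    """+z needs both hops protected: gateway<->ircd TLS and client<->gateway 'secure'."""
    return bool(gateway_link_is_tls) and "secure" in request.options


# Constructed sample values (documentation address ranges, placeholder password).
HTTPS_LINE = build_webirc("pw", "gw.example", "host.example", "203.0.113.7", "https")
HTTP_LINE = build_webirc("pw", "gw.example", "host.example", "203.0.113.7", "http")
```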
From: Bram M. <sy...@un...> - 2017-12-01 10:04:47
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Not one but two UnrealIRCd releases today. But they are not for everyone.. ;)

UnrealIRCd *4.0.16.1* fixes a couple of issues that affected only a few users. If your UnrealIRCd 4.0.16 is working fine then I'm not recommending an upgrade at this point. Just use it for new installations.

Also available is an early first release candidate for next release, UnrealIRCd *4.0.17-rc1*. The most visible changes are experimental utf8 support in set::allowed-nickchars and two new (optional) modules "msgbypass" and "timed bans" (remove ban after X minutes). The stable release for 4.0.17 is scheduled end of December. You can help us by testing and reporting any issues/bugs at https://bugs.unrealircd.org/.

The changes in both versions are outlined below:

*Changes between version 4.0.16 and 4.0.16.1*

An interim release with a couple of backported fixes:

* Fix hang in (outgoing) server linking
* Fix crash when linking anope over SSL from non-localhost
* '/SPAMFILTER del <id>' did not remove the spamfilter on other servers
* set::restrict-extendedbans was not always applied (when stacked)
* Update automated build scripts

*Changes between version 4.0.16(.1) and 4.0.17-rc1*

Improvements

* Added experimental UTF8 support in set::allowed-nickchars. See https://www.unrealircd.org/docs/Nick_Character_Sets
  Example:

      set { allowed-nickchars { latin-utf8; }; };

  Important remarks:
  o All your servers must be on UnrealIRCd 4.0.17-rc1
  o Most(?) services do not support this, so users using UTF8 nicknames won't be able to register at NickServ.
  o In set::allowed-nickchars you must either choose an utf8 language or a non-utf8 character set. You cannot combine the two.
  o You also cannot combine multiple scripts/alphabets, such as: latin, greek, cyrillic and hebrew. You must choose one.
  o If you are already using set::allowed-nickchars on your network (eg: 'latin1') then be careful when migrating (to eg: 'latin-utf8'):
    + Your clients may still assume non-UTF8
    + If users registered nicks with accents or other special characters at NickServ then they may not be able to access their old account after the migration to UTF8.
  o There is no CASEMAPPING or "visually identical character"-checking.
    + Just like in the old (non-utf8) charsys this means there is no lower/uppercase checking for allowed-nickchars nicks. So a nick with "O with accent" can be online at the same time as "o with accent". They are treated as two different users.
    + The identical character looking issue is particularly noticeable in Cyrillic script where for example cyrillic "A" looks identical to latin "A" and thus can be used to impersonate a user.
    + Improved CASEMAPPING and "visually similar character"-checking is part of ongoing research at the IRCv3 working group.
* Two optional modules. These are not loaded by default. To use them, include modules.optional.conf, or add these loadmodule lines:

      loadmodule "extbans/msgbypass";
      loadmodule "extbans/timedban";

  o New ban exception ~m:type:mask which allows bypassing of message restrictions. Valid types are: 'external' (bypass +n), moderated (bypass +m/+M), 'filter' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T). Some examples:
    + Let LAN users bypass +m: /+e ~m:moderated:*!*@192.168.*/
    + Let ops in #otherchan bypass +m in this channel: /+e ~m:moderated:~c:@#otherchan/
    + Make GitHub commit bot bypass +n: /+e ~m:external:*!*@ipmask/
    + Allow a services account to use color: /+e ~m:color:~a:ColorBot/
  o Timed bans: ~t:duration:mask
    These are bans that are automatically removed by the server. The duration is in minutes and the mask can be any ban mask. Some examples:
    + A 5 minute ban on a host: /+b ~t:5:*!*@host/
    + A 5 minute quiet ban on a host (unable to speak): /+b ~t:5:~q:*!*@host/
    + An invite exception for 1440m/24hrs: /+I ~t:1440:*!*@host/
    + A temporary exempt ban for a services account: /+e ~t:1440:~a:Account/
    + Allows someone to speak through +m for the next 24hrs: /+e ~t:1440:~m:moderated:*!*@host/
    + And any other crazy ideas you can come up with...
* Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood). This is only available if the previously mentioned extbans/timedban module is loaded.
* Ability to customize the reject connection messages:

      set {
          reject-message {
              password-mismatch "Password mismatch";
              too-many-connections "Too many connections from your IP";
              server-full "This server is full.";
              unauthorized "You are not authorized to connect to this server";
          };
      };

Major issues fixed

* Fix hang in (outgoing) server linking
* Fix crash when linking anope over SSL from non-localhost
* '/SPAMFILTER del <id>' did not remove the spamfilter on other servers

Minor issues fixed

* set::restrict-extendedbans was not always applied (when stacked)

*Other changes*

* UnrealIRCd will no longer give user mode +z to users on WEBIRC gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us some assurance that the client<->webirc gateway connection is also secure (eg: https).
  This is the regular WEBIRC format:

      WEBIRC password gateway hostname ip

  This indicates a secure client connection (NEW):

      WEBIRC password gateway hostname ip :secure

  Naturally, WEBIRC gateways MUST NOT send the "secure" option if the client is using http or some other insecure protocol.

*For module coders*

* New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION <https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION>

*For services coders:*

* Don't forget to send an EOS (End Of Synch) at the end of the handshake, if you are not doing so already. It's important:

      :your.services.server EOS

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

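The announcement above notes that UTF8 nicks get no case mapping and no "visually identical character" check. As an added example (not UnrealIRCd code), this is one way a services package or monitoring bot could flag such nicks: reduce each nick to a comparison skeleton and report collisions. The confusable table is a small constructed sample of Cyrillic/Latin lookalikes, not a complete list, and all function names are hypothetical.

```python
import unicodedata

# Constructed sample table: Cyrillic letters that render like Latin ones.
CONFUSABLE = {
    "\u0410": "A", "\u0430": "a", "\u0412": "B", "\u0415": "E", "\u0435": "e",
    "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u043e": "o",
    "\u0420": "P", "\u0440": "p", "\u0421": "C", "\u0441": "c", "\u0422": "T",
    "\u0425": "X", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "\u0455": "s",
}


def skeleton(nick):
    """Comparison key: compose, map lookalikes in their original case, then case-fold."""
    composed = unicodedata.normalize("NFKC", nick)
    mapped = "".join(CONFUSABLE.get(ch, ch) for ch in composed)
    return mapped.casefold()


def scripts(nick):
    """Scripts used by the letters of a nick (heuristic: first word of the Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in nick if ch.isalpha()}


def find_collisions(nicks):
    """Group nicks that share a skeleton; only groups with more than one nick are returned."""
    groups = {}
    for nick in nicks:
        groups.setdefault(skeleton(nick), []).append(nick)
    return {key: group for key, group in groups.items() if len(group) > 1}


def check_new_nick(candidate, online):
    """Report why a candidate nick could be mistaken for a user who is already online."""
    key = skeleton(candidate)
    clashes = [n for n in online if n != candidate and skeleton(n) == key]
    used = sorted(scripts(candidate))
    return {"allowed": not clashes and len(used) <= 1, "clashes": clashes, "scripts": used}


# Constructed nick list: Latin "Admin", the same with a Cyrillic first letter,
# and the "O with accent" / "o with accent" pair from the remarks above.
ONLINE = ["Admin", "\u0410dmin", "\u00d3scar", "\u00f3scar", "guest"]
COLLISIONS = find_collisions(ONLINE)
```

A mixed-script test alone is not enough: an all-Cyrillic nick can still share a skeleton with an all-Latin one, which is why `check_new_nick` looks at both.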
From: Bram M. <sy...@un...> - 2017-11-12 07:07:56
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.0.16 (stable) is now available for download. This release consists of a huge amount of enhancements and other changes. Thanks to everyone who previously tested the release candidate.

*Changes between version 4.0.15 and 4.0.16*

Improvements

* There's now an easy method to remove spamfilters. '/SPAMFILTER del' will show a list of spamfilters along with the appropriate command to remove them (by id).
* CAP v3.2 support.
* CAP 'cap-notify': notify users of any CAP changes.
* CAP 'extended-join': show account and gecos in JOIN.
* CAP 'chghost': notify on user/host changes. Note that if you use set::allow-userhost-change force-rejoin then clients which support CAP 'chghost' will not see the PART+JOIN+MODE sequence as it is unnecessary. They already receive a "CHGHOST" message as part of CAP 'chghost' instead.
* Updated CAP 'sasl' to specification 3.2 (includes mechlist).
* Automatically discover SASL server if saslmechlist is sent by services and set::sasl-server is not set by the administrator. This should help to get more networks to support SASL automatically (if you run up to date services, of course)
* We send "CAP DEL sasl" if set::sasl-server squits and a "CAP NEW" message when the server returns (to cap-notify and CAPv3.2 clients).
* Added password::type 'spkifp'. It's similar to 'sslclientcertfp' but is a hash based on the public TLS key rather than the certificate. The benefit of this is that the 'spkifp' can stay the same even if you get a new certificate from Let's Encrypt. Note that 'certbot' does not re-use keys by default so you will still get a different spkifp every 60-90 days. Consider using another (3rd party) client or tell the certbot guys to finally implement --reuse-key at https://github.com/certbot/certbot/issues/3788
* The command './unrealircd spkifp' will output the SPKI fingerprint (this is now used in the updated Linking servers tutorial <https://www.unrealircd.org/docs/Tutorial:_Linking_servers>)
* New option set::handshake-delay will delay the handshake (when a user is connecting) up to this amount of time.
* If you have any blacklist { } block then UnrealIRCd will set a set::handshake-delay of 2 seconds by default. This will allow (most) DNSBL checking to be finished before the user comes online (and thus get bad users killed before they appear), while still allowing a smooth user experience. If your DNS(BL) is slow then you could raise this setting slightly.
* You can now have multiple webirc { } blocks with the same mask. This permits multiple blocks like..

      webirc {
          mask *;
          password "....." { sslclientcertfp; };
      };

  ..should you need it. In other words: we don't stop matching upon an authentication failure.
* Move CONNECTTIMEOUT to set::handshake-timeout <https://www.unrealircd.org/docs/Set_block#set::handshake-timeout>.
* Move MAXUNKNOWNCONNECTIONSPERIP to set::max-unknown-connections-per-ip <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip>.
* Add set { cloak-method ip; }; which will make cloaking only be done on the IP and thus result in an XX.YY.ZZ.IP cloaked host. This so you can have "IP cloaking" without disabling DNS lookups. GLINES on hosts still work and IRCOps (and yourself) can still see the host in /WHOIS.
* New option set { ban-include-username yes; }; which will make bans placed by spamfilters (and some other systems) to be placed not on *@ip but on user@ip. Note that this won't work for ZLINE/GZLINE since no ident/username lookups are done in such cases.

Major issues fixed

* None

Minor issues fixed

* Gracefully handle incorrect server-to-server messages. These no longer cause UnrealIRCd to crash. Note that this does not mean you can now go send random RAW messages from a trusted server connection. Doing so can cause desynchs, KILLs and SQUITs. We just try not to crash anymore.
* A small memory leak upon 'DNS i' (IRCOp only command)

*Removed*

* Various old config.h settings that didn't have any effect.
* A few config.h settings that should never be turned off have been removed altogether (eg: NO_FLOOD_AWAY is now always on).
* The deprecated and unused commands "CAP CLEAR" and "CAP ACK".

*Other changes*

* When linking servers and not having any certificate validation, UnrealIRCd will give you specific instructions on how to use password::spkifp or verify-certificate. This to fix a possible Man-in-the-Middle attack. Note that you'll only see this message when linking two servers that are 4.0.16+.
* When a user does a nick change from a registered nick you will now see the user mode -r. Previously this happened invisibly.
* The default oper snomask now includes 'S' (spamfilter notices).

*For module coders*

* API change for HOOKTYPE_PRE_INVITE:

      int hook_pre_invite(aClient *sptr, aClient *target, aChannel *chptr, int *override)

  Modules must now send the error message instead of only returning HOOK_DENY. Also check for operoverride and set *override=1.
* Please use the following procedure in case of a user/host change:

      userhost_save_current(acptr);
      /* now do what you need to do: like change username or hostname */
      userhost_changed(acptr);

  This function will take care of notifying other clients about the userhost change, such as doing PART+JOIN+MODE if force-rejoin is enabled, and sending :xx CHGHOST user host messages to "CAP chghost" capable clients.

*For services coders:*

* If you provide SASL then please send the mechlist like this:

      MD client your.services.server saslmechlist :EXTERNAL,PLAIN

* Don't forget to send an EOS (End Of Synch) at the end of the handshake, if you are not doing so already. It's important:

      :your.services.server EOS

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

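Why an 'spkifp' pin survives a certificate renewal only when the key is re-used, shown as an added example (not UnrealIRCd code). It assumes the fingerprint is base64 of SHA-256 over the DER SubjectPublicKeyInfo, the usual SPKI pin form, so confirm the real value with './unrealircd spkifp'; the three certificates are constructed placeholders with dummy key and signature bytes.

```python
import base64
import hashlib
import hmac


def der(tag, content=b""):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the TLV that starts at offset off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("unsupported DER length")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + n


def spki_der(cert):
    """Extract the SubjectPublicKeyInfo TLV (header included) from an X.509 certificate."""
    tag, start, _ = read_tlv(cert, 0)               # Certificate ::= SEQUENCE
    tbs_tag, off, end = read_tlv(cert, start)       # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    fields = []
    while off < end:
        t, _, value_end = read_tlv(cert, off)
        fields.append((t, off, value_end))
        off = value_end
    # version [0] is optional; with it the SPKI is the 7th field, without it the 6th.
    index = 6 if fields and fields[0][0] == 0xA0 else 5
    if len(fields) <= index or fields[index][0] != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[fields[index][1]:fields[index][2]]


def spkifp(cert):
    """Assumed pin format: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode("ascii")


def certfp(cert):
    """Whole-certificate SHA-256 fingerprint, which changes on every renewal."""
    return hashlib.sha256(cert).hexdigest()


def pin_matches(cert, pinned):
    return hmac.compare_digest(spkifp(cert), pinned)


def make_spki(point):
    """Constructed EC SubjectPublicKeyInfo around placeholder key bytes."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))
                    + der(0x06, bytes.fromhex("2a8648ce3d030107")))
    return der(0x30, alg + der(0x03, b"\x00" + point))


def make_cert(serial, not_after, spki):
    """Constructed, unsigned-in-practice certificate skeleton for the demonstration."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
                    + sig_alg + der(0x30) + validity + der(0x30) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x5a" * 64))


KEY_A = make_spki(b"\x04" + b"\x11" * 64)
KEY_B = make_spki(b"\x04" + b"\x22" * 64)
OLD = make_cert(1, b"250401000000Z", KEY_A)
RENEWED_SAME_KEY = make_cert(2, b"250701000000Z", KEY_A)   # renewal that re-uses the key
RENEWED_NEW_KEY = make_cert(3, b"250701000000Z", KEY_B)    # renewal with a fresh key
```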
From: Bram M. <sy...@un...> - 2017-10-29 14:36:39
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The first Release Candidate for UnrealIRCd 4.0.16 is now available. This release consists of a huge amount of enhancements and other changes. We'd really appreciate some testing by the public before calling this 4.0.16 stable.

*Changes between version 4.0.15 and 4.0.16-rc1*

Improvements

* There's now an easy method to remove spamfilters. '/SPAMFILTER del' will show a list of spamfilters along with the appropriate command to remove them (by id).
* CAP v3.2 support.
* CAP 'cap-notify': notify users of any CAP changes.
* CAP 'extended-join': show account and gecos in JOIN.
* CAP 'chghost': notify on user/host changes. Note that if you use set::allow-userhost-change force-rejoin then clients which support CAP 'chghost' will not see the PART+JOIN+MODE sequence as it is unnecessary. They already receive a "CHGHOST" message as part of CAP 'chghost' instead.
* Updated CAP 'sasl' to specification 3.2 (includes mechlist).
* Automatically discover SASL server if saslmechlist is sent by services and set::sasl-server is not set by the administrator. This should help to get more networks to support SASL automatically (if you run up to date services, of course)
* We send "CAP DEL sasl" if set::sasl-server squits and a "CAP NEW" message when the server returns (to cap-notify and CAPv3.2 clients).
* Added password::type 'spkifp'. It's similar to 'sslclientcertfp' but is a hash based on the public TLS key rather than the certificate. The benefit of this is that the 'spkifp' can stay the same even if you get a new certificate from Let's Encrypt. Note that 'certbot' does not re-use keys by default so you will still get a different spkifp every 60-90 days. Consider using another (3rd party) client or tell the certbot guys to finally implement --reuse-key at https://github.com/certbot/certbot/issues/3788
* The command './unrealircd spkifp' will output the SPKI fingerprint (this is now used in the updated Linking servers tutorial <https://www.unrealircd.org/docs/Tutorial:_Linking_servers>)
* New option set::handshake-delay will delay the handshake (when a user is connecting) up to this amount of time.
* If you have any blacklist { } block then UnrealIRCd will set a set::handshake-delay of 2 seconds by default. This will allow (most) DNSBL checking to be finished before the user comes online (and thus get bad users killed before they appear), while still allowing a smooth user experience. If your DNS(BL) is slow then you could raise this setting slightly.
* You can now have multiple webirc { } blocks with the same mask. This permits multiple blocks like..

      webirc {
          mask *;
          password "....." { sslclientcertfp; };
      };

  ..should you need it. In other words: we don't stop matching upon an authentication failure.
* Move CONNECTTIMEOUT to set::handshake-timeout <https://www.unrealircd.org/docs/Set_block#set::handshake-timeout>.
* Move MAXUNKNOWNCONNECTIONSPERIP to set::max-unknown-connections-per-ip <https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip>.
* Add set { cloak-method ip; }; which will make cloaking only be done on the IP and thus result in an XX.YY.ZZ.IP cloaked host. This so you can have "IP cloaking" without disabling DNS lookups. GLINES on hosts still work and IRCOps (and yourself) can still see the host in /WHOIS.
* New option set { ban-include-username yes; }; which will make bans placed by spamfilters (and some other systems) to be placed not on *@ip but on user@ip. Note that this won't work for ZLINE/GZLINE since no ident/username lookups are done in such cases.

Major issues fixed

* None

Minor issues fixed

* Gracefully handle incorrect server-to-server messages. These no longer cause UnrealIRCd to crash. Note that this does not mean you can now go send random RAW messages from a trusted server connection. Doing so can cause desynchs, KILLs and SQUITs. We just try not to crash anymore.
* A small memory leak upon 'DNS i' (IRCOp only command)

*Removed*

* Various old config.h settings that didn't have any effect.
* A few config.h settings that should never be turned off have been removed altogether (eg: NO_FLOOD_AWAY is now always on).
* The deprecated and unused commands "CAP CLEAR" and "CAP ACK".

*Other changes*

* When linking servers and not having any certificate validation, UnrealIRCd will give you specific instructions on how to use password::spkifp or verify-certificate. This to fix a possible Man-in-the-Middle attack. Note that you'll only see this message when linking two servers that are 4.0.16+.
* When a user does a nick change from a registered nick you will now see the user mode -r. Previously this happened invisibly.
* The default oper snomask now includes 'S' (spamfilter notices).

*For module coders*

* API change for HOOKTYPE_PRE_INVITE:

      int hook_pre_invite(aClient *sptr, aClient *target, aChannel *chptr, int *override)

  Modules must now send the error message instead of only returning HOOK_DENY. Also check for operoverride and set *override=1.
* Please use the following procedure in case of a user/host change:

      userhost_save_current(acptr);
      /* now do what you need to do: like change username or hostname */
      userhost_changed(acptr);

  This function will take care of notifying other clients about the userhost change, such as doing PART+JOIN+MODE if force-rejoin is enabled, and sending :xx CHGHOST user host messages to "CAP chghost" capable clients.

*For services coders:*

* If you provide SASL then please send the mechlist like this:

      MD client your.services.server saslmechlist :EXTERNAL,PLAIN

* Don't forget to send an EOS (End Of Synch) at the end of the handshake, if you are not doing so already. It's important:

      :your.services.server EOS

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2017-10-01 12:32:25
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page)

Hi everyone,

All UnrealIRCd versions up to and including 4.0.14 can be crashed by a remote user. It is a crash only. Remote code execution is not possible.

There are actually two bugs. One of them can be triggered before the user is fully connected (so this also affects hubs and password-protected servers). The other bug requires a fully connected client to trigger. Credit goes to Joseph Bisch for finding the first bug. The other bug was found internally after doing similar testing.

We have released UnrealIRCd 4.0.15 which addresses this issue. There is also a "hot fix" available so you can patch your server _without requiring an UnrealIRCd restart_. See *How to get the fix/patch?* below.

*Note for UnrealIRCd 3.2.x users:*

It was reported that UnrealIRCd 3.2.x is also affected. However the 3.2.x series are deprecated and no longer maintained <https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated>. We announced _back in 2015_ that all support, including security fixes, would stop for 3.2.x after the year 2016. If you are still running 3.2.x you should _really_ upgrade to UnrealIRCd 4. Upgrading is not hard, see the Upgrading from 3.2.x <https://www.unrealircd.org/docs/Upgrading_from_3.2.x> wiki article.

It seems 3.2.x is only affected by the first issue and the patch is identical. Therefore, for 3.2.x users on *NIX the patch script below should work as well. However, _no_ warranty is provided and this is the _last time_ such a fix is available. Upgrade to UnrealIRCd 4.x! We already gave you two years of time.

*How to get the fix/patch?*

Windows users should install UnrealIRCd 4.0.15.

Linux/BSD/.. users can also install 4.0.15 *OR* you can choose to patch UnrealIRCd on-the-fly _without a restart_. Since the patch is usually the easiest and most user friendly solution, we recommend it. Run the following on the IRC shell (be sure to do this under the correct user account and not as root):

    wget https://www.unrealircd.org/patch/20171001patcher && sh ./20171001patcher

*Q&A*

*Have there been any reports of these bugs being abused by anyone?*
Not yet. But the issue is easy to trigger, so don't wait for it.

*Should I upgrade?*
Yes. You should upgrade or install the hot-fix as soon as possible.

*Are there any workarounds so I don't have to upgrade?*
For UnrealIRCd 4.0.x on *NIX you can use the hot fix / patch so you don't need to restart.

*Can I upgrade without restarting the IRC server?*
With UnrealIRCd 4.0.x on Linux/BSD/.. yes. Run the following on the shell:

    wget https://www.unrealircd.org/patch/20171001patcher && sh ./20171001patcher

*I don't like the patch script. How can I fix this by hand?*
If, for whatever reason, you don't want to use the simple patch script from above then you can download https://www.unrealircd.org/patch/20171001patcher.tar.gz instead. Extract it somewhere and look at the contents. Among other things it contains two .patch files. Apply the patches (note that the 20171001.2nd.patch is for 4.0.x only), recompile and rehash your UnrealIRCd. This is exactly the same as the patch script would do.

*More information about the bug*

There are two bugs:

* There's a handshake bug that can be triggered before the user is fully connected. This allows a user to crash an UnrealIRCd server, even those with restrictions such as password protected hubs. This one has a CVSSv3 score of 7.5 (High): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* The other bug requires the client to fully connect, join a channel and have chanops. This one has a CVSSv3 score of 6.5 (Medium): CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Both issues are caused by dereferencing a NULL pointer. Remote code execution through these bugs is not possible.

*Time line*

Both issues were fixed within 24 hours:

    2017-09-30 17:42 Handshake crash issue reported by Joseph Bisch
    2017-09-30 18:15 Issue confirmed
    2017-09-30 19:00 Started looking for similar issues
    2017-10-01 00:31 Preannouncement of the security issue (via Twitter and UnrealIRCd forums)
    2017-10-01 03:30 Additional security issue found internally after running similar tests
    2017-10-01 15:00 Security advisory, fixed version and patch published

/All date and times are in UTC/

*Updates to this advisory*

This release announcement/advisory can be found here <https://forums.unrealircd.org/viewtopic.php?f=1&t=8751>. Small corrections/updates will be posted there, if any.

--
Bram Matthys
Software developer/Security researcher
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 2ABD 57FA 7783 5ADD C5EC 8ED7 DE93 B8B4 7E74 5EB3

From: Bram M. <sy...@un...> - 2017-09-15 09:07:27
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.0.14 (stable) is now available for download. This release consists of several SSL/TLS related improvements.

A new tutorial was added, Using Let's Encrypt with UnrealIRCd <https://www.unrealircd.org/docs/Using_Let%27s_Encrypt_with_UnrealIRCd>, which should help people get a "proper" SSL certificate.

You may also be interested in my blog post Improving IRC Security Step By Step <https://www.vulnscan.org/improving-irc-security-step-by-step/> which tells the journey that IRC has taken so far with regards to SSL/TLS deployment. It includes UnrealIRCd's perspective and recent improvements like draft/sts (4.0.13) and plaintext-policy (4.0.14).

*Changes between version 4.0.13 and 4.0.14*

Improvements
* New *set::plaintext-policy* configuration settings. This defines what happens to users/ircops/servers that are not using SSL/TLS. The default settings are:

    set {
        plaintext-policy {
            user allow; /* allow any user to connect */
            oper warn; /* warn on /OPER if not using SSL/TLS */
            server deny; /* deny servers without SSL/TLS, except localhost */
        };
    };

  You can change each of the three classes to /allow/, /warn/ or /deny/. More information: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
  If your services do not run on localhost /and/ link without SSL/TLS then you may get an error during linking. In such a case check out this FAQ item <https://www.unrealircd.org/docs/FAQ#ERROR:_Servers_need_to_use_SSL.2FTLS>.
* You can now ask UnrealIRCd to *verify certificates of server links* by:

    link irc1.test.net {
        [..]
        verify-certificate yes;
    };

  This will verify the certificate of the link, making sure the certificate is valid, issued for the specified name (/irc1.test.net/) and given out by a trusted Certificate Authority (like Let's Encrypt). Obviously, if you use self-signed certificates then you can't use this.
* Introduce a concept called *link security level*. This will rate the security of your network from 0 to 2. Whenever security is degraded due to a new server link UnrealIRCd will print a warning about it. See https://www.unrealircd.org/docs/Link_security for more information. This also adds a new command /LINKSECURITY (IRCop-only).
* The plaintext-policy and link-security is shown in "CAP LS".

Major issues fixed
* None

Minor issues fixed
* If you had a link block named /irc1.example.net/ and did an outgoing connect to that server, then the server could introduce himself under a different name, such as /irc1.other.net/. Not a security issue, since all authentication has to be passed, but this could cause confusing autoconnect attempts.
* password::sslclientcert did not accept relative paths
* Compile problem with LibreSSL (regarding SSL_CTX_get0_param)
* set::modes-on-connect: was refusing certain (old) modes like +N

*Other changes*
* The ssl options 'verify-certificate' and 'no-self-signed' have been removed. Use link::verify-certificate instead. It makes no sense to verify certificates or prevent self signed certificates elsewhere such as in vhost or oper, since there is no hostname to match against.
* Weak cipher suites such as 3DES and RC4 are disabled by default but previously you could still enable them through set::ssl::ciphers. Now you can no longer, since there is no legitimate reason to do so.
* Update cipher suite to work with TLS 1.3. This ensures you can use TLS 1.3 in UnrealIRCd 4.0.14+ when OpenSSL supports it (in the future).
* Bump MODDATA_MAX_CLIENT from 8 to 12: needed if you have a lot of 3rd party modules loaded. Also moved MODDATA_MAX_* to include/config.h

*For module coders*
* You can now attach ModData to server objects as well (including &me).
* Please do not use UmodeDel, CmdoverrideDel and any other *Del() functions from MOD_UNLOAD. These undocumented functions are unnecessary since 2008 or so. UnrealIRCd takes care of unloading all module objects. It can cause a crash if someone unloads the module in UnrealIRCd 4 (more specifically: double free if unloading modules which use ModData). Attempts to use these functions in future UnrealIRCd versions may result in a compile error.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security res...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
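The 4.0.14 notes above say that plaintext-policy and link-security are shown in "CAP LS", next to draft/sts from 4.0.13. The following Python audit of such a reply is an added example, not UnrealIRCd code and not part of the original mail; the capability names `unrealircd.org/plaintext-policy` and `unrealircd.org/link-security`, the `port`/`duration` keys of draft/sts and the sample line are assumptions.

```python
# Added example: audit what a server advertises in CAP LS about transport security.
# Assumptions (not from the page): the capability names PLAINTEXT_CAP and
# LINKSEC_CAP, the "port"/"duration" keys of draft/sts, and the sample line.

STS_CAP = "draft/sts"
PLAINTEXT_CAP = "unrealircd.org/plaintext-policy"  # assumed capability name
LINKSEC_CAP = "unrealircd.org/link-security"       # assumed capability name

# Constructed sample: a CAP LS reply as a client could see it on a plaintext port.
SAMPLE_CAP_LS = (
    ":irc1.test.net CAP * LS :multi-prefix draft/sts=port=6697,duration=15552000 "
    "unrealircd.org/plaintext-policy=user=allow,oper=warn,server=deny "
    "unrealircd.org/link-security=1"
)


def parse_cap_ls(line):
    """Return {capability: value or None} from one CAP LS reply line."""
    head, sep, trailing = line.partition(" :")
    words = head.split()
    if not sep or "CAP" not in words or "LS" not in words:
        raise ValueError("not a CAP LS reply")
    caps = {}
    for token in trailing.split():
        name, eq, value = token.partition("=")
        caps[name] = value if eq else None
    return caps


def parse_kv(value):
    """Split 'a=1,b=2,flag' into {'a': '1', 'b': '2', 'flag': None}."""
    out = {}
    for item in (value or "").split(","):
        if item:
            key, eq, val = item.partition("=")
            out[key] = val if eq else None
    return out


def _is_number(text):
    return text is not None and text.isascii() and text.isdigit()


def _is_port(text):
    return _is_number(text) and 0 < int(text) < 65536


def audit(caps, connected_over_tls):
    """Return a list of findings about the advertised SSL/TLS posture."""
    findings = []

    if STS_CAP not in caps:
        findings.append("draft/sts not advertised: clients are not told to (re)connect using SSL/TLS")
    else:
        sts = parse_kv(caps[STS_CAP])
        if connected_over_tls:
            # On a secure connection the duration is what a client remembers.
            if not _is_number(sts.get("duration")) or int(sts["duration"]) == 0:
                findings.append("draft/sts duration missing or 0: the policy is not remembered")
        elif not _is_port(sts.get("port")):
            # On a plaintext connection the client needs the port to switch to.
            findings.append("draft/sts port missing or invalid: a client cannot switch to SSL/TLS")

    if PLAINTEXT_CAP not in caps:
        findings.append("plaintext-policy not advertised")
    else:
        policy = parse_kv(caps[PLAINTEXT_CAP])
        for cls in ("user", "oper", "server"):
            if policy.get(cls) != "deny":
                findings.append(
                    f"plaintext-policy {cls}={policy.get(cls)}: plaintext {cls} connections are not denied"
                )

    level = caps.get(LINKSEC_CAP)
    if not _is_number(level):
        findings.append("link-security not advertised")
    elif int(level) < 2:
        findings.append(f"link-security={level}: below the maximum level of 2")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_cap_ls(SAMPLE_CAP_LS), connected_over_tls=False):
        print("-", finding)
```

With the default policy quoted in the mail (user allow, oper warn, server deny) the audit reports the user and oper classes, which is expected: it lists every class that still accepts plaintext, not only misconfigurations.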
From: Bram M. <sy...@un...> - 2017-09-08 07:14:44
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

The first Release Candidate for UnrealIRCd 4.0.14 is now available. This release consists of several SSL/TLS related improvements. We'd really appreciate some testing by the public before calling this 4.0.14 stable.

Also new is a tutorial called Using Let's Encrypt with UnrealIRCd <https://www.unrealircd.org/docs/Using_Let%27s_Encrypt_with_UnrealIRCd>. Feedback about this tutorial is welcome in this forum thread <https://forums.unrealircd.org/viewtopic.php?f=46&t=8741>.

If you have twitter, consider following @Unreal_IRCd <https://twitter.com/Unreal_IRCd> where we post more frequent updates. In particular, not all (:D) release candidates and dot-releases are not announced via this mailing list to keep it low-volume.

*Changes between version 4.0.13 and 4.0.14-rc1*

Improvements
* New *set::plaintext-policy* configuration settings. This defines what happens to users/ircops/servers that are not using SSL/TLS. The default settings are:

    set {
        plaintext-policy {
            user allow; /* allow any user to connect */
            oper warn; /* warn on /OPER if not using SSL/TLS */
            server deny; /* deny servers without SSL/TLS, except localhost */
        };
    };

  You can change each of the three classes to /allow/, /warn/ or /deny/. More information: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
  If your services do not run on localhost /and/ link without SSL/TLS then you may get an error during linking. In such a case check out this FAQ item <https://www.unrealircd.org/docs/FAQ#ERROR:_Servers_need_to_use_SSL.2FTLS>.
* You can now ask UnrealIRCd to *verify certificates of server links* by:

    link irc1.test.net {
        [..]
        verify-certificate yes;
    };

  This will verify the certificate of the link, making sure the certificate is valid, issued for the specified name (/irc1.test.net/) and given out by a trusted Certificate Authority (like Let's Encrypt). Obviously, if you use self-signed certificates then you can't use this.
* Introduce a concept called *link security level*. This will rate the security of your network from 0 to 2. Whenever security is degraded due to a new server link UnrealIRCd will print a warning about it. See https://www.unrealircd.org/docs/Link_security for more information. This also adds a new command /LINKSECURITY (IRCop-only).
* The plaintext-policy and link-security is shown in "CAP LS".

Major issues fixed
* None

Minor issues fixed
* If you had a link block named /irc1.example.net/ and did an outgoing connect to that server, then the server could introduce himself under a different name, such as /irc1.other.net/. Not a security issue, since all authentication has to be passed, but this could cause confusing autoconnect attempts.
* password::sslclientcert did not accept relative paths
* Compile problem with LibreSSL (regarding SSL_CTX_get0_param)
* set::modes-on-connect: was refusing certain (old) modes like +N

*Other changes*
* The ssl options 'verify-certificate' and 'no-self-signed' have been removed. Use link::verify-certificate instead. It makes no sense to verify certificates or prevent self signed certificates elsewhere such as in vhost or oper, since there is no hostname to match against.
* Weak cipher suites such as 3DES and RC4 are disabled by default but previously you could still enable them through set::ssl::ciphers. Now you can no longer, since there is no legitimate reason to do so.
* Update cipher suite to work with TLS 1.3. This ensures you can use TLS 1.3 in UnrealIRCd 4.0.14+ when OpenSSL supports it (in the future).
* Bump MODDATA_MAX_CLIENT from 8 to 12: needed if you have a lot of 3rd party modules loaded. Also moved MODDATA_MAX_* to include/config.h

*For module coders*
* You can now attach ModData to server objects as well (including &me).

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security res...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2017-08-15 12:40:15
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.0.13 is now available. It adds support for two SSL/TLS-related features: STS <https://www.unrealircd.org/docs/SSL/TLS#Strict_Transport_Security> (Strict Transport Security) and SNI <https://www.unrealircd.org/docs/Sni_block> (Server Name Indication). This release also fixes a number of bugs, the most encountered ones being related to 'simple' spamfilters and the previously introduced +Z user mode.

If you have twitter, consider following @Unreal_IRCd <https://twitter.com/Unreal_IRCd> where we post more frequent updates. In particular, release candidates and insignificant dot-releases are not announced via this mailing list to keep it low-volume.

*Changes between version 4.0.12 and 4.0.13*

Improvements
* Support for Strict Transport Security <https://www.unrealircd.org/docs/SSL/TLS#Strict_Transport_Security> (draft/sts). When enabled, this tells capable clients to (re)connect using SSL/TLS. This is a nice security feature, although only a few clients support it as of writing.
* Support for Server Name Indication (SNI) via the new sni { } block <https://www.unrealircd.org/docs/Sni_block>
* Add conf/modules.optional.conf. This loads all additional modules that are not in modules.default.conf (m_ircops, m_staff, nocodes, textban, hideserver, antirandom and websocket)

Major issues fixed
* 'simple' spamfilters ended up being 'posix' after server linking.
* User mode +Z (secureonly) not working properly across server links.
* REHASH from WebSocket connection would cause a crash (requires ircop privileges)

Minor issues fixed
* Prevent /OPER for oper blocks with non-existent operclass
* Bump MAXCONNECTIONS for Windows, allowing you to hold more clients.
* The 'ban too broad' checking was broken. This permitted glines such as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower. To disable this safety measure you can (still) use:

    set { options { allow-insane-bans; }; };

*Other changes*
* The websocket module now no longer sends \r\n in the websocket data and no longer requires it on incoming messages (but you can still send it if you like). Also version bumped to 1.0.0.
* Mark all shipped modules as official (non-3rd-party)
* Verify certificate when submitting crash reports
* Support --without-privatelibdir for packagers

*For module coders*
* CAP API changes:
  o The cap->visible(void) callback is now cap->visible(aClient *)
  o There is a new cap->parameter(aClient *) callback function, see the cap/sts module for how it can be used.
  o Various updates to subfunctions to pass 'sptr' (due to the above), including clicap_find(sptr, ...)
  o New CLICAP_FLAGS_ADVERTISE_ONLY flag (CAP cannot be REQ'd, such as with draft/sts)

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements*
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
Our GitHub repository is available on https://github.com/unrealircd/unrealircd/

--
Bram Matthys
Security researcher sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2017-05-12 16:21:08
|
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page)

Hi everyone,

UnrealIRCd 4.0.12 is now available for download. It fixes a number of bugs and adds a new user mode +Z which SSL/TLS users may find useful.

Also, an important note to anyone using *3rd party modules*: They are a great way to extend UnrealIRCd's functionality. However, a (small) mistake in a module can easily cause UnrealIRCd to crash. Currently *more than 95% of the crashes* reported to us are due to faulty 3rd party modules and not due to any bug in UnrealIRCd itself. Third party modules are modules coded by authors other than the UnrealIRCd team. We do not investigate such bug reports. These bugs are caused by and should be resolved by the module author(s). Keep this in mind if your server crashes: try unloading all (recently) installed 3rd party modules and see if the crash issue disappears. Also, be sure to check for updates of 3rd party modules, your crash issue may very well be fixed already.

*Changes between version 4.0.11 and 4.0.12*

Improvements
* New user mode +Z: Only allow SSL/TLS users to private message you.
* Ability to hide all channels in /LIST that you cannot join due to deny channel blocks:

    set { hide-list { deny-channel }; };

* The optional 'nocodes' module makes +S/+c also block/strip bold, underline and italic text. (The latter is new)
* Add support for 'mask' in allow channel { } and deny channel { } and add some support for negative 'mask'. Probably not very useful on most networks with services, since bans/AKICK do the same, but you can now do like this:

    deny channel { channel "#help*"; };
    allow channel { channel "#help-nolan"; mask !192.168.*; };
    allow channel { channel "#help-lan"; mask 192.168.*; };

Major issues fixed
* Crash issue if a module using ModData was unloading (not reloading)
* Vhosts were not always correctly synched across servers.
* The maximum number of clients that a server could accept was decreased by one on every linking attempt if it was both: 1) an outgoing SSL/TLS linking attempt; AND 2) the error was "Connection refused".

Minor issues fixed
* Adjustments to channel mode +f were not always effective.
* If you have a vhost set and wish to remove it and change to a cloaked host you can now safely use '/MODE yournick -t'. This feature was rarely used so far and it previously had a bug which caused it to still expose the real host/IP to others. This has been resolved.
* Channel mode +D (delayjoin): when people are de-oped we now part 'hidden' users to avoid a client desynch.
* Bump lag for remote MOTD requests to avoid flooding.

*Other*
* More than 95% of the crashes reported to us are due to 3rd party modules (and thus not bugs in our code). We now ask users to unload any recently installed 3rd party modules first, see if the crash issue persists, and only then submit a crash report to us.
* UnrealIRCd will now refuse to run as root. https://www.unrealircd.org/docs/Do_not_run_as_root

*For module coders*
* Added two functions to search for user modes:

    has_user_mode(acptr, 'i') // returns 1 / 0
    find_user_mode('i') // returns the user mode (as 'long')

*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:
* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd on *NIX. On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*End of the 3.2.x series*
UnrealIRCd 3.2.x is End Of Life since December 2015. All support for it has been stopped after 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Security res...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2017-02-10 15:19:49
|
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page)

Hi everyone,

UnrealIRCd versions 4.0.8 - 4.0.10 on *NIX can be crashed by a remote user. This is due to a buffer overflow issue.

The issue is actually present in all UnrealIRCd versions but because the data overflows into unused variables after the buffer the issue previously went undetected and caused no harm. UnrealIRCd 4.0.8 and later on *NIX have additional protection enabled. These versions detect the overflow and stop execution (UnrealIRCd crashes). The Windows version does not crash.

We have released UnrealIRCd 4.0.11 which addresses this issue (among some other less serious issues, see end of e-mail). There is also a "hot fix" available so you can patch your server _without requiring an UnrealIRCd restart_. See below.

*We recommend *NIX users to apply the "hot fix" as soon as possible (see below). Windows users are unaffected.*

*How to get the fix/patch?*
On Windows there is no need to upgrade, but you can install UnrealIRCd 4.0.11.
Linux/BSD/.. users can also install 4.0.11 *OR* you can choose to patch UnrealIRCd on-the-fly _without a restart_. Since the patch is usually the easiest and most user friendly solution, we recommend it. Run the following on the IRC shell:

    wget http://www.unrealircd.org/patch/isonpatcher && sh isonpatcher

*Q&A*

*Have there been any reports of these bugs being abused by anyone?*
Not yet. But the issue is easy to trigger, so don't wait for it.

*Should I upgrade?*
Yes. If you are affected (see /Affected versions/ above) then you should upgrade or install the hot-fix as soon as possible.

*Are there any workarounds so I don't have to upgrade?*
On *NIX, use the hot fix / patch so you don't need to restart UnrealIRCd.

*Can I upgrade without restarting the IRC server?*
On Linux/BSD/.. yes. Run the following on the shell:

    wget http://www.unrealircd.org/patch/isonpatcher && sh isonpatcher

*I don't like the patch script. How can I fix this by hand?*
If, for whatever reason, you don't want to use the simple patchscript from above then you can download the .tar.gz here <https://www.unrealircd.org/patch/isonfix.tar.gz> instead. Extract it somewhere and look at the contents. Among other things it contains /isonfix.patch/. Apply that patch, recompile and rehash your UnrealIRCd. This is exactly the same as the patch script would do.

*How serious is this bug?*
Any connected user can crash the IRCd. Only if the user cannot get on the IRCd (eg: password protect hub) then he can not trigger the crash.

*When were these issues reported?*
This issue was reported 36 hours ago. The issue was confirmed less than 24 hours ago and a fix was created today.

*Updates to this advisory*
This release announcement/advisory can be found here <https://forums.unrealircd.org/viewtopic.php?f=1&t=8671>. Small corrections/updates will be posted there, if any.

*About the UnrealIRCd 4.0.11 release*
Changes between 4.0.10 and 4.0.11:

Major issues fixed:
* Fix crash issue which can be triggered by regular users
* Fix crash if TOPIC_NICK_IS_NUHOST is enabled (rarely enabled)
* Fix crash if services send an incorrect raw command (only an issue when using faulty services or ircops playing with RAW commands)

Minor issues fixed:
* Now properly support 'z' when used in set::modes-on-join

Other changes:
* Show a warning if you don't have any SSL listeners

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 2ABD 57FA 7783 5ADD C5EC 8ED7 DE93 B8B4 7E74 5EB3
From: Bram M. <sy...@un...> - 2017-02-02 08:24:17
|
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page)

LibreSSL, the library we use for SSL/TLS on Windows, has released an update. There seemed to be a security issue in the way they implemented ECDSA. This is only an issue if you use /elliptic curve certificates/, not if you use /RSA/ certificates (=the default).

We have replaced the Windows download of UnrealIRCd 4.0.10 on our website (new filename: /unrealircd-4.0.10-sslfix.exe/). If you use UnrealIRCd on Windows with an elliptic curve certificate then you should upgrade to this version.

For reference, the exact text from the LibreSSL folks is as follows:

* Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing. This is due to BN_mod_inverse() being used without the constant time flag being set. Reported by Cesar Pereida Garcia and Billy Brumley (Tampere University of Technology). The fix was developed by Cesar Pereida Garcia.

You can use /VERSION on IRC as an IRCOp(!) to figure out which LibreSSL version is in use.
If you see this then it's the *old* version with the ECDSA bug:

    [08:18:08] -irc.test.net- LibreSSL 2.4.4

After upgrading you should see this, which confirms you are using the *new* version:

    [08:30:24] -irc.test.net- LibreSSL 2.4.5

As always, you can download UnrealIRCd from www.unrealircd.org.

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 2ABD 57FA 7783 5ADD C5EC 8ED7 DE93 B8B4 7E74 5EB3
From: Bram M. <sy...@un...> - 2017-01-13 09:28:26
|
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page)

Hi everyone,

UnrealIRCd 4.0.10 is now available for download.

Nine modules have been added to UnrealIRCd. One of them brings support for WebSockets so you can access IRC directly from your web browser. A very crude UnrealIRCd + WebSocket example is available here <https://www.unrealircd.org/files/dev/ws/websocket_unrealircd.html> and should work on most browsers, including mobile. I've also created a forum thread <https://forums.unrealircd.org/viewtopic.php?f=46&t=8643> to discuss the new WebSocket support.

A number of bugs have been fixed as well. In particular a bug in all 4.0.x versions where occasionally incorrect bans would be added during server linking, such as "a!b" (note the lack of "@"), and it was then impossible to remove these bans. In 4.0.10 code has been changed so these bans are always rejected and the source of the problem has been fixed as well.

In the interest of full disclosure: one bug fixed in this release is a buffer overflow. However, on all tested Windows, Linux and FreeBSD installations it was not possible to cause remote code execution or elevation of privileges. Main reason being that there are very big buffers behind the buffer being overflowed and you can only overflow a limited number of bytes. UnrealIRCd doesn't even crash. Additionally, if this would not have been the case, UnrealIRCd 4.0.8 and later would have provided protection against remote code execution due to the included hardening. Therefore I'm releasing this version as a regular stable release with no "you must upgrade ASAP" kind of comment. UnrealIRCd 4.0.10 adds some interesting features, however, and fixes some major bugs, so I still encourage anyone to upgrade at a suitable time.

*Changes between version 4.0.9 and 4.0.10*

Improvements
* Added "websocket" module. This provides support for WebSocket (RFC6455), allowing JavaScript (internet browsers) to connect directly to IRC without the need of a 'gateway'. This module is experimental and not loaded by default. See https://www.unrealircd.org/docs/WebSocket_support for more information. This module was sponsored by Aberrant Software Inc.
* UnrealIRCd already has the ability to configure global SSL settings via the set::ssl block. Now you can also override these settings for a link block and listen block. One possible use for this would be having a long-lived self-signed certificate for server linking on a serversonly port, and a short-lived certificate for your users on the other ports (such as a certificate from Let's Encrypt). Another example would be to force TLSv1.2 for server linking but not for users. Documentation: global settings are in set::ssl <https://www.unrealircd.org/docs/Set_block#set::ssl::certificate>, port-specific settings go in listen::ssl-options <https://www.unrealircd.org/docs/Listen_block> and server link specific settings go in link::outgoing::ssl-options <https://www.unrealircd.org/docs/Link_block>.
* You can now exempt IP's from (DNSBL) blacklist checking via:

    except blacklist { mask 1.2.3.4; };

* All free modules from vulnscan.org are now included in UnrealIRCd itself. The first two modules are loaded by default (privdeaf and jumpserver). The other ones you have to load explicitly by adding /loadmodule "modulename";/ to your unrealircd.conf.
  o usermodes/privdeaf - Do not permit PM's from others (User Mode +D)
  o jumpserver - Redirect users to another server during maintenance (/JUMPSERVER command <https://www.unrealircd.org/docs/User_%26_Oper_commands#JUMPSERVER>)
  o extbans/textban <https://www.unrealircd.org/docs/Extended_Bans> - Channel specific word filtering (+b ~T:censor:*badword* and +b ~T:block:*blockthis*)
  o antirandom <https://www.unrealircd.org/docs/Set_block#set::antirandom> - Detect drones with random nicks / ident / etc.
  o m_ircops - Show which ircops are online (/IRCOPS command)
  o m_staff - Show custom file (/STAFF command)
  o nocodes - If this module is loaded it makes chanmode +S/+c also strip/block bold and underline codes
  o hideserver - Hide servers in /MAP and /LINKS (note that this does not truly enhance security)

Major issues fixed
* Incorrect bans being added during server linking, these were then impossible to remove
* Compile fixes for Ubuntu 16 LTS / gcc 5.4.x
* Crash if you had an invalid crypt password in your unrealircd.conf
* Crash if you did not load the chanmodes/nocolor module or changed the order in which modules were loaded

Minor issues fixed
* Delayjoin (channel mode +D) sending QUITs for hidden users & similar bugs
* You no longer need to place all your /class/ blocks before your /allow/ blocks
* Some error messages were not throttled
* WHO now supports multi-prefix
* Date in Windows log file for the first few messages was always 1970.

*For services and module coders*
* Services coders: "SVSMODE Nick +d" will now mark a client as deaf. Don't confuse this with "SVSMODE Nick +d <svid>". The parameter makes all the difference. Use "SVSMODE Nick +d 0" to reset/empty the stored services id.
* Module coders: changed return value handling of HOOKTYPE_RAWPACKET_IN: -1 now indicates don't parse and stop reading from the socket (return) and 0 indicates don't parse but proceed to next packet (if any). If you kill a client in this hook then be sure to return -1.

*Other*
* We've always printed big warnings when running UnrealIRCd as root. In this version we still do, but in future versions we will simply refuse to boot. https://www.unrealircd.org/docs/Do_not_run_as_root

*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows).
SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc. * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers. * Better and more helpful error messages. Especially regarding the configuration file. * More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues. * Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast). * Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter. * Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed. * Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them. * More secure. Even better secure defaults, more warnings about insecure behavior, .. * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>. For developers: * Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature. 
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted. * Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc... *Upgrading from 3.2.x**to UnrealIRCd 4* If you are upgrading from 3.2.x to 4.x then there are three important things to know: *1) New file locations* In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/. The new directory structure is as follows (both on Windows and *NIX): conf/ contains all configuration files logs/ for log files modules/ all modules (.so files on *NIX, .dll files on Windows) *2) Configuration file changes *There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion. *3) Third party modules* If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. 
Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well. *End of the 3.2.x series* UnrealIRCd 3.2.x is End Of Life since December 2015. All support for it has been stopped after 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated *Download* As always, you can download UnrealIRCd from https://www.unrealircd.org/ All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9) Please report all bugs and feature suggestions at https://bugs.unrealircd.org/ -- Bram Matthys Software developer/IT con...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
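The 4.0.10 announcement above says malformed bans such as "a!b" received during server linking are now always rejected. One way to express that kind of check, as an added example in C (not UnrealIRCd's own code; the function names, the length limit and the sample masks are assumptions constructed for illustration, and the extended-ban shape follows the ~T:... and ~S:... forms quoted in the announcement):

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MASK_LEN 200 /* assumed limit for this example, not UnrealIRCd's */

enum mask_kind { MASK_INVALID = 0, MASK_HOSTMASK, MASK_EXTBAN };

/* Classify a ban mask; anything not clearly well-formed is MASK_INVALID. */
enum mask_kind classify_ban_mask(const char *mask)
{
    size_t len, i;
    const char *bang = NULL, *at = NULL;

    if (mask == NULL)
        return MASK_INVALID;
    len = strlen(mask);
    if (len == 0 || len > MAX_MASK_LEN)
        return MASK_INVALID;

    /* Whitespace or control characters would split the IRC protocol line. */
    for (i = 0; i < len; i++)
        if (isspace((unsigned char)mask[i]) || iscntrl((unsigned char)mask[i]))
            return MASK_INVALID;

    /* Extended ban: "~<letter>:<non-empty parameter>". */
    if (mask[0] == '~') {
        if (len >= 4 && isalpha((unsigned char)mask[1]) && mask[2] == ':')
            return MASK_EXTBAN;
        return MASK_INVALID;
    }

    /* Regular ban: exactly one '!' followed later by exactly one '@'. */
    for (i = 0; i < len; i++) {
        if (mask[i] == '!') {
            if (bang || at)
                return MASK_INVALID; /* second '!' or '!' after '@' */
            bang = mask + i;
        } else if (mask[i] == '@') {
            if (at)
                return MASK_INVALID; /* second '@' */
            at = mask + i;
        }
    }
    if (!bang || !at)
        return MASK_INVALID; /* "a!b" fails here: there is no '@' */
    if (bang == mask || at == bang + 1 || at[1] == '\0')
        return MASK_INVALID; /* empty nick, user or host part */
    return MASK_HOSTMASK;
}

/* Keep only well-formed masks from a remote list; count what was dropped. */
size_t accept_remote_bans(const char *const *incoming, size_t n,
                          const char **accepted, size_t *rejected)
{
    size_t kept = 0, i;

    *rejected = 0;
    for (i = 0; i < n; i++) {
        if (classify_ban_mask(incoming[i]) != MASK_INVALID)
            accepted[kept++] = incoming[i];
        else
            (*rejected)++;
    }
    return kept;
}

/* Constructed sample of masks as a linking server might send them. */
static const char *const SAMPLE_BURST[] = {
    "*!*@*.example.net", "a!b", "~T:censor:*badword*",
    "troll!*@192.0.2.7", "nick!user@", "~S:",
};
#define SAMPLE_COUNT (sizeof(SAMPLE_BURST) / sizeof(SAMPLE_BURST[0]))

int main(void)
{
    const char *accepted[SAMPLE_COUNT];
    size_t rejected, kept, i;

    kept = accept_remote_bans(SAMPLE_BURST, SAMPLE_COUNT, accepted, &rejected);
    for (i = 0; i < kept; i++)
        printf("accept %s\n", accepted[i]);
    printf("%zu accepted, %zu rejected\n", kept, rejected);
    return 0;
}
```

Validating at the point where remote data enters the ban list matters because, as the announcement notes, an entry that does not parse as a normal mask could not be removed afterwards.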
From: Bram M. <sy...@un...> - 2017-01-06 15:00:28
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page)

Hi everyone,

UnrealIRCd 4.0.10-rc2 is now available for download.

This is the second release candidate for 4.0.10. It fixes problems with incorrect bans being set when servers are linked. The plan is to get a stable 4.0.10 out by Friday 13th.

In 4.0.10 nine modules have been added to UnrealIRCd. One of them brings support for WebSockets so you can access IRC directly from your web browser. A very crude UnrealIRCd + WebSocket example is available here <https://www.unrealircd.org/files/dev/ws/websocket_unrealircd.html> and should work on most browsers, including mobile. I've also created a forum thread <https://forums.unrealircd.org/viewtopic.php?f=46&t=8643> to discuss the new WebSocket support.

*Changes between version 4.0.9 and 4.0.10-rc2*

Improvements

* Added "websocket" module. This provides support for WebSocket (RFC6455), allowing JavaScript (internet browsers) to connect directly to IRC without the need of a 'gateway'. This module is experimental and not loaded by default. See https://www.unrealircd.org/docs/WebSocket_support for more information. This module was sponsored by Aberrant Software Inc.
* UnrealIRCd already has the ability to configure global SSL settings via the set::ssl block. Now you can also override these settings for a link block and listen block. One possible use for this would be having a long-lived self-signed certificate for server linking on a serversonly port, and a short-lived certificate for your users on the other ports (such as a certificate from Let's Encrypt). Another example would be to force TLSv1.2 for server linking but not for users. Documentation: global settings are in set::ssl <https://www.unrealircd.org/docs/Set_block#set::ssl::certificate>, port-specific settings go in listen::ssl-options <https://www.unrealircd.org/docs/Listen_block> and server link specific settings go in link::outgoing::ssl-options <https://www.unrealircd.org/docs/Link_block>.
* You can now exempt IP's from (DNSBL) blacklist checking via: /except blacklist { mask 1.2.3.4; };/
* All free modules from vulnscan.org are now included in UnrealIRCd itself. The first two modules are loaded by default (privdeaf and jumpserver). The other ones you have to load explicitly by adding /loadmodule "modulename";/ to your unrealircd.conf.
  o usermodes/privdeaf - Do not permit PM's from others (User Mode +D)
  o jumpserver - Redirect users to another server during maintenance (/JUMPSERVER command <https://www.unrealircd.org/docs/User_%26_Oper_commands#JUMPSERVER>)
  o extbans/textban <https://www.unrealircd.org/docs/Extended_Bans> - Channel specific word filtering (+b ~T:censor:*badword* and +b ~T:block:*blockthis*)
  o antirandom <https://www.unrealircd.org/docs/Set_block#set::antirandom> - Detect drones with random nicks / ident / etc.
  o m_ircops - Show which ircops are online (/IRCOPS command)
  o m_staff - Show custom file (/STAFF command)
  o nocodes - If this module is loaded it makes chanmode +S/+c also strip/block bold and underline codes
  o hideserver - Hide servers in /MAP and /LINKS (note that this does not truly enhance security)

Major issues fixed

* Compile fixes for Ubuntu 16 LTS / gcc 5.4.x
* Crash if you had an invalid crypt password in your unrealircd.conf
* Crash if you did not load the chanmodes/nocolor module or changed the order in which modules were loaded
* Incorrect bans being added during server linking

Minor issues fixed

* Delayjoin (channel mode +D) sending QUITs for hidden users & similar bugs
* WHO now supports multi-prefix
* You no longer need to place all your /class/ blocks before your /allow/ blocks
* Date in Windows log file for the first few messages was always 1970.

*For services and module coders*

* Services coders: "SVSMODE Nick +d" will now mark a client as deaf. Don't confuse this with "SVSMODE Nick +d <svid>". The parameter makes all the difference. Use "SVSMODE Nick +d 0" to reset/empty the stored services id.
* Module coders: changed return value handling of HOOKTYPE_RAWPACKET_IN: -1 now indicates don't parse and stop reading from the socket (return) and 0 indicates don't parse but proceed to next packet (if any). If you kill a client in this hook then be sure to return -1.

*Other*

* We've always printed big warnings when running UnrealIRCd as root. In this version we still do, but in future versions we will simply refuse to boot. https://www.unrealircd.org/docs/Do_not_run_as_root

*What's new in UnrealIRCd 4*

A short overview of the most important changes:

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*

If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*

In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to /C:\Program Files (x86)\UnrealIRCd 4/.

The new directory structure is as follows (both on Windows and *NIX):

conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*

There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*

If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*End of the 3.2.x series*

UnrealIRCd 3.2.x is End Of Life since December 2015. All support for it will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2016-12-31 09:56:36
Hi everyone,

UnrealIRCd 4.0.10-rc1 is now available for download.

This is a release candidate for 4.0.10. If you have some spare time to test this release it would be welcomed. This helps us get a 4.0.10 stable out.

Nine modules have been added to UnrealIRCd. One of them brings support for websockets.

*Changes between version 4.0.9 and 4.0.10-rc1*

Improvements

* Added "websocket" module. This provides support for WebSocket (RFC6455), allowing JavaScript (internet browsers) to connect directly to IRC without the need of a 'gateway'. This module is experimental and not loaded by default. See https://www.unrealircd.org/docs/WebSocket_support for more information. This module was sponsored by Aberrant Software Inc.
* UnrealIRCd already has the ability to configure global SSL settings via the set::ssl block. Now you can also override these settings for a link block and listen block. One possible use for this would be having a long-lived self-signed certificate for server linking on a serversonly port, and a short-lived certificate for your users on the other ports (such as a certificate from Let's Encrypt). Another example would be to force TLSv1.2 for server linking but not for users. Documentation: global settings are in set::ssl <https://www.unrealircd.org/docs/Set_block#set::ssl::certificate>, port-specific settings go in listen::ssl-options <https://www.unrealircd.org/docs/Listen_block> and server link specific settings go in link::outgoing::ssl-options <https://www.unrealircd.org/docs/Link_block>.
* You can now exempt IP's from (DNSBL) blacklist checking via: /except blacklist { mask 1.2.3.4; };/
* All free modules from vulnscan.org are now included in UnrealIRCd itself. The first two modules are loaded by default (privdeaf and jumpserver). The other ones you have to load explicitly by adding /loadmodule "modulename";/ to your unrealircd.conf.
  o usermodes/privdeaf - Do not permit PM's from others (User Mode +D)
  o jumpserver - Redirect users to another server during maintenance (/JUMPSERVER command <https://www.unrealircd.org/docs/User_%26_Oper_commands#JUMPSERVER>)
  o extbans/textban <https://www.unrealircd.org/docs/Extended_Bans> - Channel specific word filtering (+b ~T:censor:*badword* and +b ~T:block:*blockthis*)
  o antirandom <https://www.unrealircd.org/docs/Set_block#set::antirandom> - Detect drones with random nicks / ident / etc.
  o m_ircops - Show which ircops are online (/IRCOPS command)
  o m_staff - Show custom file (/STAFF command)
  o nocodes - If this module is loaded it makes chanmode +S/+c also strip/block bold and underline codes
  o hideserver - Hide servers in /MAP and /LINKS (note that this does not truly enhance security)

Major issues fixed

* Compile fixes for Ubuntu 16 LTS / gcc 5.4.x
* Crash if you had an invalid crypt password in your unrealircd.conf
* Crash if you did not load the chanmodes/nocolor module or changed the order in which modules were loaded

Minor issues fixed

* Delayjoin (channel mode +D) sending QUITs for hidden users & similar bugs
* WHO now supports multi-prefix
* You no longer need to place all your /class/ blocks before your /allow/ blocks
* Date in Windows log file for the first few messages was always 1970.

*For services and module coders*

* Services coders: "SVSMODE Nick +d" will now mark a client as deaf. Don't confuse this with "SVSMODE Nick +d <svid>". The parameter makes all the difference. Use "SVSMODE Nick +d 0" to reset/empty the stored services id.
* Module coders: changed return value handling of HOOKTYPE_RAWPACKET_IN: -1 now indicates don't parse and stop reading from the socket (return) and 0 indicates don't parse but proceed to next packet (if any). If you kill a client in this hook then be sure to return -1.

*Other*

* We've always printed big warnings when running UnrealIRCd as root. In this version we still do, but in future versions we will simply refuse to boot. https://www.unrealircd.org/docs/Do_not_run_as_root

*What's new in UnrealIRCd 4*

A short overview of the most important changes:

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*

If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*

In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to /C:\Program Files (x86)\UnrealIRCd 4/.

The new directory structure is as follows (both on Windows and *NIX):

conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*

There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*

If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*End of the 3.2.x series*

UnrealIRCd 3.2.x is End Of Life since December 2015. All support for it will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2016-12-11 08:25:29
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page)

If you are still running UnrealIRCd 3.2.x then this is a friendly reminder to upgrade to UnrealIRCd 4 before the end of the year. As announced a year ago, all support for UnrealIRCd 3.2.x will stop after December 31, 2016. This also means no more security updates.

UnrealIRCd 4 is in use by many networks and has proven to be stable and reliable. Many third party modules have been converted as well. Upgrading from 3.2.x to 4.x should be relatively easy. Your configuration file can be updated to the new format automatically. For more information see the section /Upgrading from 3.2.x to UnrealIRCd 4/ below.

*What's new in UnrealIRCd 4*

A short overview of the most important changes:

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*

If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*

In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to /C:\Program Files (x86)\UnrealIRCd 4/.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core enhancements in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
When UnrealIRCd 4.0.0 was released a year ago, on December 24 2015, we also announced the end of the 3.2.x series. All support - including security updates - for the 3.2.x series will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@vu...> - 2016-12-03 11:51:01
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page)

Hi everyone,

An issue was discovered in the UnrealIRCd 4.0.x series which allows you to create a "ghost" user. This requires a minimum of two linked UnrealIRCd 4.0.x servers.

A "ghost" is a user which does not really exist. As with most ghost user bugs in the IRC protocol it will cause some confusion/annoyances to users but does not lead to any privilege escalation. In this case, however, it can also result in UnrealIRCd failing to free resources for the user. The result is a memory leak of 400 to 4000 bytes per user. The memory is only freed after UnrealIRCd is terminated or restarted.

When the bug is abused it is quite noticeable as for each successful attempt IRCOps would see a KILL message. To put things in perspective: about 25,000 connects are required to consume 100 MB of memory. Ultimately, an attacker may cause UnrealIRCd to consume so much memory that the IRCd will terminate.

We have released UnrealIRCd 4.0.9 which addresses this issue. There is also a "hot fix" available so you can patch your server _without requiring an UnrealIRCd restart_. See below.

We recommend you to apply the "hot fix" or upgrade somewhere this weekend. It's better to do a peaceful planned upgrade now than having to rush an upgrade later while people are abusing this bug.

*Affected versions*
All UnrealIRCd 4.0.x versions before 4.0.9

*How to get the fix/patch?*
Windows users should download and install UnrealIRCd 4.0.9.
Linux/BSD/.. users can also install 4.0.9 *OR* you can choose to patch UnrealIRCd on-the-fly _without a restart_. Since the patch is usually the easiest and most user friendly solution, we recommend it. Run the following on the IRC shell:

    wget http://www.unrealircd.org/patch/ghostpatcher && sh ghostpatcher

*Q&A*

*Have there been any reports of these bugs being abused by anyone?*
Not yet.

*Should I upgrade?*
The attack is very detectable, but we do recommend an upgrade/hot-fix. It's better to do a peaceful planned upgrade than having to rush an upgrade later while people are abusing this bug.

*Are there any workarounds so I don't have to upgrade?*
On *NIX, use the hot fix / patch so you don't need to restart UnrealIRCd.

*Can I upgrade without restarting the IRC server?*
On Windows no, but on Linux/BSD/.. yes you can. Run the following on the shell:

    wget http://www.unrealircd.org/patch/ghostpatcher && sh ghostpatcher

*I don't like the patch script. How can I fix this by hand?*
Open src/modules/m_nick.c in an editor. Around line 478 change:

    (void)strlcpy(sptr->name, nick, NICKLEN);

To:

    (void)strlcpy(sptr->name, nick, NICKLEN+1);

Then save, recompile and rehash your UnrealIRCd.
This is exactly the same as the patch script would do.

*How serious is this bug?*
The bug leads to resource consumption and some user confusion. For a full explanation see the beginning of this announcement. Then, make your own decision.

*When were these issues reported?*
This issue was reported less than 24 hours before the fix release.

*Updates to this advisory*
This release announcement/advisory can be found here <https://forums.unrealircd.org/viewtopic.php?f=1&t=8625>. Small corrections/updates will be posted there, if any.

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 2ABD 57FA 7783 5ADD C5EC 8ED7 DE93 B8B4 7E74 5EB3
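The hand fix in the advisory above changes only the size argument of strlcpy. The following is an added example, not UnrealIRCd code, showing why that one argument matters: the size passed to strlcpy counts the terminating NUL, so a size of NICKLEN keeps at most NICKLEN-1 characters and the stored name no longer equals the nick that was requested. The value NICKLEN 30, the `struct client` layout, `ex_strlcpy`, and the `set_nick_*` helpers are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NICKLEN 30 /* assumed value for this example */

/* Hypothetical stand-in for the client record: NICKLEN characters + NUL. */
struct client {
    char name[NICKLEN + 1];
};

/* Portable equivalent of strlcpy (named ex_strlcpy to avoid clashing with
 * a libc that ships its own): copies at most size-1 bytes, always
 * NUL-terminates when size > 0, and returns strlen(src). */
static size_t ex_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);

    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* "Before" form quoted in the advisory: size NICKLEN, so a nick of exactly
 * NICKLEN characters silently loses its last character. */
size_t set_nick_before(struct client *c, const char *nick)
{
    return ex_strlcpy(c->name, nick, NICKLEN);
}

/* "After" form quoted in the advisory: size NICKLEN+1 matches the buffer. */
size_t set_nick_after(struct client *c, const char *nick)
{
    return ex_strlcpy(c->name, nick, NICKLEN + 1);
}

/* Defensive variant: derive the size from the destination itself and treat
 * truncation as an error instead of storing a different name.
 * Returns 0 on success, -1 if the nick did not fit (name is cleared). */
int set_nick_checked(struct client *c, const char *nick)
{
    size_t need = ex_strlcpy(c->name, nick, sizeof c->name);

    if (need >= sizeof c->name) {
        c->name[0] = '\0';
        return -1;
    }
    return 0;
}

/* 1 when the stored name is exactly the nick the caller asked for. */
int stored_name_matches(const struct client *c, const char *nick)
{
    return strcmp(c->name, nick) == 0;
}

int main(void)
{
    /* Constructed sample: a nick of exactly NICKLEN (30) characters. */
    const char *nick = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcd";
    struct client c;

    set_nick_before(&c, nick);
    printf("before: stored %zu chars, matches=%d\n",
           strlen(c.name), stored_name_matches(&c, nick));

    set_nick_after(&c, nick);
    printf("after:  stored %zu chars, matches=%d\n",
           strlen(c.name), stored_name_matches(&c, nick));
    return 0;
}
```

Passing `sizeof` of the destination and checking the return value, as `set_nick_checked` does, keeps the size tied to the buffer and turns a silent truncation into a visible error.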
From: Bram M. <sy...@un...> - 2016-11-18 15:23:04
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page)

Hi everyone,

There have been a number of point releases since 4.0.8. Current version *4.0.8.4* should address all *NIX compile problems that 4.0.8 introduced on a number of OS's/distro's. The Windows version is still at *4.0.8* since there have been no Windows changes.

If you already successfully built UnrealIRCd 4.0.8 then there is no reason to upgrade to 4.0.8.4 as it contains build fixes only.

We are now using Travis CI and another autobuild to make sure that commits/releases are automatically tested on a number of operating systems with various different settings. This should reduce the chance of build problems significantly.

*Changes between version 4.0.7 and 4.0.8*

*Improvements*
* *NIX: As part of defense-in-depth UnrealIRCd now compiles with several hardening options by default. This makes several types of exploits more difficult and in some cases even impossible. Tech: this enables full RELRO (GOT and PLT being read-only), everything compiled as PIE making ASLR possible, stack protector canaries are added, etc.
* Windows: releases are now signed. If you download the UnrealIRCd installer the publisher will now show as "Open Source Developer, Bram Matthys" rather than "Unknown publisher". Similarly all the EXE and DLL files have been signed which should make it easy for anti virus software to see if something is an official UnrealIRCd release file or not.

*Major issues fixed*
* Possible crash if you have several blacklist blocks

*Minor issues fixed*
* User mode +d (deaf) did not work

*Other changes*
* We've always printed big warnings when running UnrealIRCd as root. In this version we still do, but in future versions we will simply refuse to boot.
https://www.unrealircd.org/docs/Do_not_run_as_root * System c-ares is preferred over our own shipped c-ares * System cURL is preferred over ~/curl (if it has AsynchDNS) * Our shipped libraries are no longer built as static * Now that shipped libraries are dynamic they need to be installed somewhere (if used). The default location is ~/unrealircd/lib and can be changed via --with-privatelibdir. (Although, if you are a package builder then you will probably use --with-system-xxx and then private libraries are not used at all) *What's new in UnrealIRCd 4 *A short overview of the most important changes:* * * <https://www.unrealircd.org/docs/Modules>You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have. * Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible. * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members. * New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. 
On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging. * New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily. * Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc. * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers. * Better and more helpful error messages. Especially regarding the configuration file. * More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues. * Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast). * Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter. * Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed. 
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them. * More secure. Even better secure defaults, more warnings about insecure behavior, .. * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>. For developers: * Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature. * Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted. * Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc... *Upgrading from 3.2.x**to UnrealIRCd 4* If you are upgrading from 3.2.x to 4.x then there are three important things to know: *1) New file locations* In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/. The new directory structure is as follows (both on Windows and *NIX): conf/ contains all configuration files logs/ for log files modules/ all modules (.so files on *NIX, .dll files on Windows) *2) Configuration file changes *There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. 
There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2016-11-11 10:04:08
Hi everyone,

UnrealIRCd 4.0.8 is out. On *NIX this version brings security enhancements. On Windows releases are now signed. It also fixes one major and one minor issue.

*Changes between version 4.0.7 and 4.0.8*

*Improvements*
* *NIX: As part of defense-in-depth UnrealIRCd now compiles with several hardening options by default. This makes several types of exploits more difficult and in some cases even impossible. Tech: this enables full RELRO (GOT and PLT being read-only), everything compiled as PIE making ASLR possible, stack protector canaries are added, etc.
* Windows: releases are now signed. If you download the UnrealIRCd installer the publisher will now show as "Open Source Developer, Bram Matthys" rather than "Unknown publisher". Similarly all the EXE and DLL files have been signed which should make it easy for anti virus software to see if something is an official UnrealIRCd release file or not.

*Major issues fixed*
* Possible crash if you have several blacklist blocks

*Minor issues fixed*
* User mode +d (deaf) did not work

*Other changes*
* We've always printed big warnings when running UnrealIRCd as root. In this version we still do, but in future versions we will simply refuse to boot. https://www.unrealircd.org/docs/Do_not_run_as_root
* System c-ares is preferred over our own shipped c-ares
* System cURL is preferred over ~/curl (if it has AsynchDNS)
* Our shipped libraries are no longer built as static
* Now that shipped libraries are dynamic they need to be installed somewhere (if used). The default location is ~/unrealircd/lib and can be changed via --with-privatelibdir. (Although, if you are a package builder then you will probably use --with-system-xxx and then private libraries are not used at all)

*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>.
We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have. * Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible. * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members. * New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging. * New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily. * Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). 
SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc. * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers. * Better and more helpful error messages. Especially regarding the configuration file. * More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues. * Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast). * Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter. * Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed. * Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them. * More secure. Even better secure defaults, more warnings about insecure behavior, .. * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>. For developers: * Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature. 
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted. * Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc... *Upgrading from 3.2.x**to UnrealIRCd 4* If you are upgrading from 3.2.x to 4.x then there are three important things to know: *1) New file locations* In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/. The new directory structure is as follows (both on Windows and *NIX): conf/ contains all configuration files logs/ for log files modules/ all modules (.so files on *NIX, .dll files on Windows) *2) Configuration file changes *There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion. *3) Third party modules* If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. 
Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2016-10-30 13:41:59
Hi everyone,

UnrealIRCd 4.0.8-rc1 is now available for download. This first Release Candidate for 4.0.8 is released early because there were a number of build system changes that warrant further testing. Please report any issues on bugs.unrealircd.org <https://bugs.unrealircd.org/>.

*Changes between version 4.0.7 and 4.0.8-rc1*

*Improvements*
* *NIX: As part of defense-in-depth UnrealIRCd now compiles with several hardening options by default. This makes several types of exploits more difficult and in some cases even impossible. Tech: this enables full RELRO (GOT and PLT being read-only), everything compiled as PIE making ASLR possible, stack protector canaries are added, etc.
* Windows: releases are now signed. If you download the UnrealIRCd installer the publisher will now show as "Open Source Developer, Bram Matthys" rather than "Unknown publisher". Similarly all the EXE and DLL files have been signed which should make it easy for anti virus software to see if something is an official UnrealIRCd release file or not.

*Major issues fixed*
* Possible crash if you have several blacklist blocks

*Minor issues fixed*
* None

*Other changes*
* System c-ares is preferred over our own shipped c-ares
* System cURL is preferred over ~/curl (if it has AsynchDNS)
* Our shipped libraries are no longer built as static
* Now that shipped libraries are dynamic they need to be installed somewhere (if used). The default location is ~/unrealircd/lib and can be changed via --with-privatelibdir. (Although, if you are a package builder then you will probably use --with-system-xxx and then private libraries are not used at all)

*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>.
We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.

* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*

If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*

In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd on *NIX. On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.

The new directory structure is as follows (both on Windows and *NIX):

conf/     contains all configuration files
logs/     for log files
modules/  all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*

There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*

If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*

You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*

With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
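An added example, not part of the announcement or of UnrealIRCd's own tooling: a shell check that accepts a downloaded release only when GnuPG reports a valid signature from a key whose fingerprint ends in the long key id quoted above, rather than trusting the 32-bit short id. It assumes the release key is already in the local keyring; the function name, the RELEASE file names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Long key id exactly as printed in the announcement. The 32-bit short id
# (108FF4A9) is easy to collide, so it is never used for the decision.
EXPECTED_LONG_ID="A7A21B0A108FF4A9"

# release_sig_ok (hypothetical helper): reads machine-readable gpg status
# lines on stdin and succeeds only if a VALIDSIG line names a signing-key or
# primary-key fingerprint ending in EXPECTED_LONG_ID and no failure is seen.
release_sig_ok() {
    awk -v want="$EXPECTED_LONG_ID" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, revoked-key or expired-key signatures all fail.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" || $2 == "EXPKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            signer  = toupper($3)     # fingerprint of the key that signed
            primary = toupper($NF)    # primary key fingerprint (last field)
            n = length(want)
            if (substr(signer,  length(signer)  - n + 1) == want ||
                substr(primary, length(primary) - n + 1) == want) ok = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# Real use (RELEASE.tar.gz and RELEASE.tar.gz.asc are placeholder names):
#   gpg --status-fd 1 --verify RELEASE.tar.gz.asc RELEASE.tar.gz 2>/dev/null | release_sig_ok

# Constructed status output; the leading fingerprint digits are placeholders.
SAMPLE_GOOD='[GNUPG:] GOODSIG A7A21B0A108FF4A9 Constructed Signer
[GNUPG:] VALIDSIG 000000000000000000000000A7A21B0A108FF4A9 2015-12-24 1450915200 0 4 0 1 8 00 000000000000000000000000A7A21B0A108FF4A9'

# Valid signature from a different key that shares only the short id.
SAMPLE_SHORT_ID_COLLISION='[GNUPG:] GOODSIG DEADBEEF108FF4A9 Constructed Other
[GNUPG:] VALIDSIG 000000000000000000000000DEADBEEF108FF4A9 2015-12-24 1450915200 0 4 0 1 8 00 000000000000000000000000DEADBEEF108FF4A9'

# Tampered file: gpg reports BADSIG and no VALIDSIG line.
SAMPLE_BAD='[GNUPG:] BADSIG A7A21B0A108FF4A9 Constructed Signer'
```

The long id is only the last 64 bits of the key fingerprint, so pinning the full fingerprint obtained from the project is stronger where it is available.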