unreal-notify Mailing List for UnrealIRCd (Page 6)
Status: Beta
Brought to you by:
wildchild
From: Bram M. <sy...@un...> - 2016-10-09 12:18:29
Hi everyone,

Today we present 4.0.7 (stable). SSL/TLS security has been improved and an issue on FreeBSD preventing SSL server linking from working correctly has been resolved. Compared to 4.0.7-rc1 from a week ago the changes are minimal.

*Changes between version 4.0.6 and 4.0.7*

Improvements

* UnrealIRCd now ships with a default ciphersuite list to have more secure SSL/TLS defaults (rather than relying on your OS/Distro). You can still customize ciphersuites through set::ssl::ciphers. See also the wiki article <https://www.unrealircd.org/docs/SSL_Ciphers_and_protocols>.
* set::ssl::protocols allows you to specify which SSL/TLS protocols are permitted. The default is (still): TLSv1,TLSv1.1,TLSv1.2.
* Windows: remote includes now support IPv6

Major issues fixed

* FreeBSD: unstable SSL links to other servers

Minor issues fixed

* It was impossible to set both +b ~r:xyz and +b ~R:xyz

*Removed the following rarely used build-time options*

* /CHROOTDIR/: Never worked in 4.0.x anyway. You should use AppArmor, SELinux, FreeBSD jails, etc. as an alternative.
* /IRC_USER/IRC_GROUP/: Since this only applies to users installing UnrealIRCd system-wide you should use your system services to do this as well. Use systemd's User=xx or good ol' start-stop-daemon.

*Other changes*

* PCRE2 and c-ares libraries updated to latest versions
* PDF documentation removed from c-ares library to save 1 Mb
* Updated curl-ca-bundle to latest version
* Module coders: You can use modinfo now again in MOD_LOAD, just like in MOD_INIT

*What's new in UnrealIRCd 4*

A short overview of the most important changes:

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*

If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*

In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from.
By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX.
On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/.

The new directory structure is as follows (both on Windows and *NIX):

conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*

There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*

If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*

You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*

With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2016-10-01 14:13:32
Hi everyone,

The first release candidate for 4.0.7 is now available for download: 4.0.7-rc1. SSL/TLS security has been improved and an issue on FreeBSD preventing SSL server linking from working correctly has been resolved.

*Changes between version 4.0.6 and 4.0.7-rc1*

Improvements

* UnrealIRCd now ships with a default ciphersuite list to have more secure SSL/TLS defaults (rather than relying on your OS/Distro). You can still customize ciphersuites through set::ssl::ciphers. See also the wiki article <https://www.unrealircd.org/docs/SSL_Ciphers_and_protocols>.
* set::ssl::protocols allows you to specify which SSL/TLS protocols are permitted. The default is (still): TLSv1,TLSv1.1,TLSv1.2.
* Windows: remote includes now support IPv6

Major issues fixed

* FreeBSD: unstable SSL links to other servers

Minor issues fixed

* It was impossible to set both +b ~r:xyz and +b ~R:xyz

*Removed the following rarely used build-time options*

* /CHROOTDIR/: Never worked in 4.0.x anyway. You should use AppArmor, SELinux, FreeBSD jails, etc. as an alternative.
* /IRC_USER/IRC_GROUP/: Since this only applies to users installing UnrealIRCd system-wide you should use your system services to do this as well. Use systemd's User=xx or good ol' start-stop-daemon.

*Other changes*

* PCRE2 and c-ares libraries updated to latest versions

*What's new in UnrealIRCd 4*

A short overview of the most important changes:

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*

If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*

In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from.
By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX.
On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/.

The new directory structure is as follows (both on Windows and *NIX):

conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*

There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*

If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*

You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*

With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2016-09-03 20:39:26
You can now use our *online SASL bug security check*, to see if your server is vulnerable.
It can be found on https://www.unrealircd.org/check_sasl.php
Just enter your server IP and it will show if your server is vulnerable or not.

NOTE: This only works reliably on UnrealIRCd servers. Don't use it for other IRC server brands!

Bram Matthys wrote on 3-9-2016 21:25:
> Hi everyone,
>
> A security issue was detected in a number of IRCd's, including UnrealIRCd, regarding the way SASL is implemented.
> If you use services _and_ have SASL enabled (you need to do this explicitly) then you should patch or upgrade as soon as possible.
> _While this only affects 2% of our userbase, for those networks which are affected this is a very serious issue_. If you are affected you can upgrade to one of the new UnrealIRCd releases or you can upgrade their existing UnrealIRCd _without a restart_ (see below)
>
> Note that releases and this security announcement have been made in a hurry. Details on this issue are already available online at other websites.
>
> *Issue details*
> An attacker can send an SSL fingerprint of his choice to services when doing SASL authentication. An attacker can compromise a services account if the user has an SSL fingerprint stored in services.
>
> *How to check if you are affected (how do I know if I use SASL?)*
> You are only affected if all of the following is true:
>
> 1. SASL is enabled in UnrealIRCd: *check if set::sasl-server is set* to a valid server
> 2. Your services support SASL (eg: anope)
> 3. Your services support SSL fingerprint authentication (eg: anope)
>
> *How to get the fix/patch?*
>
> Windows users should download and install UnrealIRCd 4.0.6 or 3.2.10.7.
>
> Linux/BSD/.. users can also install 4.0.6 / 3.2.10.7 *OR* you can choose to patch UnrealIRCd on-the-fly without a restart.
> Since the patch is usually the easiest and most user friendly solution, we recommend it. Run the following on the IRC shell:
> wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
>
> *Q&A*
>
> *Have there been any reports of these bugs being abused by anyone?*
> We don't know. It sounds likely, the issue is very easy to exploit.
>
> *Should I upgrade?*
> If you use SASL authentication then yes you should definitely upgrade. If you do not have SASL enabled then there is no need to upgrade at this time, this is true for most of our users (98%).
>
> *Are there any workarounds so I don't have to upgrade?*
> As a very quick workaround you could disable SASL entirely by removing the set::sasl-server setting and rehashing the IRCd.
> You could also disable SASL at the services level. For anope you do this by unloading the m_sasl module (in anope).
>
> *Can I upgrade without restarting the IRC server?*
> On Windows no, but on Linux/BSD/.. yes you can. Run the following on the shell:
> wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
>
> *How serious are these bugs?*
> See the /Issue details/ above. If you are affected then all user accounts with an SSL fingerprint for authentication can be compromised.
>
> *When were these issues reported?*
> This issue was reported a few hours ago. Details of the exploit were already available online before this fix and security announcement were available, so everything has been written in a rush.
>
> *Updates to this advisory*
> This release announcement/advisory can be found here <https://forums.unrealircd.org/viewtopic.php?f=1&t=8588>. Small corrections/updates will be posted there, if any.
>
> ------------------------------------------------------------------------------
>
> *What's new in UnrealIRCd 4*
>
> A short overview of the most important changes:
>
> * You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
> * Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
> * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
> * New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
> * New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
> * Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
> * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
> * Better and more helpful error messages. Especially regarding the configuration file.
> * More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
> * Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
> * Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
> * Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
> * Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
> * More secure. Even better secure defaults, more warnings about insecure behavior, ..
> * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
>
> For developers:
>
> * Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
> * Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
> * Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...
>
> *Upgrading from 3.2.x to UnrealIRCd 4*
>
> If you are upgrading from 3.2.x to 4.x then there are three important things to know:
>
> *1) New file locations*
> In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from.
> By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX.
> On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/.
>
> The new directory structure is as follows (both on Windows and *NIX):
> conf/ contains all configuration files
> logs/ for log files
> modules/ all modules (.so files on *NIX, .dll files on Windows)
>
> *2) Configuration file changes*
> There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch.
> Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.
>
> *3) Third party modules*
> If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.
>
> *Running a mixed 3.2.x / 4.x network*
> You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
>
> *End of the 3.2.x series*
> With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016.
> See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
>
> *Download*
> As always, you can download UnrealIRCd from https://www.unrealircd.org/
> All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)
>
> Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
> --
> Bram Matthys
> Software developer/IT con...@vu...
> Website:www.vulnscan.org
> PGP key:www.vulnscan.org/pubkey.asc
> PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

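Condition 1 of the quoted advisory (is set::sasl-server set?) and the set::ssl::protocols setting from the 4.0.7 announcements can both be read out of a configuration file with a small parser that ignores commented-out lines. This is an added example, not part of the original e-mails and not UnrealIRCd code; the function names and the sample configuration are constructed for illustration, the block/semicolon syntax handling is an assumption, and files pulled in through include are not followed.

```python
"""Read settings such as set::sasl-server from UnrealIRCd-style config text."""
import re

# Default stated in the 4.0.7 announcement for set::ssl::protocols.
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"

TOKEN = re.compile(r'''
    /\*.*?\*/             # block comment
  | //[^\n]*              # line comment
  | \#[^\n]*              # line comment
  | "(?:\\.|[^"\\])*"     # quoted string (may contain braces and semicolons)
  | [{};]                 # block and statement delimiters
  | [^\s{};"]+            # bare word
''', re.S | re.X)


def tokenize(text):
    """Yield config tokens, dropping comments so disabled lines never count."""
    for match in TOKEN.finditer(text):
        tok = match.group(0)
        if not tok.startswith(("/*", "//", "#")):
            yield tok


def parse(tokens):
    """Turn a token iterator into a list of (name, values, children) tuples."""
    items, words = [], []
    for tok in tokens:
        if tok == "{":
            children = parse(tokens)          # consumes up to the matching '}'
            items.append((words[0] if words else "", words[1:], children))
            words = []
        elif tok == "}":
            break
        elif tok == ";":
            if words:
                items.append((words[0], words[1:], []))
            words = []
        else:
            words.append(tok[1:-1] if tok.startswith('"') else tok)
    return items


def lookup(conf_text, path):
    """Return every value set for a path written as in the docs, e.g. set::ssl::protocols."""
    level = parse(tokenize(conf_text))
    *blocks, leaf = path.split("::")
    for block in blocks:
        level = [child for name, _, kids in level if name == block for child in kids]
    return [values[0] for name, values, _ in level if name == leaf and values]


def sasl_server(conf_text):
    """Advisory condition 1: the configured set::sasl-server, or None if unset."""
    servers = lookup(conf_text, "set::sasl-server")
    return servers[-1] if servers else None


def permitted_protocols(conf_text):
    """Protocols listed in set::ssl::protocols, falling back to the stated default."""
    values = lookup(conf_text, "set::ssl::protocols")
    raw = values[-1] if values else DEFAULT_PROTOCOLS
    return [p.strip() for p in raw.split(",")]


# Constructed sample configuration (not taken from any real network).
SAMPLE = r'''
/* constructed sample */
me { info "set { sasl-server x; };"; };   // text inside a string is not a setting
set {
    network-name "ExampleNet";
    # sasl-server "old-services.example.net";
    // sasl-server "disabled.example.net";
    ssl {
        protocols "TLSv1.1,TLSv1.2";
    };
};
set { sasl-server "services.example.net"; };
'''

if __name__ == "__main__":
    server = sasl_server(SAMPLE)
    if server:
        print("set::sasl-server is set to", server,
              "- check conditions 2 and 3 of the advisory on the services side")
    else:
        print("set::sasl-server is not set")
    print("permitted protocols:", ", ".join(permitted_protocols(SAMPLE)))
```

A result of None only settles condition 1 for the text that was parsed; conditions 2 and 3 of the advisory depend on the services package.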
From: Bram M. <sy...@un...> - 2016-09-03 19:38:22
|
Hi everyone,

A security issue was detected in a number of IRCd's, including UnrealIRCd, regarding the way SASL is implemented. If you use services _and_ have SASL enabled (you need to do this explicitly) then you should patch or upgrade as soon as possible.

_While this only affects 2% of our userbase, for those networks which are affected this is a very serious issue_.

If you are affected you can upgrade to one of the new UnrealIRCd releases or you can upgrade your existing UnrealIRCd _without a restart_ (see below).

Note that releases and this security announcement have been made in a hurry. Details on this issue are already available online at other websites.

*Issue details*
An attacker can send an SSL fingerprint of his choice to services when doing SASL authentication. An attacker can compromise a services account if the user has an SSL fingerprint stored in services.

*How to check if you are affected (how do I know if I use SASL?)*
You are only affected if all of the following is true:
1. SASL is enabled in UnrealIRCd: *check if set::sasl-server is set* to a valid server
2. Your services support SASL (eg: anope)
3. Your services support SSL fingerprint authentication (eg: anope)

*How to get the fix/patch?*
Windows users should download and install UnrealIRCd 4.0.6 or 3.2.10.7.
Linux/BSD/.. users can also install 4.0.6 / 3.2.10.7 *OR* you can choose to patch UnrealIRCd on-the-fly without a restart. Since the patch is usually the easiest and most user friendly solution, we recommend it. Run the following on the IRC shell:
wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher

*Q&A*
*Have there been any reports of these bugs being abused by anyone?*
We don't know. It sounds likely, the issue is very easy to exploit.

*Should I upgrade?*
If you use SASL authentication then yes you should definitely upgrade. If you do not have SASL enabled then there is no need to upgrade at this time, this is true for most of our users (98%).

*Are there any workarounds so I don't have to upgrade?*
As a very quick workaround you could disable SASL entirely by removing the set::sasl-server setting and rehashing the IRCd. You could also disable SASL at the services level. For anope you do this by unloading the m_sasl module (in anope).

*Can I upgrade without restarting the IRC server?*
On Windows no, but on Linux/BSD/.. yes you can. Run the following on the shell:
wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher

*How serious are these bugs?*
See the /Issue details/ above. If you are affected then all user accounts with an SSL fingerprint for authentication can be compromised.

*When were these issues reported?*
This issue was reported a few hours ago. Details of the exploit were already available online before this fix and security announcement were available, so everything has been written in a rush.

*Updates to this advisory*
This release announcement/advisory can be found here <https://forums.unrealircd.org/viewtopic.php?f=1&t=8588>. Small corrections/updates will be posted there, if any.

------------------------------------------------------------------------------

What's new in UnrealIRCd 4
*A short overview of the most important changes:*

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.

The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2016-07-28 18:43:33
|
Apologies. The initial 4.0.5 download was killing innocent users ("flood from unknown connection") due to a silly mistake from me. The 4.0.5 download has now been replaced and checksums etc. have been updated.

If you were among one of the 41 downloaders (28 unique ip's) who downloaded UnrealIRCd 4.0.5 between initial release and this fix, then please re-download 4.0.5 from www.unrealircd.org <https://www.unrealircd.org/> and install the fixed version. I'm really sorry for the trouble.

In case anyone wonders: automated testing didn't catch this issue because the tests ran on localhost/LAN, resulting in no recvq. And we couldn't push out any release candidate (which results in a lot more testing) because this was a security release... :(

Anyway, please still do upgrade to UnrealIRCd 4.0.5 somewhere in the next few days (now with this new fixed version). See the release announcement / security advisory below.

Bram Matthys wrote on 28-7-2016 16:22:
>
> Hi everyone,
>
> UnrealIRCd 4.0.5 has been released today. *We recommend everyone to upgrade* somewhere in the next few days. This release fixes the following serious issues:
>
> * Fix crash issue (read-after-free)
> * Prevent flood from unknown connection
> * Bans on IPv6 cloaked hosts had no effect
>
> These issues affect all 4.0.x versions until now.
>
> *Issue details*
> The crash is rare under normal circumstances. However, it is possible to trigger the crash remotely on-purpose if you know how.
> The crash issue has a CVSS score of 7.5 (High): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RC:C
>
> The "unknown connection flood" issue allows an attacker to consume IRCd resources. We have an "unknown flood" protection mechanism which was supposed to kick in and kill the user, but it didn't always do this in time.
> The unknown connection flood issue has a CVSS score of 5.3 (Medium): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/RC:C
>
> Finally, the IPv6 ban bug is an obvious mistake. Bans on nick, ident, hosts, IPv4 real IP's, IPv6 real IPs, vhosts, etc.. all work.. but bans on IPv6 cloaked hosts do not (+b *!*@XXXXXXX:YYYYYYY:ZZZZZZZ). If you ban a user with such a mask, they can still (re)join and speak. You can temporarily work around this bug by replacing the colons with question marks (+b *!*@XXXXXXX?YYYYYYY?ZZZZZZZ).
>
> *Q&A*
> *Have there been any reports of these bugs being abused by anyone?*
> We have had no reports of the crash or flood bug being abused by anyone. However, we recommend everyone to upgrade somewhere in the next couple of days.
>
> *Should I upgrade?*
> Yes.
>
> *Are there any workarounds so I don't have to upgrade?*
> For the IPv6 ban bug on cloaked hosts there's a workaround, see /Issue details/ above. For the other bugs there is no workaround available.
>
> *Can I upgrade without restarting the IRC server?*
> No. Although a lot of UnrealIRCd is modularized, these bugs are located in the "core", which cannot be upgraded without a restart.
>
> *How serious are these bugs?*
> See the /Issue details/ above. These include CVSS scores.
>
> *When were these issues reported?*
> The IPv6 ban issue was reported yesterday. The crash issue was reported before but the cause of it was very hard to trace. It was finally traced and fixed today. The flood issue was found recently during our own tests. We decided to bundle it with the other two fixes.
>
> *Updates to this advisory*
> This release announcement/advisory can be found here <https://forums.unrealircd.org/viewtopic.php?f=1&t=8568>. Small corrections/updates will be posted there, if any.
>
> What's new in UnrealIRCd 4
> *A short overview of the most important changes:*
>
> * You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
> * Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
> * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
> * New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
> * New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
> * Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
> * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
> * Better and more helpful error messages. Especially regarding the configuration file.
> * More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
> * Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
> * Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
> * Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
> * Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
> * More secure. Even better secure defaults, more warnings about insecure behavior, ..
> * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
>
> For developers:
>
> * Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
> * Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
> * Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...
>
> *Upgrading from 3.2.x to UnrealIRCd 4*
> If you are upgrading from 3.2.x to 4.x then there are three important things to know:
>
> *1) New file locations*
> In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from.
> By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
> On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
>
> The new directory structure is as follows (both on Windows and *NIX):
> conf/ contains all configuration files
> logs/ for log files
> modules/ all modules (.so files on *NIX, .dll files on Windows)
>
> *2) Configuration file changes*
> There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch.
> Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.
>
> *3) Third party modules*
> If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.
>
> *Running a mixed 3.2.x / 4.x network*
> You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
>
> *End of the 3.2.x series*
> With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016.
> See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
>
> *Download*
> As always, you can download UnrealIRCd from https://www.unrealircd.org/
> All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)
>
> Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
> --
> Bram Matthys
> Software developer/IT con...@vu...
> Website: www.vulnscan.org
> PGP key: www.vulnscan.org/pubkey.asc
> PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2016-07-28 14:22:35
|
Hi everyone,

UnrealIRCd 4.0.5 has been released today. *We recommend everyone to upgrade* somewhere in the next few days. This release fixes the following serious issues:

* Fix crash issue (read-after-free)
* Prevent flood from unknown connection
* Bans on IPv6 cloaked hosts had no effect

These issues affect all 4.0.x versions until now.

*Issue details*
The crash is rare under normal circumstances. However, it is possible to trigger the crash remotely on-purpose if you know how.
The crash issue has a CVSS score of 7.5 (High): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RC:C

The "unknown connection flood" issue allows an attacker to consume IRCd resources. We have an "unknown flood" protection mechanism which was supposed to kick in and kill the user, but it didn't always do this in time.
The unknown connection flood issue has a CVSS score of 5.3 (Medium): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/RC:C

Finally, the IPv6 ban bug is an obvious mistake. Bans on nick, ident, hosts, IPv4 real IP's, IPv6 real IPs, vhosts, etc.. all work.. but bans on IPv6 cloaked hosts do not (+b *!*@XXXXXXX:YYYYYYY:ZZZZZZZ). If you ban a user with such a mask, they can still (re)join and speak. You can temporarily work around this bug by replacing the colons with question marks (+b *!*@XXXXXXX?YYYYYYY?ZZZZZZZ).

*Q&A*
*Have there been any reports of these bugs being abused by anyone?*
We have had no reports of the crash or flood bug being abused by anyone. However, we recommend everyone to upgrade somewhere in the next couple of days.

*Should I upgrade?*
Yes.

*Are there any workarounds so I don't have to upgrade?*
For the IPv6 ban bug on cloaked hosts there's a workaround, see /Issue details/ above. For the other bugs there is no workaround available.

*Can I upgrade without restarting the IRC server?*
No. Although a lot of UnrealIRCd is modularized, these bugs are located in the "core", which cannot be upgraded without a restart.

*How serious are these bugs?*
See the /Issue details/ above. These include CVSS scores.

*When were these issues reported?*
The IPv6 ban issue was reported yesterday. The crash issue was reported before but the cause of it was very hard to trace. It was finally traced and fixed today. The flood issue was found recently during our own tests. We decided to bundle it with the other two fixes.

*Updates to this advisory*
This release announcement/advisory can be found here <https://forums.unrealircd.org/viewtopic.php?f=1&t=8568>. Small corrections/updates will be posted there, if any.

What's new in UnrealIRCd 4
*A short overview of the most important changes:*

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.

The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2016-06-26 18:44:03
|
Hi everyone,

As you may have found out by now we have a new release policy where we try to push out a new 4.0.x release at least every 2 months, even if there are only minor changes. This makes sure that new installations benefit from recent fixes and enhancements. We always try to make clear what changed in each version so you can decide yourself if you find it worthwhile to upgrade an existing server or not.

This UnrealIRCd 4.0.4 release addresses a small GLINE/KLINE bug, two rare crashes and a few minor issues. See below.

*Changes between version 4.0.4 and 4.0.3*

New
* Italian /HELPOP translation (help.it.conf)
* Ability to turn off SSL-related connection info (set::options::no-connect-ssl-info)

Major issues fixed
* GLINE/KLINE on usermask@ did not have any effect
* Crash if you have a listen block with port 0
* Infinite loop if you have an invalid operclass::parent reference in your configuration file

Minor issues fixed
* files { } block only worked with absolute paths
* delayjoin: hidden users were not always joined on +vhoaq
* A small memory leak
* Duplicate replies on /VERSION
* When doing /VERSION on IRC as an IRCOp it showed the compile-time rather than runtime OpenSSL/LibreSSL version

*Other changes*
* Documentation updates
* Prevent installation in the same directory as the source

*What's new in UnrealIRCd 4*
*A short overview of the most important changes:*

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.

The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated *Download* As always, you can download UnrealIRCd from https://www.unrealircd.org/ All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9) Please report all bugs and feature suggestions at https://bugs.unrealircd.org/ -- Bram Matthys Software developer/IT con...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2016-05-03 17:09:22
*OpenSSL/LibreSSL security issues*

*Summary: if you have SSL enabled in UnrealIRCd then please upgrade your OpenSSL/LibreSSL libraries (*NIX) or download the new installer (Windows).*

Two high impact vulnerabilities were found in OpenSSL and LibreSSL.

*CVE-2016-2107* is described as follows: /A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI/. Note that to exploit this an attacker needs to be able to intercept & modify packets between the client and server. See the OpenSSL security advisory <https://www.openssl.org/news/secadv/20160503.txt> for technical details (note that CVE-2016-2107 is the 2nd issue in the advisory). When UnrealIRCd is compiled with SSL/TLS support it uses the OpenSSL/LibreSSL library and is therefore affected by this issue. This affects 50% of the UnrealIRCd installations out there.

Details on another vulnerability, *CVE-2016-2108*, were also published. That issue allows one to crash the server and may potentially allow remote code execution. However, the issue was already fixed a year ago in OpenSSL 1.0.2c. It was simply unknown to the OpenSSL folks at the time that the fix they made fixed a serious security issue. Again, see the OpenSSL security advisory <https://www.openssl.org/news/secadv/20160503.txt> for details. Specifically for UnrealIRCd it means that for this latter issue (CVE-2016-2108) Windows SSL versions of 3.2.10.5 and before are affected. The 3.2.10.6 Windows SSL version is not affected (it used OpenSSL 1.0.2e), but you probably still want to upgrade anyway because it's still vulnerable to the first issue (CVE-2016-2107).

*Linux/*BSD/OS X*

You are only _unaffected_ if you are using UnrealIRCd 3.2.x and you did not compile with SSL support. This question is asked during ./Config: /Do you want to support SSL (Secure Sockets Layer) connections?/ If you answered /No/ then you are unaffected. If you answered /Yes/ then you are affected. UnrealIRCd 4.0.x always uses SSL/TLS so is always affected.

UnrealIRCd itself does not ship with OpenSSL/LibreSSL. Please use your distro tools to upgrade your SSL libraries (yum, apt-get, etc.). After upgrading the libraries you will have to restart UnrealIRCd. The same is true for other daemons using OpenSSL/LibreSSL by the way: apache, exim, etc.

*Windows*

UnrealIRCd 4.0.x (all versions) and UnrealIRCd 3.2.x (SSL versions) ship with vulnerable OpenSSL/LibreSSL. The downloads have therefore been replaced:

* New versions of UnrealIRCd 4.0.3: The installer identifies itself as *4.0.3-SSL-sslfix*. Other than that UnrealIRCd is exactly the same and the IRCd reports as *4.0.3* on IRC.
* New versions of UnrealIRCd 3.2.10.6: The installer will identify itself as *3.2.10.6-sslfix*. Other than that UnrealIRCd is exactly the same and the IRCd reports as *3.2.10.6* on IRC.

Note that this means that a regular user on IRC cannot judge from the UnrealIRCd version number (shown on IRC) if a server is vulnerable or not. This is exactly the same as on *NIX. See also next.

*How to check which OpenSSL/LibreSSL version is in use*

_Important_: Checking the SSL library version on *NIX isn't really useful. The reported library version is often an older OpenSSL version while in fact the libraries have been upgraded and you are safe. So just upgrade your OpenSSL or LibreSSL package as per your distro's advice, restart the IRCd and assume the upgrade succeeded.

As an IRCOp you can issue the /VERSION command (or /QUOTE VERSION). This should output something like this:

    UnrealIRCd-4.0.3. irc.server.net FhinW6OoErM [Microsoft Windows 7 Service Pack 1 (build 7601)=4000]
    -irc.server.net- *LibreSSL 2.3.4*
    -irc.server.net- libcurl/7.48.0 LibreSSL/2.0.0 c-ares/1.11.0

The text marked in bold is what you should be looking for. Ignore any lines containing libcurl.

Fixed versions are: *OpenSSL 1.0.2h* and *LibreSSL 2.3.4*

Be sure to run this command as an IRC Operator, otherwise the SSL library version number is not shown. Are you sure you run as an IRC Operator and you see the UnrealIRCd version but not the OpenSSL/LibreSSL lines? Then SSL is not enabled on your server and you are unaffected (this is only possible on 3.2.x).

TIP: You can also use /VERSION remote.server.name to query remote servers. Again, you have to be an IRC Operator to get meaningful results.

*Final words*

A copy of this advisory is posted on the forums <https://forums.unrealircd.org/viewtopic.php?f=1&t=8530>.
As always, you can download UnrealIRCd from www.unrealircd.org <https://www.unrealircd.org/>.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
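The /VERSION check described in the advisory above, as an added example (not UnrealIRCd code and not part of the original message): it skips libcurl lines, extracts the SSL library line from an IRCOp /VERSION reply and compares it with the two fixed versions the advisory names. The function names, the "unknown" result for release branches the advisory does not list, and the second sample reply are assumptions made here; as the advisory says, the reported version is not a reliable signal on *NIX.

```python
import re

# Fixed releases named in the advisory above. Release branches it does not
# name are reported as "unknown" instead of being guessed (assumption).
FIXED = {"OpenSSL": "1.0.2h", "LibreSSL": "2.3.4"}

# "<library> <version>" with a space; libcurl's "LibreSSL/2.0.0" form is
# additionally excluded by skipping libcurl lines altogether.
LIB_LINE = re.compile(r"\b(OpenSSL|LibreSSL) (\d+\.\d+\.\d+[a-z]*)")


def split_version(version):
    """'1.0.2h' -> ((1, 0, 2), 'h'); '2.3.4' -> ((2, 3, 4), '')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if m is None:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(g) for g in m.groups()[:3]), m.group(4)


def classify(library, version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one library version."""
    nums, letters = split_version(version)
    fixed_nums, fixed_letters = split_version(FIXED[library])
    if library == "OpenSSL":
        # OpenSSL 1.0.x patch level is the letter suffix:
        # 1.0.2 < 1.0.2a < ... < 1.0.2z < 1.0.2za
        if nums != fixed_nums:
            return "unknown"
        ours = (len(letters), letters)
        theirs = (len(fixed_letters), fixed_letters)
        return "fixed" if ours >= theirs else "vulnerable"
    # LibreSSL: third number is the patch level within a major.minor branch.
    if nums[:2] != fixed_nums[:2]:
        return "unknown"
    return "fixed" if nums[2] >= fixed_nums[2] else "vulnerable"


def check_version_reply(lines):
    """Inspect the lines of a /VERSION reply obtained as an IRC Operator.

    Returns (library, version, status). status is 'no-ssl-line' when no
    OpenSSL/LibreSSL line is present, which per the advisory means either
    the command was not run as an IRCOp or SSL is not enabled (3.2.x only).
    """
    for line in lines:
        if "libcurl" in line:  # the advisory says to ignore these lines
            continue
        m = LIB_LINE.search(line)
        if m:
            library, version = m.groups()
            return library, version, classify(library, version)
    return None, None, "no-ssl-line"


# Reply quoted in the advisory (bold markers removed).
PAGE_REPLY = [
    "UnrealIRCd-4.0.3. irc.server.net FhinW6OoErM "
    "[Microsoft Windows 7 Service Pack 1 (build 7601)=4000]",
    "-irc.server.net- LibreSSL 2.3.4",
    "-irc.server.net- libcurl/7.48.0 LibreSSL/2.0.0 c-ares/1.11.0",
]

# Constructed reply for a server still linked against OpenSSL 1.0.2e;
# the exact layout of the OpenSSL line is an assumption.
CONSTRUCTED_REPLY = [
    "-irc.server.net- OpenSSL 1.0.2e",
    "-irc.server.net- libcurl/7.48.0 LibreSSL/2.0.0 c-ares/1.11.0",
]

if __name__ == "__main__":
    for reply in (PAGE_REPLY, CONSTRUCTED_REPLY):
        print(check_version_reply(reply))
```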
From: Bram M. <sy...@un...> - 2016-04-16 10:41:26
On UnrealIRCd 4.0.x an IRCOp could crash a server via the RPING command. This command has now been removed since it's rarely used anyway. Note that regular users cannot trigger this crash.

We classify this issue as *low impact* because IRC Operators usually have the power to kill many if not all users on a server. Many IRCOps can shut down or make the server unusable for users through other commands or means.

If you use UnrealIRCd 4.0.x and want to fix the RPING crash but don't want to upgrade to 4.0.3 yet then you can unload the module by editing conf/modules.default.conf. You should remove this line:

    loadmodule "m_rping";

Then, rehash the IRCd (no restart needed). If you now type '/RPING' or '/QUOTE RPING' on IRC you should see 'RPING Unknown command'.

There are more changes in this 4.0.3 release. On Windows we changed the build process and are now using LibreSSL. Two crash bugs related to invalid link blocks were fixed. For more details see below.

*Changes between version 4.0.2 and 4.0.3*

Major issues fixed
* Crash on RPING command (IRCOp-only!)
* Crash on Windows on failed outgoing server connect
* Crash if you had a link { } block with invalid syntax

Minor issues fixed
* Windows: remote includes did not support https
* Compile problem with LibreSSL

*Other*
* Windows version compiled with Visual Studio 2012 rather than a mix of 2012 and 2010
* Windows version now using LibreSSL
* Crash reporter produces more useful reports (very important for us)
* PCRE2 Regex engine upgraded to 10.21

*What's new in UnrealIRCd 4*

A short overview of the most important changes:

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol <https://www.unrealircd.org/docs/Server_protocol:Changes>. Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*

If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*

In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd on *NIX. On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.

The new directory structure is as follows (both on Windows and *NIX):

    conf/     contains all configuration files
    logs/     for log files
    modules/  all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*

There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*

If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*

You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*

With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
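A way to confirm the RPING workaround from the message above took effect in the configuration text, as an added example (not UnrealIRCd code and not part of the original message): it lists the loadmodule lines that are still active after #, // and /* */ comments are stripped, so a commented-out line is not mistaken for a loaded module. The function names and both sample configurations are constructed here; the check only looks at the text it is given, does not follow include directives, and a rehash is still needed as the message says.

```python
import re

LOADMODULE = re.compile(r'\bloadmodule\s+"([^"]+)"\s*;')


def strip_comments(conf):
    """Drop #, // and /* */ comments while leaving quoted strings intact."""
    out, i, n = [], 0, len(conf)
    while i < n:
        if conf[i] == '"':
            # Copy a quoted string verbatim so '#' or '//' inside it survive.
            j = i + 1
            while j < n and conf[j] != '"':
                j += 2 if conf[j] == "\\" else 1
            out.append(conf[i:j + 1])
            i = j + 1
        elif conf.startswith("/*", i):
            end = conf.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif conf[i] == "#" or conf.startswith("//", i):
            end = conf.find("\n", i)
            i = n if end == -1 else end
        else:
            out.append(conf[i])
            i += 1
    return "".join(out)


def loaded_modules(conf):
    """Names given to active (uncommented) loadmodule directives."""
    return LOADMODULE.findall(strip_comments(conf))


def module_is_loaded(conf, name="m_rping"):
    """True if an active loadmodule line refers to `name`.

    A directory prefix or file extension on the module name is ignored
    (assumption, to also catch path-style references).
    """
    for module in loaded_modules(conf):
        base = re.split(r"[\\/]", module)[-1]
        if base.rsplit(".", 1)[0] == name:
            return True
    return False


# Constructed sample: module still loaded.
SAMPLE_BEFORE = '''\
loadmodule "m_ping";
loadmodule "m_rping";
'''

# Constructed sample: every remaining mention of m_rping is inside a comment.
SAMPLE_AFTER = '''\
/* constructed sample, not the shipped modules.default.conf */
loadmodule "m_ping";
# loadmodule "m_rping";
// loadmodule "m_rping";
loadmodule "m_pong"; /* loadmodule "m_rping"; */
set { help-channel "#help"; }; // '#' inside the string is not a comment
'''

if __name__ == "__main__":
    print(module_is_loaded(SAMPLE_BEFORE), module_is_loaded(SAMPLE_AFTER))
```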
From: Bram M. <sy...@vu...> - 2016-03-14 12:42:43
UnrealIRCd 4.0.2 addresses a number of minor issues and comes with two small enhancements. *Changes between version 4.0.1 and 4.0.2 *Enhancements * Ability to hide quit messages from *LINEd users (set::hide-ban-reason) * Blacklist <https://www.unrealircd.org/docs/Blacklist_block> hits are now sent to new snomask +b rather than all ircops <https://www.unrealircd.org/docs/Cron_job> Major issues fixed * None Minor issues fixed * prefix-quit was not working * Incorrect server description in /LINKS * Logging to syslog was broken * FreeBSD: fix kevent bug flood in error log * OS X: Update ./Config to use Homebrew OpenSSL by default * Don't show UID to client in case of a SVSMODE *What's new in UnrealIRCd 4 *A short overview of the most important changes:* * * <https://www.unrealircd.org/docs/Modules>You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have. * Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible. * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. 
The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members. * New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging. * New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily. * Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc. * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers. * Better and more helpful error messages. Especially regarding the configuration file. * More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues. * Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast). * Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. 
Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter. * Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed. * Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them. * More secure. Even better secure defaults, more warnings about insecure behavior, .. * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>. For developers: * Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature. * Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted. * Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc... *Upgrading from 3.2.x**to UnrealIRCd 4* If you are upgrading from 3.2.x to 4.x then there are three important things to know: *1) New file locations* In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/. 
The new directory structure is as follows (both on Windows and *NIX): conf/ contains all configuration files logs/ for log files modules/ all modules (.so files on *NIX, .dll files on Windows) *2) Configuration file changes *There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion. *3) Third party modules* If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well. *Running a mixed 3.2.x / 4.x network* You can run a mixed 3.2.x <-> 4.x network if you a follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>. *End of the 3.2.x series* With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated *Full summary of changes* We did our best to "summarize" the 1100+ changesets in about 120 bullet points but it's still a long read. The changes are split in the sections: NEW, CHANGED, REMOVED and MODULE CODERS / DEVELOPERS. ==[ NEW ]== * We moved a lot of functionality, including most channel modes, user modes and all extended bans into 138 separate modules. This makes it... A) possible to fully customize what exact functionality you want to load. 
You could even strip down UnrealIRCd to get something close to the basic RFC1459 features from the 1990s. (No idea why you would want that, but it's possible) B) easier for coders to see all source code related to a specific feature C) possible to fix bugs and just reload rather than restart the IRCd. Have a look at modules.default.conf which contains the "default" set of modules that you can load if you just want to load all functionality. If you want to customize the list of modules to load then simply make a copy of that file, give it a different name, and include that one instead. Since the file is fully documented, you can just comment out or delete the loadmodule lines of things you don't want to load. * Oper permissions have changed completely: [A4+] * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..) * oper::flags has been removed. Instead you must specify an operclass in oper::operclass (for example, 'operclass netadmin'). * In operclass block(s) you define the privileges. You can now control exactly what an IRCOp can and cannot do. Have a look at operclass.default.conf which ships with UnrealIRCd, it contains a number of default operclass blocks suitable for the most common situations. See also the operclass block documentation: https://www.unrealircd.org/docs/Operclass_block * If you ask UnrealIRCd to convert your 3.2.x configuration file then it will try to select a suitable operclass for the oper. This will not always 100% match your current oper block rights, though. * Channel Mode +A (Admin Only) has been removed. You can use the new extended ban ~O:<operclass>. This allows you to, for example, create an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin* * set::hosts has been removed, use oper::vhost instead. * Since oper levels have been removed you no longer see things like "OperX is a Network Administrator" in /WHOIS by default. 
If you want that, then you can set oper::swhois to "is a Network Administrator" (or any other text). * Entirely rewritten I/O and event loop. This allows the IRCd to scale more easily to tens of thousands of clients by using kernel-evented I/O mechanisms such as epoll and kqueue. * Memory pooling has been added to improve memory allocation efficiency and performance. * On-connect DNSBL/RBL checking via the new blacklist block. [B1] * The Windows version now has IPv6 support too. [B3] * On all OS's we compile with IPv6 support enabled. You can still disable IPv6 at runtime by setting set::options::disable-ipv6. [B3] * The local nickname length can be modified without recompiling the IRCd * Channel Mode +d: This will hide joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Chanops will still see everyone joining normally as if there was no +d set. * If you connect with SSL/TLS with a client certificate then your SSL Fingerprint (SHA256 hash) can be seen by yourself and others through /WHOIS. The fingerprint is also shared with all servers on the network. * ExtBan ~S:<certificate fingerprint> for ban exceptions / invex. This can be used like +iI ~S:000000000etc. * bcrypt has been added as a password hashing algorithm and is now the preferred algorithm [A3] * './unreal mkpasswd' will now prompt you for the password to hash [A3] * Protection against SSL renegotiation attacks [A3] * When you link two servers the current timestamp is exchanged. If the time differs more than 60 seconds then servers won't link and it will show a message that you should fix your clock(s). This requires version alpha3 (or later) on both ends of the link [A3] * Configuration file converter that will upgrade your 3.2.x conf to 4.x. On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and after the config errors screen UnrealIRCd offers the conversion. 
[A3] * The IRCd can now better handle unknown channel modes which expect a parameter. This can be useful in a scenario where you are slowly upgrading all your servers. * If you want to unset a vhost but keep cloaked then use /MODE yournick -t * A "crash reporter" was added. When UnrealIRCd is started it will check if a previous UnrealIRCd instance crashed and (after booting a new instance) it will spit out a report and ask if you want to submit it to the UnrealIRCd developers. Doing so will help us a lot as many bugs are often not reported. Note that UnrealIRCd will always ask before sending any information and never do so automatically. [B3] * SSL: Support for ECDHE has been added to provide "forward secrecy". [B4] ==[ CHANGED ]== * Numerics have been removed. Instead we now use SIDs (Server ID's) and UIDs (User ID's). SIDs work very similar to server numerics and UIDs help us to fix a number of lag-related race conditions / bugs. * The module commands.so / commands.dll has been removed. All commands (those that are modular) are now in their own module. * Self-signed certificates are now generated using 4096 bits, a SHA256 hash and validity of 10 years. [A2] * Building with SSL (OpenSSL) is now mandatory [A2] * The link { } block has been restructured, see https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3] * Better yet, check out our secure server linking tutorial: https://www.unrealircd.org/docs/Tutorial:_Linking_servers * If you have no set::throttle block you now get a default of 3:60 [A3] * password entries in the conf no longer require specifying an auth-type like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3] * You will now see a warning when you link to a non-SSL server. [A3] * Previously we used POSIX Regular expressions in spamfilters and at some other places. We have now moved to PCRE Regular expressions. They look very similar, but PCRE is a lot faster. 
For backwards-compatibility we still compile with both regex engines. [A3] * Spamfilter command syntax has been changed, it now has an extra option to indicate the matching method: /SPAMFILTER [add|del|remove|+|-] [method] [type] .... Where 'method' can be one of: * -regex: this is the new fast PCRE2 regex engine * -simple: supports just strings and ? and * wildcards (super fast) * -posix: the old regex engine for compatibility with 3.2.x. [A3] * If you have both 3.2.x and 4.x servers on your network then the 4.x server will only send spamfilters of type 'posix' to the 3.2.x servers because 3.2.x servers don't support the other two types. So in a mixed network you probably want to keep using 'posix' for a while until all your servers are running UnrealIRCd 4. [A3] * set::oper-only-stats now defaults to "*" * oper::from::userhost and vhost::from::userhost are now called oper::mask and vhost::mask. The usermask@ part is now optional and it supports two syntaxes. For one entry you can use: mask 1.2.3.*; For multiple entries the syntax is: mask { 192.168.*; 10.*; }; * Because having both allow::ip and allow::hostname in the same allow block was highly confusing (it was an OR-match) you must now choose between either allow::ip OR allow::hostname. [A3] * cgiirc block is renamed to webirc and the syntax has changed [A4] * set::pingpong-warning is removed, warning always off now [A4] * More helpful configuration file parse error messages [A4] * You can use '/OPER username' without password if you use SSL certificate (fingerprint) authentication. The same is true for '/VHOST username'. [A4] * You must now always use 'make install' on *NIX [A4] * Changed (default) directory structure entirely, see the section titled 'CONFIGURATION CHANGES' about 100 lines up. [A4] * badword quit { } is removed, we use badword channel for it. [A4] * badwords.*.conf is now just one badwords.conf * To load all default modules you now include modules.default.conf. 
  This file was called modules.conf in earlier alpha's. The file has been split up in sections and a lot of comments have been added to aid the user in deciding whether to load or not to load each module. [A4]
* Snomask +s is now (always) IRCOp-only. [A4]
* Previously there was little logic behind what modes halfops could set. Now the idea is as follows: halfops should be able to help out in case of a flood but not be able to change any 'policy decision modes' such as +G, +S, +c, +s. Due to this change halfops can now set modes +beiklmntIMKNCR (was: +beikmntI). [A4]
* If no link::hub or link::leaf is specified then assume hub "*". [B1]
* SWHOIS (Special whois title) has been extended in a number of ways:
  * We now "track" who or what set an swhois. This allows us to remove the swhois received via oper/vhost on de-oper/de-vhost.
  * You can now have multiple swhois lines
  * Multiple oper::swhois and vhost::swhois items are supported. [B1]
* When trying to link two servers without link::outgoing::options::ssl (which is not recommended) we try to use STARTTLS in order to 'upgrade' the connection to use SSL/TLS anyway. This can be disabled via link::outgoing::options::insecure. [B2]
* SSLv3 has now been disabled for security. This also means you can only link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4]

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. [A1]
* PROTOCTL TOKEN and SJB64 are no longer implemented. [A1]
* Ziplinks have been removed. [A1]
* WebTV support. [A3]
* Channel Mode +j was removed and replaced by the configuration setting set::anti-flood::join-flood (default: 3 per 90 seconds). [B1]
* /CHATOPS: use /GLOBOPS instead which does the same
  /ADCHAT & /NACHAT: gone as we don't have such oper levels anymore
  Your opers should actually be in an #opers channel.
  If you also want special classes of oper channels like #admins then use +iI ~O:*admin*
* User modes:
  * +N (Network Administrator): see 'Oper permissions' under NEW as for why
  * +a (Services Administrator): same
  * +A (Server Administrator): same
  * +C (Co Administrator): same
  * +O (Local IRC Operator): same
  * +h (HelpOp): all this did was add a line "is available for help" in WHOIS. You can use a vhost block with vhost::swhois as a replacement or for opers just add an oper::swhois item.
  * +g (failops): we already have snomasks and the +o usermode for this
  * +v (receive infected DCC SEND rejection notices): moved to snomask +D

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added at https://www.unrealircd.org/docs/ describing things like how to write a module from scratch, the User & Channel Mode System, Commands, Command Overrides, Hooks, attaching custom-data to users/channels, and more. [A2+]
* For commands: do not read from parv[0] anymore, doing so will lead to a crash. Use sptr->name instead. This change is necessary as the "name" in parv[0] could possibly point to a UID/SID rather than a nick name. Thus, if you would send parv[0] to a non-UID or non-SID capable server this would lead to serious issues (not found errors).
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades) but disallows unloading of a module [A3]
* There have been *a lot* of source code cleanups (ALL)
* We now use the information from PROTOCTL CHANMODES= for parameter skipping if the channel mode is unknown. Also, when channel modes are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1]
* The server protocol docs have been removed. The protocol is now documented at https://www.unrealircd.org/docs/Server_protocol See also https://www.unrealircd.org/docs/Server_protocol:Changes for a list of changes between the 3.2 and 4.0 server protocol.
* GCC typechecking has been added to make sure your HookAdd...
  calls are adding hook functions with the correct parameter (types).

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@vu...> - 2016-01-15 17:34:33
It's time for an update to the UnrealIRCd 4 series. In UnrealIRCd 4.0.1 we fix two crash issues & more, see below. Thanks to everyone who provided feedback and suggestions!

*Changes between version 4.0.0 and 4.0.1*

Enhancements
* The blacklist module <https://www.unrealircd.org/docs/Blacklist_block> now supports %ip (=banned IP) in blacklist::reason.
* *NIX: You can use cron again, see https://www.unrealircd.org/docs/Cron_job
* /MODULE now lists only 3rd party modules by default so you don't get flooded.
* *NIX: Added './unrealircd reloadtls' to reload TLS certificate and keys.

Major issues fixed
* Possible crash on-link if a user was in the process of connecting during linking
* Crash if you removed a listen { } block with active clients on that port
* MODEs set by a server (not by a user) were not always propagated correctly across the network. In practice this only affected /SAMODE and possibly some services that don't send MODEs from ChanServ/BotServ.

Minor issues fixed
* When doing /LIST under mIRC it would hide empty +P channels.
* Servers wouldn't link if link::outgoing::hostname was a CNAME.
* SSL Certificate fingerprint not communicated properly to servers/services.
* *NIX: ./unrealircd [stop|rehash] failed if not installed to ~/unrealircd.
* Windows: IRCd could crash after showing the config error screen on startup.
* Possibly some interoperability issues with services.

*What's new in UnrealIRCd 4*
*A short overview of the most important changes:*
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:
* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files has been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4. The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will need an update to run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Full summary of changes*
We did our best to "summarize" the 1100+ changesets in about 120 bullet points but it's still a long read. The changes are split in the sections: NEW, CHANGED, REMOVED and MODULE CODERS / DEVELOPERS.

==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user modes and all extended bans into 138 separate modules. This makes it...
  A) possible to fully customize what exact functionality you want to load. You could even strip down UnrealIRCd to get something close to the basic RFC1459 features from the 1990s. (No idea why you would want that, but it's possible)
  B) easier for coders to see all source code related to a specific feature
  C) possible to fix bugs and just reload rather than restart the IRCd.
  Have a look at modules.default.conf which contains the "default" set of modules that you can load if you just want to load all functionality. If you want to customize the list of modules to load then simply make a copy of that file, give it a different name, and include that one instead. Since the file is fully documented, you can just comment out or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: [A4+]
  * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
  * oper::flags has been removed. Instead you must specify an operclass in oper::operclass (for example, 'operclass netadmin').
  * In operclass block(s) you define the privileges. You can now control exactly what an IRCOp can and cannot do. Have a look at operclass.default.conf which ships with UnrealIRCd, it contains a number of default operclass blocks suitable for the most common situations. See also the operclass block documentation: https://www.unrealircd.org/docs/Operclass_block
  * If you ask UnrealIRCd to convert your 3.2.x configuration file then it will try to select a suitable operclass for the oper.
    This will not always 100% match your current oper block rights, though.
  * Channel Mode +A (Admin Only) has been removed. You can use the new extended ban ~O:<operclass>. This allows you to, for example, create an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
  * set::hosts has been removed, use oper::vhost instead.
  * Since oper levels have been removed you no longer see things like "OperX is a Network Administrator" in /WHOIS by default. If you want that, then you can set oper::swhois to "is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale more easily to tens of thousands of clients by using kernel-evented I/O mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency and performance.
* On-connect DNSBL/RBL checking via the new blacklist block. [B1]
* The Windows version now has IPv6 support too. [B3]
* On all OS's we compile with IPv6 support enabled. You can still disable IPv6 at runtime by setting set::options::disable-ipv6. [B3]
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Chanops will still see everyone joining normally as if there was no +d set.
* If you connect with SSL/TLS with a client certificate then your SSL Fingerprint (SHA256 hash) can be seen by yourself and others through /WHOIS. The fingerprint is also shared with all servers on the network.
* ExtBan ~S:<certificate fingerprint> for ban exceptions / invex. This can be used like +iI ~S:000000000etc.
* bcrypt has been added as a password hashing algorithm and is now the preferred algorithm [A3]
* './unreal mkpasswd' will now prompt you for the password to hash [A3]
* Protection against SSL renegotiation attacks [A3]
* When you link two servers the current timestamp is exchanged.
  If the time differs more than 60 seconds then servers won't link and it will show a message that you should fix your clock(s). This requires version alpha3 (or later) on both ends of the link [A3]
* Configuration file converter that will upgrade your 3.2.x conf to 4.x. On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and after the config errors screen UnrealIRCd offers the conversion. [A3]
* The IRCd can now better handle unknown channel modes which expect a parameter. This can be useful in a scenario where you are slowly upgrading all your servers.
* If you want to unset a vhost but keep cloaked then use /MODE yournick -t
* A "crash reporter" was added. When UnrealIRCd is started it will check if a previous UnrealIRCd instance crashed and (after booting a new instance) it will spit out a report and ask if you want to submit it to the UnrealIRCd developers. Doing so will help us a lot as many bugs are often not reported. Note that UnrealIRCd will always ask before sending any information and never do so automatically. [B3]
* SSL: Support for ECDHE has been added to provide "forward secrecy". [B4]

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and UIDs (User ID's). SIDs work very similar to server numerics and UIDs help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256 hash and validity of 10 years.
  [A2]
* Building with SSL (OpenSSL) is now mandatory [A2]
* The link { } block has been restructured, see https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3]
* Better yet, check out our secure server linking tutorial: https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 [A3]
* password entries in the conf no longer require specifying an auth-type like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3]
* You will now see a warning when you link to a non-SSL server. [A3]
* Previously we used POSIX Regular expressions in spamfilters and at some other places. We have now moved to PCRE Regular expressions. They look very similar, but PCRE is a lot faster. For backwards-compatibility we still compile with both regex engines. [A3]
* Spamfilter command syntax has been changed, it now has an extra option to indicate the matching method:
  /SPAMFILTER [add|del|remove|+|-] [method] [type] ....
  Where 'method' can be one of:
  * -regex: this is the new fast PCRE2 regex engine
  * -simple: supports just strings and ? and * wildcards (super fast)
  * -posix: the old regex engine for compatibility with 3.2.x. [A3]
* If you have both 3.2.x and 4.x servers on your network then the 4.x server will only send spamfilters of type 'posix' to the 3.2.x servers because 3.2.x servers don't support the other two types. So in a mixed network you probably want to keep using 'posix' for a while until all your servers are running UnrealIRCd 4. [A3]
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called oper::mask and vhost::mask. The usermask@ part is now optional and it supports two syntaxes.
  For one entry you can use: mask 1.2.3.*;
  For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow block was highly confusing (it was an OR-match) you must now choose between either allow::ip OR allow::hostname. [A3]
* cgiirc block is renamed to webirc and the syntax has changed [A4]
* set::pingpong-warning is removed, warning always off now [A4]
* More helpful configuration file parse error messages [A4]
* You can use '/OPER username' without password if you use SSL certificate (fingerprint) authentication. The same is true for '/VHOST username'. [A4]
* You must now always use 'make install' on *NIX [A4]
* Changed (default) directory structure entirely, see the section titled 'CONFIGURATION CHANGES' about 100 lines up. [A4]
* badword quit { } is removed, we use badword channel for it. [A4]
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf. This file was called modules.conf in earlier alpha's. The file has been split up in sections and a lot of comments have been added to aid the user in deciding whether to load or not to load each module. [A4]
* Snomask +s is now (always) IRCOp-only. [A4]
* Previously there was little logic behind what modes halfops could set. Now the idea is as follows: halfops should be able to help out in case of a flood but not be able to change any 'policy decision modes' such as +G, +S, +c, +s. Due to this change halfops can now set modes +beiklmntIMKNCR (was: +beikmntI). [A4]
* If no link::hub or link::leaf is specified then assume hub "*". [B1]
* SWHOIS (Special whois title) has been extended in a number of ways:
  * We now "track" who or what set an swhois. This allows us to remove the swhois received via oper/vhost on de-oper/de-vhost.
  * You can now have multiple swhois lines
  * Multiple oper::swhois and vhost::swhois items are supported.
    [B1]
* When trying to link two servers without link::outgoing::options::ssl (which is not recommended) we try to use STARTTLS in order to 'upgrade' the connection to use SSL/TLS anyway. This can be disabled via link::outgoing::options::insecure. [B2]
* SSLv3 has now been disabled for security. This also means you can only link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4]

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. [A1]
* PROTOCTL TOKEN and SJB64 are no longer implemented. [A1]
* Ziplinks have been removed. [A1]
* WebTV support. [A3]
* Channel Mode +j was removed and replaced by the configuration setting set::anti-flood::join-flood (default: 3 per 90 seconds). [B1]
* /CHATOPS: use /GLOBOPS instead which does the same
  /ADCHAT & /NACHAT: gone as we don't have such oper levels anymore
  Your opers should actually be in an #opers channel. If you also want special classes of oper channels like #admins then use +iI ~O:*admin*
* User modes:
  * +N (Network Administrator): see 'Oper permissions' under NEW as for why
  * +a (Services Administrator): same
  * +A (Server Administrator): same
  * +C (Co Administrator): same
  * +O (Local IRC Operator): same
  * +h (HelpOp): all this did was add a line "is available for help" in WHOIS. You can use a vhost block with vhost::swhois as a replacement or for opers just add an oper::swhois item.
  * +g (failops): we already have snomasks and the +o usermode for this
  * +v (receive infected DCC SEND rejection notices): moved to snomask +D

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added at https://www.unrealircd.org/docs/ describing things like how to write a module from scratch, the User & Channel Mode System, Commands, Command Overrides, Hooks, attaching custom-data to users/channels, and more. [A2+]
* For commands: do not read from parv[0] anymore, doing so will lead to a crash. Use sptr->name instead.
  This change is necessary as the "name" in parv[0] could possibly point to a UID/SID rather than a nick name. Thus, if you would send parv[0] to a non-UID or non-SID capable server this would lead to serious issues (not found errors).
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades) but disallows unloading of a module [A3]
* There have been *a lot* of source code cleanups (ALL)
* We now use the information from PROTOCTL CHANMODES= for parameter skipping if the channel mode is unknown. Also, when channel modes are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1]
* The server protocol docs have been removed. The protocol is now documented at https://www.unrealircd.org/docs/Server_protocol See also https://www.unrealircd.org/docs/Server_protocol:Changes for a list of changes between the 3.2 and 4.0 server protocol.
* GCC typechecking has been added to make sure your HookAdd... calls are adding hook functions with the correct parameter (types).

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

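The spamfilter notes in the message above (the 'simple' method, and the rule that a 4.x server sends only 'posix' filters to 3.2.x servers) modelled as an added C example; it is not UnrealIRCd's own code. All identifiers and the sample filters are hypothetical, 'simple' is assumed to be a case-insensitive match of the whole text, and POSIX `<regex.h>` stands in for the 3.2.x engine.

```c
#include <ctype.h>
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* The three matching methods named in the release notes. */
enum sf_method { SF_REGEX, SF_SIMPLE, SF_POSIX };
struct spamfilter { enum sf_method method; const char *pattern; };

/* Constructed sample data, not taken from any real network. */
static const struct spamfilter SIMPLE_ONLY[] = {
    { SF_SIMPLE, "*come watch me on my webcam*" },
};
static const struct spamfilter WITH_POSIX[] = {
    { SF_SIMPLE, "*come watch me on my webcam*" },
    { SF_POSIX,  "come watch me on my webcam" },
};
static const char SPAM_LINE[] = "hi! Come WATCH me on my webcam at example.invalid";

/* 'simple' method: literal text plus '?' (exactly one character) and '*'
 * (any run, possibly empty). Assumptions of this sketch: case-insensitive,
 * and the pattern must cover the whole text. A single saved backtrack point
 * bounds the work at O(len(pat) * len(text)), with no regex-style blow-up. */
int simple_match(const char *pat, const char *text)
{
    const char *star = NULL;  /* pattern position just after the last '*' */
    const char *retry = NULL; /* text position where that '*' stopped */
    while (*text) {
        if (*pat == '*') {
            star = ++pat;
            retry = text;
        } else if (*pat == '?' || (*pat && tolower((unsigned char)*pat) ==
                                           tolower((unsigned char)*text))) {
            pat++;
            text++;
        } else if (star) {
            pat = star;       /* let the last '*' swallow one more character */
            text = ++retry;
        } else {
            return 0;
        }
    }
    while (*pat == '*')
        pat++;
    return *pat == '\0';
}

/* 'posix' method; <regex.h> stands in for the 3.2.x engine (assumption). */
static int posix_match(const char *pattern, const char *text)
{
    regex_t re;
    int hit;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return 0;             /* an invalid pattern never matches */
    hit = (regexec(&re, text, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Release-note rule: a 4.x server sends only 'posix' filters to 3.2.x peers. */
int reaches_server(const struct spamfilter *f, int server_is_32x)
{
    return !server_is_32x || f->method == SF_POSIX;
}

/* Is `text` caught on a server of the given generation? 'regex' (PCRE)
 * entries are skipped here because no PCRE library is linked. */
int caught_on(const struct spamfilter *list, size_t n, int server_is_32x,
              const char *text)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (!reaches_server(&list[i], server_is_32x))
            continue;
        if (list[i].method == SF_SIMPLE && simple_match(list[i].pattern, text))
            return 1;
        if (list[i].method == SF_POSIX && posix_match(list[i].pattern, text))
            return 1;
    }
    return 0;
}

/* Number of filters a 3.2.x peer never receives: the coverage gap to review. */
size_t legacy_gap(const struct spamfilter *list, size_t n)
{
    size_t i, gap = 0;
    for (i = 0; i < n; i++)
        gap += !reaches_server(&list[i], 1);
    return gap;
}

int main(void)
{
    printf("4.x, simple only:   %d\n", caught_on(SIMPLE_ONLY, 1, 0, SPAM_LINE));
    printf("3.2.x, simple only: %d\n", caught_on(SIMPLE_ONLY, 1, 1, SPAM_LINE));
    printf("3.2.x, posix added: %d\n", caught_on(WITH_POSIX, 2, 1, SPAM_LINE));
    printf("filters not sent to 3.2.x: %zu\n", legacy_gap(WITH_POSIX, 2));
    return 0;
}
```

A non-zero `legacy_gap` on a mixed network means the same line is blocked on 4.x servers and accepted on 3.2.x ones until a 'posix' equivalent of each filter exists.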
From: Bram M. <sy...@vu...> - 2015-12-24 18:32:40
UnrealIRCd 4 is here!

We have been working hard over the past few years to replace the successful but aging 3.2.x series with a more modern code base. At the same time we have implemented suggestions from our bug tracker, ideas from ourselves and many good suggestions that came up during the UnrealIRCd survey in Q4 2013.

After 4 alpha versions, 4 betas and 6 release candidates we are proud to finally present you the first stable release of UnrealIRCd 4.

Thanks to everyone who has supported us in our efforts in whatever way: through donations <https://www.unrealircd.org/index/donations>, bug reports <https://bugs.unrealircd.org/>, testing releases, translating docs, providing support, telling others about IRC (and UnrealIRCd in particular), or simply by running UnrealIRCd.

*What's new in UnrealIRCd 4*
*A short overview of the most important changes:*
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's.
  The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured.
  Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:
* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files has been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will need an update to run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we are deprecating the previous series. All support for the 3.2.x series will stop after December 31, 2016 (=12 months from now). See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Full summary of changes*
We did our best to "summarize" the 1100+ changesets in about 120 bullet points but it's still a long read. The changes are split in the sections: NEW, CHANGED, REMOVED and MODULE CODERS / DEVELOPERS.

==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user modes and all extended bans into 138 separate modules. This makes it...
  A) possible to fully customize what exact functionality you want to load.
You could even strip down UnrealIRCd to get something close to the basic RFC1459 features from the 1990s. (No idea why you would want that, but it's possible) B) easier for coders to see all source code related to a specific feature C) possible to fix bugs and just reload rather than restart the IRCd. Have a look at modules.default.conf which contains the "default" set of modules that you can load if you just want to load all functionality. If you want to customize the list of modules to load then simply make a copy of that file, give it a different name, and include that one instead. Since the file is fully documented, you can just comment out or delete the loadmodule lines of things you don't want to load. * Oper permissions have changed completely: [A4+] * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..) * oper::flags has been removed. Instead you must specify an operclass in oper::operclass (for example, 'operclass netadmin'). * In operclass block(s) you define the privileges. You can now control exactly what an IRCOp can and cannot do. Have a look at operclass.default.conf which ships with UnrealIRCd, it contains a number of default operclass blocks suitable for the most common situations. See also the operclass block documentation: https://www.unrealircd.org/docs/Operclass_block * If you ask UnrealIRCd to convert your 3.2.x configuration file then it will try to select a suitable operclass for the oper. This will not always 100% match your current oper block rights, though. * Channel Mode +A (Admin Only) has been removed. You can use the new extended ban ~O:<operclass>. This allows you to, for example, create an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin* * set::hosts has been removed, use oper::vhost instead. * Since oper levels have been removed you no longer see things like "OperX is a Network Administrator" in /WHOIS by default. 
If you want that, then you can set oper::swhois to "is a Network Administrator" (or any other text). * Entirely rewritten I/O and event loop. This allows the IRCd to scale more easily to tens of thousands of clients by using kernel-evented I/O mechanisms such as epoll and kqueue. * Memory pooling has been added to improve memory allocation efficiency and performance. * On-connect DNSBL/RBL checking via the new blacklist block. [B1] * The Windows version now has IPv6 support too. [B3] * On all OS's we compile with IPv6 support enabled. You can still disable IPv6 at runtime by setting set::options::disable-ipv6. [B3] * The local nickname length can be modified without recompiling the IRCd * Channel Mode +d: This will hide joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Chanops will still see everyone joining normally as if there was no +d set. * If you connect with SSL/TLS with a client certificate then your SSL Fingerprint (SHA256 hash) can be seen by yourself and others through /WHOIS. The fingerprint is also shared with all servers on the network. * ExtBan ~S:<certificate fingerprint> for ban exceptions / invex. This can be used like +iI ~S:000000000etc. * bcrypt has been added as a password hashing algorithm and is now the preferred algorithm [A3] * './unreal mkpasswd' will now prompt you for the password to hash [A3] * Protection against SSL renegotiation attacks [A3] * When you link two servers the current timestamp is exchanged. If the time differs more than 60 seconds then servers won't link and it will show a message that you should fix your clock(s). This requires version alpha3 (or later) on both ends of the link [A3] * Configuration file converter that will upgrade your 3.2.x conf to 4.x. On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and after the config errors screen UnrealIRCd offers the conversion. 
[A3] * The IRCd can now better handle unknown channel modes which expect a parameter. This can be useful in a scenario where you are slowly upgrading all your servers. * If you want to unset a vhost but keep cloaked then use /MODE yournick -t * A "crash reporter" was added. When UnrealIRCd is started it will check if a previous UnrealIRCd instance crashed and (after booting a new instance) it will spit out a report and ask if you want to submit it to the UnrealIRCd developers. Doing so will help us a lot as many bugs are often not reported. Note that UnrealIRCd will always ask before sending any information and never do so automatically. [B3] * SSL: Support for ECDHE has been added to provide "forward secrecy". [B4] ==[ CHANGED ]== * Numerics have been removed. Instead we now use SIDs (Server ID's) and UIDs (User ID's). SIDs work very similar to server numerics and UIDs help us to fix a number of lag-related race conditions / bugs. * The module commands.so / commands.dll has been removed. All commands (those that are modular) are now in their own module. * Self-signed certificates are now generated using 4096 bits, a SHA256 hash and validity of 10 years. [A2] * Building with SSL (OpenSSL) is now mandatory [A2] * The link { } block has been restructured, see https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3] * Better yet, check out our secure server linking tutorial: https://www.unrealircd.org/docs/Tutorial:_Linking_servers * If you have no set::throttle block you now get a default of 3:60 [A3] * password entries in the conf no longer require specifying an auth-type like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3] * You will now see a warning when you link to a non-SSL server. [A3] * Previously we used POSIX Regular expressions in spamfilters and at some other places. We have now moved to PCRE Regular expressions. They look very similar, but PCRE is a lot faster. 
For backwards-compatibility we still compile with both regex engines. [A3] * Spamfilter command syntax has been changed, it now has an extra option to indicate the matching method: /SPAMFILTER [add|del|remove|+|-] [method] [type] .... Where 'method' can be one of: * -regex: this is the new fast PCRE2 regex engine * -simple: supports just strings and ? and * wildcards (super fast) * -posix: the old regex engine for compatibility with 3.2.x. [A3] * If you have both 3.2.x and 4.x servers on your network then the 4.x server will only send spamfilters of type 'posix' to the 3.2.x servers because 3.2.x servers don't support the other two types. So in a mixed network you probably want to keep using 'posix' for a while until all your servers are running UnrealIRCd 4. [A3] * set::oper-only-stats now defaults to "*" * oper::from::userhost and vhost::from::userhost are now called oper::mask and vhost::mask. The usermask@ part is now optional and it supports two syntaxes. For one entry you can use: mask 1.2.3.*; For multiple entries the syntax is: mask { 192.168.*; 10.*; }; * Because having both allow::ip and allow::hostname in the same allow block was highly confusing (it was an OR-match) you must now choose between either allow::ip OR allow::hostname. [A3] * cgiirc block is renamed to webirc and the syntax has changed [A4] * set::pingpong-warning is removed, warning always off now [A4] * More helpful configuration file parse error messages [A4] * You can use '/OPER username' without password if you use SSL certificate (fingerprint) authentication. The same is true for '/VHOST username'. [A4] * You must now always use 'make install' on *NIX [A4] * Changed (default) directory structure entirely, see the section titled 'CONFIGURATION CHANGES' about 100 lines up. [A4] * badword quit { } is removed, we use badword channel for it. [A4] * badwords.*.conf is now just one badwords.conf * To load all default modules you now include modules.default.conf. 
This file was called modules.conf in earlier alpha's. The file has been split up in sections and a lot of comments have been added to aid the user in deciding whether to load or not to load each module. [A4] * Snomask +s is now (always) IRCOp-only. [A4] * Previously there was little logic behind what modes halfops could set. Now the idea is as follows: halfops should be able to help out in case of a flood but not be able to change any 'policy decission modes' such as +G, +S, +c, +s. Due to this change halfops can now set modes +beiklmntIMKNCR (was: +beikmntI). [A4] * If no link::hub or link::leaf is specified then assume hub "*". [B1] * SWHOIS (Special whois title) has been extended in a number of ways: * We now "track" who or what set an swhois. This allows us to remove the swhois received via oper/vhost on de-oper/de-vhost. * You can now have multiple swhois lines * Multiple oper::swhois and vhost::swhois items are supported. [B1] * When trying to link two servers without link::outgoing::options::ssl (which is not recommended) we try to use STARTTLS in order to 'upgrade' the connection to use SSL/TLS anyway. This can be disabled via link::outgoing::options::insecure. [B2] * SSLv3 has now been disabled for security. This also means you can only link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4] ==[ REMOVED / DROPPED ]== * Numeric server IDs, see above. [A1] * PROTOCTL TOKEN and SJB64 are no longer implemented. [A1] * Ziplinks have been removed. [A1] * WebTV support. [A3] * Channel Mode +j was removed and replaced by the configuration setting set::anti-flood::join-flood (default: 3 per 90 seconds). [B1] * /CHATOPS: use /GLOBOPS instead which does the same /ADCHAT & /NACHAT: gone as we don't have such oper levels anymore Your opers should actually be in an #opers channel. 
If you also want special classes of oper channels like #admins then use +iI ~O:*admin* * User modes: * +N (Network Administrator): see 'Oper permissions' under NEW as for why * +a (Services Administrator): same * +A (Server Administrator: same * +C (Co Administrator): same * +O (Local IRC Operator): same * +h (HelpOp): all this did was add a line "is available for help" in WHOIS. You can use a vhost block with vhost::swhois as a replacement or for opers just add an oper::swhois item. * +g (failops): we already have snomasks and the +o usermode for this * +v (receive infected DCC SEND rejection notices): moved to snomask +D ==[ MODULE CODERS / DEVELOPERS ]== * A lot of technical documentation for module coders has been added at https://www.unrealircd.org/docs/ describing things like how to write a module from scratch, the User & Channel Mode System, Commands, Command Overrides, Hooks, attaching custom-data to users/channels, and more. [A2+] * For commands: do not read from parv[0] anymore, doing so will lead to a crash. Use sptr->name instead. This change is necessary as the "name" in parv[0] could possibly point to a UID/SID rather than a nick name. Thus, if you would send parv[0] to a non-UID or non-SID capable server this would lead to serious issues (not found errors). * Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades) but disallows unloading of a module [A3] * There have been *a lot* of source code cleanups (ALL) * We now use the information from PROTOCTL CHANMODES= for parameter skipping if the channel mode is unknown. Also, when channel modes are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1] * The server protocol docs have been removed. The protocol is now documented at https://www.unrealircd.org/docs/Server_protocol See also https://www.unrealircd.org/docs/Server_protocol:Changes for a list of changes between the 3.2 and 4.0 server protocol. * GCC typechecking has been added to make sure your HookAdd... 
calls are adding hook functions with the correct parameter (types). *Download* As always, you can download UnrealIRCd from https://www.unrealircd.org/ All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9) Please report all bugs and feature suggestions at https://bugs.unrealircd.org/ -- Bram Matthys Software developer/IT con...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2015-12-16 12:56:05
|
The sixth - and possibly last - release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>.

*Notable fixes between 4.0.0-rc5 and 4.0.0-rc6*
* User could get an empty hostname
* Some small memory leaks
* CAP REQ did not work with multiple arguments

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8439>.

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2015-12-11 10:54:00
|
*UnrealIRCd 3.2.10.6 released*
This release comes with the following changes:
* Build Windows version with latest OpenSSL to fix possibly user-triggerable crash issue (CVE-2015-3194 <https://www.openssl.org/news/secadv/20151203.txt>)
* Don't show vcredist dialog if installed (Windows installer)
* Add notes regarding deprecation of 3.2.x series

It is recommended that all Windows SSL users upgrade. For other users there's no need to upgrade UnrealIRCd but we recommend 3.2.10.6 for new installations.

*UnrealIRCd 3.2.x phase-out*
With the upcoming release of UnrealIRCd 4 later this month we are deprecating the UnrealIRCd 3.2.x series. The 3.2.x series will receive security fixes *for 12 months*, but after December 31, 2016 there will be no more fixes. Users are suggested to upgrade to UnrealIRCd 4 in the course of 2016. For more information see our policy on the wiki <https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can safely ignore this warning.

As always, please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8436>.

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2015-12-09 19:52:12
|
The fifth release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>.

*Notable fixes between 4.0.0-rc4 and 4.0.0-rc5*
* Windows: crash on connect reported by 1 user
* Added workaround for rare "Cannot accept connections" flood
* OperOverride did not work (INVITE+JOIN)
* LIST didn't show more than 64 channels
* JOIN error message not shown if IRCOp
* SAJOIN ignored set::level-on-join

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8435>.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2015-11-25 19:08:50
|
The fourth release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>.

Notable fixes between 4.0.0-rc3 and 4.0.0-rc4:
* Crash on linking attempt
* Crash on boot if mode +f was present in set::modes-on-join
* Channels with channel mode +P were not always synched correctly

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can safely ignore this warning.

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8430>.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2015-11-08 10:08:12
|
The third release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>.

Notable fixes between 4.0.0-rc2 and 4.0.0-rc3:
* Crash in invite notify
* Strange behavior and possible crash in /WHOIS
* Empty host bug
* set::allowed-nickchars 'latin1' was broken
* Files in the tld { } block were read from the wrong location (tld::motd, ..)
* 'quarantine' didn't work in link::options
* /MAP was hiding ulines and showing flat-map even for IRCOps

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>. UnrealIRCd 3.2.x users may be interested in Upgrading from 3.2.x <https://www.unrealircd.org/docs/Upgrading_from_3.2.x> and the Running a mixed UnrealIRCd 3.2 and UnrealIRCd 4 network <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network> article.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can safely ignore this warning. Google has been repeatedly blacklisting some of our downloads and unfortunately does not seem to be responding to removal or even information requests (any help with this would be appreciated).

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8427>.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2015-10-26 14:23:07
|
The second release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>. Thanks everyone who is helping out by testing and reporting bugs. Much appreciated!

Notable fixes between 4.0.0-rc1 and 4.0.0-rc2:
* Crash in invite notify
* OS X and *BSD: Serious I/O engine problems with kqueue
* IPv6 compile problem (rare)
* Channel mode +P not working if set::modes-on-join is set
* /NOTICE $* did not work
* Problem if you use remote includes and add a new listen { } block at runtime

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>. UnrealIRCd 3.2.x users may also be interested in Upgrading from 3.2.x <https://www.unrealircd.org/docs/Upgrading_from_3.2.x> and the new Running a mixed UnrealIRCd 3.2 and UnrealIRCd 4 network <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network> article.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can safely ignore this warning. Google has been repeatedly blacklisting some of our downloads and unfortunately does not seem to be responding to removal or even information requests (any help with this would be appreciated).

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8423>.

Regards,
Bram.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2015-10-12 18:08:10
|
Hi everyone,

The first release candidate for UnrealIRCd 4 is now available for download. This -rc1 release fixes a number of crash and linking issues. We're aiming for an UnrealIRCd 4.0.0 stable release before the end of the year (2015).

*Why UnrealIRCd _4_?*
When the development version was still in alpha/beta stage it was called 3.4.x. It has been renamed to UnrealIRCd 4 to indicate the significant changes to the codebase and changes to end-users. See also What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Release Candidate*
We run daily tests against UnrealIRCd 4 without any issues and each release it's getting more stable. However because this version is a "Release Candidate" this means that it may still crash occasionally or have other issues. It's not yet of "release quality".

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can safely ignore this warning. Google has been repeatedly blacklisting some of our downloads and unfortunately does not seem to be responding to removal or even information requests (any help with this would be appreciated).

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8407>.

Regards,
Bram.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2015-09-07 12:32:17
|
More 3.4.x beta releases. We're happy to see more and more people testing our beta's!

*3.4-beta3* was released 3 weeks ago but was snowed under by the SASL security announcement <https://forums.unrealircd.org/viewtopic.php?f=1&t=8401>.

Major new features:
* Always build with IPv6 support enabled. More important: IPv6 support is now available on Windows too (finally!)
* Added a "crash reporter" which asks you to report a crash issue if UnrealIRCd crashed for some reason. Don't worry, it will always _ask_ and not do so automatically. Crash reports are not public and can only be seen by UnrealIRCd developers. We already fixed 3 major crash bugs thanks to this, so it really helps!

Today I'm releasing *3.4-beta4*, which fixes a number of major bugs and adds a few security enhancements. Several of these bugs were introduced by the changes in beta3.

Major bugs fixed:
* Crash on outgoing server link attempt.
* Crash on boot with bind/listen errors.
* GLINE/KLINE/.. were refusing perfectly OK bans.
* Possible freeze when SSL client is connecting.
* Remote includes were broken.
* Compile problems on OpenBSD.

Enhancements:
* SSLv3 is now disabled for security <http://disablessl3.com/>. Pretty much all clients support TLS so this shouldn't be a problem.
* Support for ECDHE has been added to provide forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>

Important notes:
* If you are linking a 3.2.x with a 3.4.x server, with SSL enabled, then you need at least version 3.2.10.3 on the 3.2.x side. Earlier versions used an incorrect OpenSSL API call and therefore supported SSLv3 only. Yeah, silly, we know. We fixed it in May 2014 but some people may still be using old versions.
* If upgrading from previous beta's then you'll have to run './unrealircd upgrade-conf' or change your listen blocks manually. This is because we changed the listen block syntax <https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Listen_block> to get rid of the strange [] brackets in IPv6 listen blocks.

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8405>.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2015-08-16 13:18:37
|
UNREALIRCD SECURITY ADVISORY
=============================

Summary:
If SASL support is enabled in UnrealIRCd (this is not the default) and is also enabled in your services package then a malicious user with a services account can cause UnrealIRCd to crash.
Most people have not enabled SASL, and those who do can easily fix this potential crash issue without a server restart. See below.

Index:
* Who is affected
* Solutions
* Workaround
* Patch / hotfix
* New versions
* Bug details
* Timeline
* References

==[ WHO IS AFFECTED ]==
For a user to be able to crash UnrealIRCd *ALL* of the following conditions must be true:
1) Must be running UnrealIRCd version 3.2.10 or higher (including 3.2.10.4). The 3.4.x series are also affected (including 3.4-beta2).
2) In your configuration file (unrealircd.conf or included files) you have configured a SASL server via set::sasl-server
3) You are using a services package (such as anope) and the server is linked
4) SASL support is enabled in your services
5) The malicious user has (or can register) an account at services (usually via NickServ).

If one of the points above is not true for your installation then a remote user cannot crash your server via this bug. In particular, if you are not using SASL then no patch or upgrade is needed and you can stop reading here.

If you are unsure if you have enabled SASL then search for sasl-server in your configuration files. If this word is not found then SASL is disabled. This will actually be the case for the majority of installations. When SASL is enabled in the configuration file it will look like this:

    set {
        sasl-server "services.something.net";
    };

==[ SOLUTIONS ]==
For UnrealIRCd 3.2.10.x we present 3 possible solutions in case you are affected by this bug:
1) A workaround (NO restart needed)
2) A patch (NO restart needed) (*NIX only)
3) A new UnrealIRCd version (for new installations)

For the UnrealIRCd 3.4 beta series we suggest you upgrade to 3.4-beta3.

==[ WORKAROUND ]==
If you remove the sasl-server directive from your configuration file and rehash the IRCd then SASL support will be disabled. This is an easy workaround but for most people who have SASL enabled this won't be an acceptable solution.

==[ PATCH / HOTFIX ]==
If you are on *NIX then it's possible to fix the crash issue by patching the source, recompiling UnrealIRCd, and then rehashing the server. This will fix your IRC server without requiring a server restart.

Execute the following commands on the shell from your UnrealIRCd directory, for example from /home/irc/Unreal3.2.10.4:

    wget http://www.unrealircd.org/downloads/sasl.patch
    patch -p0 <sasl.patch
    make && make install

After doing the above you must rehash the IRCd. Either online as an IRCOp by using the /REHASH command, or via ./unreal rehash on the command line.

==[ NEW VERSIONS ]==
New versions of UnrealIRCd are available which include a fix for this issue. They are 3.2.10.5 (stable) and 3.4-beta3 (development version). The new versions are meant for Windows users and new installations. For *NIX users with existing installations we suggest to use the patch or workaround instead because doing so incurs no downtime.

==[ BUG DETAILS ]==
Type of bug: Crash due to NULL pointer dereference
CVSS v2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVSS Base Score: 6.8
CVSS Temporal Score: 5.6

==[ TIMELINE ]==
Times are in UTC+2
2015-08-13 00:20 Bug reported privately to UnrealIRCd team
2015-08-13 07:55 First response
2015-08-13 16:05 Bug confirmed by developer
2015-08-15 16:15 Patched
2015-08-16 09:00 Source and binary releases ready
2015-08-16 15:05 Security advisory sent out

==[ REFERENCES ]==
This advisory (and updates to it, if any) is available from: https://www.unrealircd.org/txt/unrealsecadvisory.20150816.txt
Forum thread: https://forums.unrealircd.org/viewtopic.php?t=8401

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
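The check described under WHO IS AFFECTED (search unrealircd.conf and its included files for sasl-server), as an added shell example that is not part of the advisory or of UnrealIRCd. It assumes the #, // and /* */ comment styles and local include "file"; directives; the function names, sample files and hostnames are constructed for illustration.

```shell
#!/bin/sh
# strip_conf_comments FILE: print FILE without #, // and /* */ comments.
# Quoted strings are copied untouched, so "https://..." is not cut at //.
strip_conf_comments() {
    awk '
    {
        out = ""; n = length($0); i = 1
        while (i <= n) {
            c = substr($0, i, 1); two = substr($0, i, 2)
            if (in_block) {
                if (two == "*/") { in_block = 0; i += 2 } else i++
            } else if (in_str) {
                out = out c
                if (c == "\\" && i < n) { out = out substr($0, i + 1, 1); i++ }
                else if (c == "\"") in_str = 0
                i++
            } else if (two == "/*") { in_block = 1; i += 2 }
            else if (two == "//" || c == "#") break
            else { if (c == "\"") in_str = 1; out = out c; i++ }
        }
        in_str = 0   # assumption: a quoted string never spans lines
        print out
    }' "$1"
}

# active_sasl_server CONF [DEPTH]: print the value of every uncommented
# sasl-server directive in CONF and in the local files it includes.
# The body runs in a subshell, so its variables stay local per call.
active_sasl_server() (
    conf=$1
    depth=${2:-0}
    [ -r "$conf" ] || exit 0
    [ "$depth" -lt 8 ] || exit 0          # guard against include loops
    dir=$(dirname "$conf")
    stripped=$(strip_conf_comments "$conf")
    printf '%s\n' "$stripped" |
        sed -n 's/.*sasl-server[[:space:]]\{1,\}"\{0,1\}\([^";[:space:]]*\)"\{0,1\}[[:space:]]*;.*/\1/p'
    printf '%s\n' "$stripped" |
        sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' |
        while IFS= read -r inc; do
            case $inc in
                *://*) continue ;;        # remote include: not fetched here
                /*)    active_sasl_server "$inc" $((depth + 1)) ;;
                *)     active_sasl_server "$dir/$inc" $((depth + 1)) ;;
            esac
        done
)

# sasl_enabled CONF: exit status 0 if any active sasl-server directive exists.
sasl_enabled() {
    [ -n "$(active_sasl_server "$1")" ]
}

# make_sample_conf DIR: write a constructed configuration for the demo.
make_sample_conf() {
    cat > "$1/unrealircd.conf" <<'EOF'
/* old test setup
set { sasl-server "old.example.net"; };
*/
# set { sasl-server "disabled.example.net"; };
include "extra.conf"; // local include, followed by the scanner
include "https://conf.example.net/remote.conf";
EOF
    cat > "$1/extra.conf" <<'EOF'
set {
    sasl-server "services.example.net";
};
EOF
}

tmp=$(mktemp -d)
make_sample_conf "$tmp"
if sasl_enabled "$tmp/unrealircd.conf"; then
    echo "SASL enabled via: $(active_sasl_server "$tmp/unrealircd.conf")"
else
    echo "no active sasl-server directive: SASL disabled"
fi
rm -rf "$tmp"
```

A plain text search would also match the two commented-out directives in the sample; only the one in the included file is active. Remote includes are skipped and have to be checked separately.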
From: Bram M. <sy...@vu...> - 2015-07-23 14:29:48
|
After more than 2 years of development I'm happy to announce that UnrealIRCd 3.4.x is now in BETA. This ends the 3.4 /alpha/ stage. Most of the features we have planned for UnrealIRCd 3.4.x are now done and we are shifting our focus towards getting a stable IRCd. This also means we are on schedule to deliver an UnrealIRCd 3.4 stable release by Q4 this year.

Let me take this opportunity to introduce UnrealIRCd 3.4 to everyone who hasn't been tracking it since the early alpha versions:
* You decide what to load. We have moved as much functionality as possible to 150+ individually loadable modules (commands, user modes, channel modes, extbans, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki. Documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation by community members.
* New directory structure. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows more easy packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. SSL client certificate fingerprints are visible in /WHOIS, a certfp extban (~S:certificatefingerprint) has been added, better defaults, etc.
* DNS Blacklist support (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 3.4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in src/modules/third and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..

For developers:
* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

Since this is such an early beta, we do not recommend running it on a production network yet.

Release notes are available here. <https://www.unrealircd.org/txt/unreal3_4_beta2_release_notes.txt>
Be sure to read the release notes if you are trying out UnrealIRCd 3.4 and are currently on 3.2. It contains important information on the new location of files, configuration format, and how to automatically convert your unrealircd.conf to 3.4.x format.

As always, you can download UnrealIRCd from https://www.unrealircd.org/

Just a small note to people who verify PGP signatures of releases: please note that we use a new PGP release key as previously announced on July 2nd on this mailing list. The new PGP key has short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9. All releases on the site are (re-) signed with this key, including 3.2.10.4 (just the signature, the 3.2.10.4 files themselves are unchanged, of course).

Have fun!
Bram.

PS: I actually sent in the announcement on 3.4-beta1 a week ago, however due to Sourceforge infrastructure problems outside my control it was never actually sent out. Today I released 3.4-beta2, so this is the first announcement on a 3.4 beta.

--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2015-07-02 14:26:30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

Just a quick message to all people who use PGP to verify the authenticity of UnrealIRCd software downloads:

I've created a new rel...@un... signing key. The key has id 0x108FF4A9 and is a 4096 bit RSA key. The previous releases key (rel...@un...) was a 1024 bit DSA key. Also note the move from .com to .org in the new key.

I have signed the new key (0x108FF4A9) both with sy...@vu... / sy...@un... (0x7FE199A6) and also with the old release key (0x9FF03937).

3.4-alpha4 is still signed with the old key. The new key will be used for the releases after that, so 3.4-alpha5 / 3.4-beta1, any next 3.2.x release, etc. etc.

Regards,

Bram.

- --
Bram Matthys
Software developer/IT consultant
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlWVShcACgkQbmdtRX/hmabsmwD6AuNYSfS7jxfD+xEK9zJwT29l
3BO1ddaWkmtmvcRpHEMBAIMCDW6Zzzty4huPTSUxtp0eq8RqwP1bCyukDEhvSkzR
=5aFE
-----END PGP SIGNATURE-----

From: Bram M. <sy...@vu...> - 2015-07-02 14:18:19
Hi all,

A few days ago we released 3.4-alpha4. This will be (almost?) the last alpha release for UnrealIRCd 3.4.x. After that we will move to beta.

The oper privilege system received a complete makeover in this release, allowing you to grant/restrict oper privileges in a very fine manner. More work is on the way but it looks nice already.

More things (user modes, all extended bans, ..) have been moved to modules. Have a look at the new improved modules.default.conf to see what modules you can enable/disable. There are 150 modules now! (Note: if you upgrade from 3.4-alpha3 to 3.4-alpha4 then be sure to use 'modules.default.conf' and not alpha3's old 'modules.conf')

Another major change is the new directory structure. On *NIX you no longer put your configuration files (and other files) in your just-compiled-Unreal3.4 directory. Instead UnrealIRCd installs to /home/yourusername/unrealircd by default. This allows for a clear 'source' and 'installed' directory separation. On all OS's we then enforce the following directory structure:

  conf/ for configuration files
  logs/ for log files
  etc. etc.

Similarly, on *NIX you now have to start UnrealIRCd from the installed directory via the 'unrealircd' script:

  cd /home/yourusername/unrealircd
  ./unrealircd start

(NOTE: the script is called 'unrealircd' now, previously it was 'unreal')

Finally, the UnrealIRCd 3.4.x documentation is now online at:
https://www.unrealircd.org/docs/UnrealIRCd_3.4.x_documentation
https://www.unrealircd.org/docs/FAQ
As you can see we use a wiki now for all (3.4.x) documentation. The wiki is available for translation as well. At this point about half of the pages are open for translation, but more is on the way:
https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages
The old unreal32docs.*html files have been removed from 3.4.x.

Full release notes below:

Unreal3.4-alpha4 Release Notes
===============================

This is the fourth 'alpha' version of UnrealIRCd 3.4. We plan to move to 'beta' stage in a month to have a stable 3.4.x release later in 2015.

IMPORTANT REMARKS as long as UnrealIRCd 3.4.x is in alpha stage:
* Because this is an alpha version it is far more likely to crash or hang.
* Security issues are handled as regular issues (no security advisories!)
* Linking with 3.2.x servers is supported but highly untested.
* Things are likely to change between alpha versions. Including but not limited to: configuration, command syntax, location of files, etc.

Therefore:
* You should never run 3.4-alpha4 as a production server
* You should not link 3.4-alpha4 with a production 3.2.x network

Please do:
* Install 3.4-alpha4 to play around, show to your friends, have fun with the latest features and improvements, test things.
* Report any problems, bugs, issues and other feedback on https://bugs.unrealircd.org/ so we can improve 3.4.x!

Finally:
* If you are moving from 3.2.x then be sure to read 'CONFIGURATION CHANGES' which explains the new directory structure and how to make UnrealIRCd convert your existing 3.2.x configuration file to the 3.4.x format.

==[ DOCUMENTATION ]==
UnrealIRCd 3.4.x documentation is now located in a wiki online at:
* https://www.unrealircd.org/docs/
The old unreal32docs.*html files have been removed.

==[ CONFIGURATION CHANGES ]==
Starting with 3.4-alpha4 we use a new directory structure.

*NIX: If you are not on Windows then this means you must now choose a target directory to install UnrealIRCd to. ./Config will ask this and it's ~/unrealircd by default (eg: /home/nerd/unrealircd). You also need to run 'make install' after 'make' now. After compiling, you should leave your Unreal3.4-alphaX directory and change to ~/unrealircd as everything takes place there. For example to start UnrealIRCd you run './unrealircd start' (again, from the /home/xxxx/unrealircd directory).

The new directory structure is as follows (both on Windows and *NIX):

  conf/     contains all configuration files
  logs/     for log files
  modules/  all modules (.so files on *NIX, .dll files on Windows)
  tmp/      temporary files
  data/     persistent data such as ircd.tune
  cache/    cached remote includes

It is possible to use your existing 3.2.x configuration file, but it needs to be 'upgraded' to the new 3.4.x syntax. UnrealIRCd can do this for you. Simply place your unrealircd.conf (and any other .conf's you use) in the conf/ directory and then:
* On *NIX run './unrealircd upgrade-conf' (from /home/xxxx/unrealircd)
* On Windows simply try to boot and watch all the errors, click OK and you will be asked if UnrealIRCd should upgrade your configuration file.

On either OS, after running the step from above, simply start UnrealIRCd again and it should boot up fine with your converted configuration file(s).

Note: UnrealIRCd can only convert *working* 3.2.x configuration files! If your 3.2.x configuration contains mistakes or errors then the upgrade process will likely fail or the resulting config file will fail to load.

You may still be interested in the configuration changes, they are listed on:
https://www.unrealircd.org/docs/Upgrading_from_3.2.x

==[ GENERAL INFORMATION ]==
* Below you will see a summary of all changes. Changes may be tagged when a change was made in a specific version, e.g. "(A3)" means 3.4-alpha3. For a complete list of changes (600+) use 'git log' or have a look at https://github.com/unrealircd/unrealircd/commits/unreal34

==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user modes and all extended bans into 145 separate modules. This makes it...
  A) possible to fully customize what exact functionality you want to load. You could even strip down UnrealIRCd to get something close to the basic RFC1459 features from the 1990s. (No idea why you would want that, but it's possible)
  B) easier for coders to see all source code related to a specific feature
  C) possible to fix bugs and just reload rather than restart the IRCd.
  Have a look at modules.default.conf which contains the "default" set of modules that you can load if you just want to load all functionality. If you want to customize the list of modules to load then simply make a copy of that file, give it a different name, and include that one instead. Since the file is fully documented, you can just comment out or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: (A4)
  * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
  * oper::flags has been removed. Instead you must specify an operclass in oper::operclass (for example, 'operclass netadmin').
  * In operclass block(s) you define the privileges. You can now control exactly what an IRCOp can and cannot do. (This process is on-going) Have a look at operclass.default.conf which ships with UnrealIRCd, it contains a number of default operclass blocks suitable for the most common situations. See also the operclass block documentation: https://www.unrealircd.org/docs/Operclass_block
  * If you ask UnrealIRCd to convert your 3.2.x configuration file then it will try to select a suitable operclass for the oper. This will not always 100% match your current oper block rights, though.
  * Channel Mode +A (Admin Only) has been removed. You can use the new extended ban ~O:<operclass>. This allows you to, for example, create an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
  * set::hosts has been removed, use oper::vhost instead.
  * Since oper levels have been removed you no longer see things like "OperX is a Network Administrator" in /WHOIS by default. If you want that, then you can set oper::swhois to "is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale more easily to tens of thousands of clients by using kernel-evented I/O mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency and performance.
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Chanops will still see everyone joining normally as if there was no +d set.
* If you connect with SSL/TLS then your SSL Fingerprint (SHA256 hash) can be seen by yourself and others through /WHOIS. The fingerprint is also shared (broadcasted) with all servers on the network. In alpha3 we will add more features that will use SSL fingerprints. (A2)
* bcrypt has been added as a password hashing algorithm and is now the preferred algorithm (A3)
* './unreal mkpasswd' will now prompt you for the password to hash (A3)
* Protection against SSL renegotiation attacks (A3)
* When you link two servers the current timestamp is exchanged. If the time differs more than 60 seconds then servers won't link and it will show a message that you should fix your clock(s). This requires version 3.4-alpha3 (or later) on both ends of the link (A3)
* Configuration file converter that will upgrade your 3.2.x conf to 3.4.x. On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and after the config errors screen UnrealIRCd offers the conversion. (A3)

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and UIDs (User ID's). SIDs work very similar to server numerics and UIDs help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256 hash and validity of 10 years. (A2)
* Building with SSL (OpenSSL) is now mandatory (A2)
* The link { } block has been restructured, see https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block (A3)
* Better yet, check out our secure server linking tutorial: https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 (A3)
* password entries in the conf no longer require specifying an auth-type like password "..." { md5; };. UnrealIRCd will now auto-detect. (A3)
* You will now see a warning when you link to a non-SSL server. (A3)
* Previously we used POSIX Regular expressions in spamfilters and at some other places. We have now moved to PCRE Regular expressions. They look very similar, but PCRE is a lot faster. For backwards-compatibility we still compile with both regex engines. (A3)
* Spamfilter command syntax has been changed, it now has an extra option to indicate the matching method: /SPAMFILTER [add|del|remove|+|-] [method] [type] .... Where 'method' can be one of:
  * -regex: this is the new fast PCRE2 regex engine
  * -simple: supports just strings and ? and * wildcards (super fast)
  * -posix: the old regex engine for compatibility with 3.2.x. (A3)
* If you have both 3.2.x and 3.4.x servers on your network then the 3.4.x server will only send spamfilters of type 'posix' to the 3.2.x servers because 3.2.x servers don't support the other two types. So in a mixed network you probably want to keep using 'posix' for a while until all your UnrealIRCd servers are on 3.4.x. (A3)
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called oper::mask and vhost::mask. The usermask@ part is now optional and it supports two syntaxes.
  For one entry you can use:
    mask 1.2.3.*;
  For multiple entries the syntax is:
    mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow block was highly confusing (it was an OR-match) you must now choose between either allow::ip OR allow::hostname. (A3)
* cgiirc block is renamed to webirc and the syntax has changed (A4)
* set::pingpong-warning is removed, warning always off now (A4)
* More helpful configuration file parse error messages (A4)
* You can use '/OPER username' without password if you use SSL certificate (fingerprint) authentication. The same is true for '/VHOST username'. (A4)
* You must now always use 'make install' on *NIX (A4)
* Changed (default) directory structure entirely, see the section titled 'CONFIGURATION CHANGES' about 100 lines up. (A4)
* badword quit { } is removed, we use badword channel for it. (A4)
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf. This file was called modules.conf in earlier alpha's. The file has been split up in sections and a lot of comments have been added to aid the user in deciding whether to load or not to load each module. (A4)
* Snomask +s is now (always) IRCOp-only. (A4)
* There's now actually an idea behind HalfOp permissions. The idea is that halfops should be able to help out in case of a flood but not be able to
* Previously there was little logic behind what modes halfops could set. Now the idea is as follows: halfops should be able to help out in case of a flood but not be able to change any 'policy decision modes' such as +G, +S, +c, +s. Due to this change halfops can now set modes +beiklmntIMKNCR (was: +beikmntI).

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added at https://www.unrealircd.org/docs/ describing things like how to write a module from scratch, the User & Channel Mode System, Commands, Command Overrides, Hooks, attaching custom-data to users/channels, and more. (A2+)
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades) but disallows unloading of a module (A3)
* There have been *a lot* of source code cleanups (ALL)

==[ MAJOR BUGS FIXED ]==
* Crash bug on-boot in alpha1 (A2)
* IRCOp commands such as /GLINE were not always working (A2)
* link::outgoing::options::autoconnect did not work (A4)
* This is still an alpha release, so likely contains major issues
* If the IRCd could not bind to any ports it started anyway (A4)
* alpha3 did not compile on x86 (32 bit) systems (A4)

==[ MINOR BUGS FIXED ]==
* Errors in example configuration files (A2)
* Some fixes in delayjoin (Channel mode +d) (A2)
* Deal with services who allow you to log in by account name (A3)
* Detect "IRCd not running" situations better (A4)
* './unrealircd restart' will now always try to start UnrealIRCd, so also if it wasn't running previously. (A4)

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. (A1)
* PROTOCTL TOKEN and SJB64 are no longer implemented. (A1)
* Ziplinks have been removed. (A1)
* WebTV support. (A3)
* User mode +h (helpop). This user mode only added a line in /WHOIS saying the user "is available for help". You can use a vhost block with a vhost::swhois as a replacement. Or oper::swhois. (A4)

Have fun with the development release!

Bram

--
Bram Matthys
Software developer/IT consultant
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@vu...> - 2015-06-11 16:31:33
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SECURITY ADVISORY
==================

The OpenSSL project team sent out a security advisory today regarding several security issues that were found in the OpenSSL library. The OpenSSL library is used by UnrealIRCd when you compiled with SSL support.

Most of the reported bugs result in a server crash or hang: the attacker sends some bad data and the IRC daemon will crash or hang. One other issue is a possible 'SSL downgrade' attack called "Logjam" which could make SSL/TLS connections easier to crack (decrypt), but only if the attacker has access to the network path between the client and the server. The OpenSSL development team says there is NO risk for remote code execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries. All Windows SSL binaries until today were using a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1 (Windows)
* Unreal3.4-alpha2 (Windows)
* Unreal3.4-alpha3 (Windows)
* Older Windows SSL versions are (very) likely affected as well

Unaffected:
* If you downloaded the non-SSL version for Windows
* Unreal3.2.10.4-SSL-fix2 (version shown by installer)
* Unreal3.4-alpha3-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install).
~ This is often not needed, but is sometimes necessary.
~ If you do this, then also recompile any 3rd party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not a regular user!!), type '/VERSION' or '/QUOTE VERSION'. If you have OpenSSL support compiled in you will see this:
- -server.test.net- OpenSSL 1.0.2b 11 Jun 2015
Version 1.0.2b means you're good. If you see 1.0.0 with a version lower than 1.0.1s, or 1.0.1 with a version lower than 1.0.1n, or 1.0.2 with a version lower than 1.0.2b, then you are possibly vulnerable, see next version.
If you see no such line at all, and again.. you are sure you are IRCOp, then it means the server does not have SSL support (no OpenSSL in use). You're safe.

TIP: You can also check remote servers, again only if you are IRCOp,
~ by '/VERSION remote.server.name' or '/QUOTE VERSION remote.server'

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from https://www.unrealircd.org/
The installers have a filename like 'Unreal3.2.10.4-SSL-fix2.exe' and 'Unreal3.4-alpha3-fix.exe'
After installation, you see no change in UnrealIRCd version number. This is because no code in UnrealIRCd was actually changed. You can, however, verify the OpenSSL version, see previous block 'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the block '*NIX USERS' about 40 lines up.
Did you already follow these instructions and you still see an old version in use? Even after you restarted UnrealIRCd? On several Linux distro's this is pretty common as vendors routinely backport security fixes without bumping the version number. So if you are on Linux, then after you followed the 4 steps mentioned in '*NIX USERS' then you more or less have to trust your vendor (and yourself).

NOTE: At the time this security advisory was sent, the OpenSSL security advisory has only been out for an hour or so, so your distro may not have a new OpenSSL version available yet!

==[ ADDITIONAL NOTES ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and the OpenSSL version is vulnerable. Then if at least one port is reachable for the attacker it can be attacked. It doesn't matter if this is an SSL or non-SSL port and whether you have restrictive allow { } blocks or not. In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-06-11 14:45 OpenSSL security announcement
2015-06-11 15:33 Downloads replaced
2015-06-11 16:05 Security announcement

==[ LINKS ]==
This advisory (and updates to it, if any) is posted to:
https://www.unrealircd.org/txt/unrealsecadvisory.20150611.txt
The OpenSSL security advisory can be found on:
https://www.openssl.org/news/secadv_20150611.txt

- --
Bram Matthys
Software developer/IT consultant
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlV5sjwACgkQbmdtRX/hmaYKWAD/UzyHHNQ0YOTy/HoTgnGi15R7
4njo1AIGdsy4BCNYObQA/izj0Bw8z80XNUOmZMjY+x+Qs99GXbzEgbRLlobQ7RVW
=SAfX
-----END PGP SIGNATURE-----
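
The version check described under 'HOW TO CHECK IF YOU ARE VULNERABLE' in the advisory above, written out as an added example (not part of the original message and not UnrealIRCd code). The function names and the result labels are assumptions made for illustration; the per-branch minimums are copied as the advisory states them, and the reply lines in the demo are constructed.

```python
import re

# Minimum release per OpenSSL branch, copied as written in the advisory text.
# The 1.0.0 entry reads "1.0.1s" there, so every 1.0.0x build is flagged.
MINIMUM_BY_BRANCH = {"1.0.0": "1.0.1s", "1.0.1": "1.0.1n", "1.0.2": "1.0.2b"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+[a-z]*)")


def version_key(version):
    """Sortable key for letter-suffixed OpenSSL versions ('1.0.1' < '1.0.1a' < '1.0.1n')."""
    match = VERSION_RE.fullmatch(version)
    if match is None:
        raise ValueError("not an OpenSSL x.y.z[letters] version: %r" % version)
    major, minor, fix, letters = match.groups()
    # Suffix length first, so a bare release sorts before 'a' and 'z' before 'za'.
    return (int(major), int(minor), int(fix), len(letters), letters)


def classify_version_reply(lines):
    """Classify the lines an IRCOp receives in reply to /VERSION.

    Returns (label, version). Labels (hypothetical names):
      'no-openssl-line'     no OpenSSL banner seen in the reply
      'ok'                  at or above the minimum for its branch
      'possibly-vulnerable' below the minimum for its branch
      'branch-not-listed'   a branch the advisory text does not mention
    """
    for line in lines:
        banner = BANNER_RE.search(line)
        if banner is None:
            continue
        version = banner.group(1)
        branch = ".".join(str(n) for n in version_key(version)[:3])
        minimum = MINIMUM_BY_BRANCH.get(branch)
        if minimum is None:
            return ("branch-not-listed", version)
        if version_key(version) < version_key(minimum):
            return ("possibly-vulnerable", version)
        return ("ok", version)
    return ("no-openssl-line", None)


if __name__ == "__main__":
    # Constructed sample replies; the first uses the banner quoted in the advisory.
    samples = [
        ["-server.test.net- OpenSSL 1.0.2b 11 Jun 2015"],
        ["-hub.example.net- OpenSSL 1.0.1e-fips 11 Feb 2013"],
        ["-leaf.example.net- some other notice line"],
    ]
    for reply in samples:
        print(classify_version_reply(reply), reply[0])
```

As the advisory notes, distributions often backport fixes without changing the version string, so a 'possibly-vulnerable' result on a patched Linux host still needs confirming against the vendor's package changelog.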