unreal-notify Mailing List for UnrealIRCd (Page 6)
From: Bram M. <sy...@un...> - 2016-12-31 09:56:36
|
Hi everyone,
UnrealIRCd 4.0.10-rc1 is now available for download. This is a release
candidate for 4.0.10. If you have some spare time to test this release it
would be welcomed. This helps us get a 4.0.10 stable out.
Nine modules have been added to UnrealIRCd. One of them brings support for
websockets.
*Changes between version 4.0.9 and 4.0.10-rc1*
Improvements
* Added "websocket" module. This provides support for WebSocket (RFC6455),
allowing JavaScript (internet browsers) to connect directly to IRC without
the need of a 'gateway'. This module is experimental and not loaded by
default. See https://www.unrealircd.org/docs/WebSocket_support for more
information. This module was sponsored by Aberrant Software Inc.
* UnrealIRCd already has the ability to configure global SSL settings via
the set::ssl block. Now you can also override these settings for a link
block and listen block. One possible use for this would be having a
long-lived self-signed certificate for server linking on a serversonly
port, and a short-lived certificate for your users on the other ports
(such as a certificate from Let's Encrypt). Another example would be to
force TLSv1.2 for server linking but not for users.
Documentation: global settings are in set::ssl
<https://www.unrealircd.org/docs/Set_block#set::ssl::certificate>,
port-specific settings go in listen::ssl-options
<https://www.unrealircd.org/docs/Listen_block> and server link specific
settings go in link::outgoing::ssl-options
<https://www.unrealircd.org/docs/Link_block>.
* You can now exempt IP's from (DNSBL) blacklist checking via: /except
blacklist { mask 1.2.3.4; };/
* All free modules from vulnscan.org are now included in UnrealIRCd itself.
The first two modules are loaded by default (privdeaf and jumpserver). The
other ones you have to load explicitly by adding /loadmodule
"modulename";/ to your unrealircd.conf.
o usermodes/privdeaf - Do not permit PM's from others (User Mode +D)
o jumpserver - Redirect users to another server during maintenance
(/JUMPSERVER command
<https://www.unrealircd.org/docs/User_%26_Oper_commands#JUMPSERVER>)
o extbans/textban <https://www.unrealircd.org/docs/Extended_Bans> -
Channel specific word filtering (+b ~T:censor:*badword* and +b
~T:block:*blockthis*)
o antirandom <https://www.unrealircd.org/docs/Set_block#set::antirandom>
- Detect drones with random nicks / ident / etc.
o m_ircops - Show which ircops are online (/IRCOPS command)
o m_staff - Show custom file (/STAFF command)
o nocodes - If this module is loaded it makes chanmode +S/+c also
strip/block bold and underline codes
o hideserver - Hide servers in /MAP and /LINKS (note that this does not
truly enhance security)
Major issues fixed
* Compile fixes for Ubuntu 16 LTS / gcc 5.4.x
* Crash if you had an invalid crypt password in your unrealircd.conf
* Crash if you did not load the chanmodes/nocolor module or changed the
order in which modules were loaded
Minor issues fixed
* Delayjoin (channel mode +D) sending QUITs for hidden users & similar bugs
* WHO now supports multi-prefix
* You no longer need to place all your /class/ blocks before your /allow/ blocks
* Date in Windows log file for the first few messages was always 1970.
*For services and module coders*
* Services coders: "SVSMODE Nick +d" will now mark a client as deaf. Don't
confuse this with "SVSMODE Nick +d <svid>". The parameter makes all the
difference. Use "SVSMODE Nick +d 0" to reset/empty the stored services id.
* Module coders: changed return value handling of HOOKTYPE_RAWPACKET_IN: -1
now indicates don't parse and stop reading from the socket (return) and 0
indicates don't parse but proceed to next packet (if any). If you kill a
client in this hook then be sure to return -1.
*Other*
* We've always printed big warnings when running UnrealIRCd as root. In this
version we still do, but in future versions we will simply refuse to boot.
https://www.unrealircd.org/docs/Do_not_run_as_root
*What's new in UnrealIRCd 4*
*A short overview of the most important changes:*
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much
functionality as possible to 150+ individually loadable modules (commands
<https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.
*End of the 3.2.x series*
UnrealIRCd 3.2.x is End Of Life since December 2015. All support for it will
stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
|
From: Bram M. <sy...@un...> - 2016-12-11 08:25:29
|
(You can unsubscribe here
<https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of
the page)
If you are still running UnrealIRCd 3.2.x then this is a friendly reminder to
upgrade to UnrealIRCd 4 before the end of the year.
As announced a year ago, all support for UnrealIRCd 3.2.x will stop after
December 31, 2016. This also means no more security updates.
UnrealIRCd 4 is in use by many networks and has proven to be stable and
reliable. Many third party modules have been converted as well.
Upgrading from 3.2.x to 4.x should be relatively easy. Your configuration file
can be updated to the new format automatically. For more information see the
section /Upgrading from 3.2.x to UnrealIRCd 4/ below.
*What's new in UnrealIRCd 4*
*A short overview of the most important changes:*
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have
moved as much functionality as possible to 150+ individually loadable
modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>,
user modes <https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
enhancements in UnrealIRCd 4 it was simply impossible to make 3.2.x modules
work out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
When UnrealIRCd 4.0.0 was released a year ago, on December 24 2015, we also
announced the end of the 3.2.x series. All support - including security
updates - for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2016-12-03 11:51:01
|
(You can unsubscribe here
<https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of
the page)
Hi everyone,
An issue was discovered in the UnrealIRCd 4.0.x series which allows you to
create a "ghost" user. This requires a minimum of two linked UnrealIRCd 4.0.x
servers.
A "ghost" is a user which does not really exist. As with most ghost user bugs
in the IRC protocol it will cause some confusion/annoyances to users but does
not lead to any privilege escalation. In this case, however, it can also
result in UnrealIRCd failing to free resources for the user. The result is a
memory leak of 400 to 4000 bytes per user. The memory is only freed after
UnrealIRCd is terminated or restarted.
When the bug is abused it is quite noticeable as for each successful attempt
IRCOps would see a KILL message. To put things in perspective: about 25,000
connects are required to consume 100 MB of memory. Ultimately, an attacker may
cause UnrealIRCd to consume so much memory that the IRCd will terminate.
We have released UnrealIRCd 4.0.9 which addresses this issue. There is also a
"hot fix" available so you can patch your server _without requiring an
UnrealIRCd restart_. See below.
We recommend you to apply the "hot fix" or upgrade somewhere this weekend.
It's better to do a peaceful planned upgrade now than having to rush an
upgrade later while people are abusing this bug.
*Affected versions*
All UnrealIRCd 4.0.x versions before 4.0.9
*How to get the fix/patch?*
Windows users should download and install UnrealIRCd 4.0.9.
Linux/BSD/.. users can also install 4.0.9 *OR* you can choose to patch
UnrealIRCd on-the-fly _without a restart_. Since the patch is usually the
easiest and most user friendly solution, we recommend it. Run the following on
the IRC shell:
    wget http://www.unrealircd.org/patch/ghostpatcher && sh ghostpatcher
*Q&A*
*Have there been any reports of these bugs being abused by anyone?*
Not yet.
*Should I upgrade?*
The attack is very detectable, but we do recommend an upgrade/hot-fix. It's
better to do a peaceful planned upgrade than having to rush an upgrade later
while people are abusing this bug.
*Are there any workarounds so I don't have to upgrade?*
On *NIX, use the hot fix / patch so you don't need to restart UnrealIRCd.
*Can I upgrade without restarting the IRC server?*
On Windows no, but on Linux/BSD/.. yes you can. Run the following on the shell:
    wget http://www.unrealircd.org/patch/ghostpatcher && sh ghostpatcher
*I don't like the patch script. How can I fix this by hand?*
Open src/modules/m_nick.c in an editor. Around line 478 change:
    (void)strlcpy(sptr->name, nick, NICKLEN);
To:
    (void)strlcpy(sptr->name, nick, NICKLEN+1);
Then save, recompile and rehash your UnrealIRCd.
This is exactly the same as the patch script would do.
*How serious is this bug?*
The bug leads to resource consumption and some user confusion. For a full
explanation see the beginning of this announcement. Then, make your own
decision.
*When were these issues reported?*
This issue was reported less than 24 hours before the fix release.
*Updates to this advisory*
This release announcement/advisory can be found here
<https://forums.unrealircd.org/viewtopic.php?f=1&t=8625>. Small
corrections/updates will be posted there, if any.
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: 2ABD 57FA 7783 5ADD C5EC 8ED7 DE93 B8B4 7E74 5EB3
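The hand fix in the advisory above changes only the size argument passed to strlcpy. The following is an added example, not UnrealIRCd code and not part of the original message: it shows what that argument does to a nick of maximum length. The NICKLEN value of 30, the client struct with a NICKLEN+1 byte name buffer, and the helper names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NICKLEN 30            /* assumed maximum nick length (illustrative) */

/* Hypothetical client record: room for NICKLEN characters plus the NUL. */
struct client {
    char name[NICKLEN + 1];
};

/* strlcpy with BSD semantics, under a demo name so it builds everywhere:
 * copies at most size-1 bytes, NUL-terminates, returns strlen(src). */
static size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);

    if (size > 0) {
        size_t n = (srclen < size - 1) ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Build a constructed nick of nick_len 'a' characters (nick_len <= NICKLEN). */
static void make_nick(char *buf, size_t nick_len)
{
    memset(buf, 'a', nick_len);
    buf[nick_len] = '\0';
}

/* Copy a nick of nick_len characters into a client record using size_arg
 * as the strlcpy size; return how many characters were actually stored. */
size_t stored_len(size_t nick_len, size_t size_arg)
{
    char nick[NICKLEN + 1];
    struct client c;

    make_nick(nick, nick_len);
    demo_strlcpy(c.name, nick, size_arg);
    return strlen(c.name);
}

/* Return 1 if the stored name still equals the nick that was passed in. */
int name_matches_nick(size_t nick_len, size_t size_arg)
{
    char nick[NICKLEN + 1];
    struct client c;

    make_nick(nick, nick_len);
    demo_strlcpy(c.name, nick, size_arg);
    return strcmp(c.name, nick) == 0;
}

/* The check a caller can make instead of discarding the result with (void):
 * strlcpy truncated the copy if and only if its return value >= size. */
int was_truncated(size_t nick_len, size_t size_arg)
{
    char nick[NICKLEN + 1];
    struct client c;

    make_nick(nick, nick_len);
    return demo_strlcpy(c.name, nick, size_arg) >= size_arg;
}

int main(void)
{
    size_t lens[]  = { NICKLEN - 1, NICKLEN };
    size_t sizes[] = { NICKLEN, NICKLEN + 1 };

    printf("%-10s %-10s %-10s %-8s %s\n",
           "nick_len", "size_arg", "stored", "matches", "truncated");
    for (size_t i = 0; i < 2; i++) {
        for (size_t j = 0; j < 2; j++) {
            printf("%-10zu %-10zu %-10zu %-8d %d\n",
                   lens[i], sizes[j],
                   stored_len(lens[i], sizes[j]),
                   name_matches_nick(lens[i], sizes[j]),
                   was_truncated(lens[i], sizes[j]));
        }
    }
    return 0;
}
```

Only the maximum-length nick is affected: shorter nicks are stored whole with either size argument, which is why an off-by-one like this can go unnoticed in normal use.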
|
From: Bram M. <sy...@un...> - 2016-11-18 15:23:04
|
(You can unsubscribe here
<https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of
the page)
Hi everyone,
There have been a number of point releases since 4.0.8. Current version
*4.0.8.4* should address all *NIX compile problems that 4.0.8 introduced on a
number of OS's/distro's. The Windows version is still at *4.0.8* since there
have been no Windows changes.
If you already successfully built UnrealIRCd 4.0.8 then there is no reason to
upgrade to 4.0.8.4 as it contains build fixes only.
We are now using Travis CI and another autobuild to make sure that
commits/releases are automatically tested on a number of operating systems
with various different settings. This should reduce the chance of build
problems significantly.
*Changes between version 4.0.7 and 4.0.8*
Improvements
* *NIX: As part of defense-in-depth UnrealIRCd now compiles with several
hardening options by default. This makes several types of exploits more
difficult and in some cases even impossible. Tech: this enables full RELRO
(GOT and PLT being read-only), everything compiled as PIE making ASLR
possible, stack protector canaries are added, etc.
* Windows: releases are now signed. If you download the UnrealIRCd installer
the publisher will now show as "Open Source Developer, Bram Matthys" rather
than "Unknown publisher". Similarly all the EXE and DLL files have been
signed which should make it easy for anti virus software to see if something
is an official UnrealIRCd release file or not.
Major issues fixed
* Possible crash if you have several blacklist blocks
Minor issues fixed
* User mode +d (deaf) did not work
*Other changes*
* We've always printed big warnings when running UnrealIRCd as root. In this
version we still do, but in future versions we will simply refuse to boot.
https://www.unrealircd.org/docs/Do_not_run_as_root
* System c-ares is preferred over our own shipped c-ares
* System cURL is preferred over ~/curl (if it has AsynchDNS)
* Our shipped libraries are no longer built as static
* Now that shipped libraries are dynamic they need to be installed somewhere
(if used). The default location is ~/unrealircd/lib and can be changed via
--with-privatelibdir. (Although, if you are a package builder then you will
probably use --with-system-xxx and then private libraries are not used at
all)
*What's new in UnrealIRCd 4*
*A short overview of the most important changes:*
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have
moved as much functionality as possible to 150+ individually loadable
modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>,
user modes <https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2016-11-11 10:04:08
|
Hi everyone,
UnrealIRCd 4.0.8 is out. On *NIX this version brings security enhancements. On
Windows releases are now signed. It also fixes one major and one minor issue.
*Changes between version 4.0.7 and 4.0.8*
Improvements
* *NIX: As part of defense-in-depth UnrealIRCd now compiles with several
hardening options by default. This makes several types of exploits more
difficult and in some cases even impossible. Tech: this enables full RELRO
(GOT and PLT being read-only), everything compiled as PIE making ASLR
possible, stack protector canaries are added, etc.
* Windows: releases are now signed. If you download the UnrealIRCd installer
the publisher will now show as "Open Source Developer, Bram Matthys"
rather than "Unknown publisher". Similarly all the EXE and DLL files have
been signed which should make it easy for anti virus software to see if
something is an official UnrealIRCd release file or not.
Major issues fixed
* Possible crash if you have several blacklist blocks
Minor issues fixed
* User mode +d (deaf) did not work
*Other changes*
* We've always printed big warnings when running UnrealIRCd as root. In this
version we still do, but in future versions we will simply refuse to boot.
https://www.unrealircd.org/docs/Do_not_run_as_root
* System c-ares is preferred over our own shipped c-ares
* System cURL is preferred over ~/curl (if it has AsynchDNS)
* Our shipped libraries are no longer built as static
* Now that shipped libraries are dynamic they need to be installed somewhere
(if used). The default location is ~/unrealircd/lib and can be changed via
--with-privatelibdir. (Although, if you are a package builder then you
will probably use --with-system-xxx and then private libraries are not
used at all)
*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We
have moved as much
functionality as possible to 150+ individually loadable modules (commands
<https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files has
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
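
One way to confirm that a locally built binary carries the hardening the 4.0.8 announcement above lists (full RELRO, PIE, stack protector canaries), as an added example that is not part of the original message or of UnrealIRCd's own tooling. The function names are hypothetical and the readelf excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not UnrealIRCd code): classify the hardening of an ELF binary
# from readelf output. All function names here are hypothetical.

# hardening_report reads the combined text of
#   readelf -W -h -l -d -s <binary>
# on stdin and prints: relro=<none|partial|full> pie=<yes|no> canary=<yes|no>
hardening_report() {
    out=$(cat)

    # RELRO: a GNU_RELRO segment alone is "partial" (the PLT's GOT entries stay
    # writable for lazy binding). Together with BIND_NOW it is "full".
    relro=none
    if printf '%s\n' "$out" | grep -q 'GNU_RELRO'; then
        relro=partial
        if printf '%s\n' "$out" |
           grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
            relro=full
        fi
    fi

    # PIE: ELF type DYN plus an INTERP segment means a position-independent
    # executable. Type EXEC is linked at a fixed address, so ASLR cannot move it.
    pie=no
    if printf '%s\n' "$out" | grep -Eq '^ *Type: +DYN' &&
       printf '%s\n' "$out" | grep -Eq '^ *INTERP '; then
        pie=yes
    fi

    # Stack protector: instrumented functions call __stack_chk_fail when the
    # canary is corrupted, so the symbol shows up in the symbol table.
    canary=no
    if printf '%s\n' "$out" | grep -q '__stack_chk_fail'; then
        canary=yes
    fi

    echo "relro=$relro pie=$pie canary=$canary"
}

# audit_binary runs readelf (binutils) on a real file, e.g. your installed IRCd.
audit_binary() {
    readelf -W -h -l -d -s "$1" | hardening_report
}

# Constructed readelf excerpt: a build with the hardening options enabled.
sample_hardened() {
    cat <<'EOF'
  Type:                              DYN (Shared object file)
  INTERP         0x000238 0x0000000000000238 0x0000000000000238 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x1f2d90 0x00000000003f2d90 0x00000000003f2d90 0x00d270 0x00d270 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
    41: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
EOF
}

# Constructed readelf excerpt: a build without those options.
sample_legacy() {
    cat <<'EOF'
  Type:                              EXEC (Executable file)
  INTERP         0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x1f2e10 0x00000000007f2e10 0x00000000007f2e10 0x0001f0 0x0001f0 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
    41: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (4)
EOF
}

if [ "$#" -gt 0 ]; then
    audit_binary "$1"
else
    printf 'hardened sample: %s\n' "$(sample_hardened | hardening_report)"
    printf 'legacy sample:   %s\n' "$(sample_legacy | hardening_report)"
fi
```

Run it with the path to a binary as the only argument to audit that file; a result of `relro=partial` or `pie=no` on a 4.0.8 or later build usually means the distribution or local CFLAGS/LDFLAGS overrode the defaults.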
|
|
From: Bram M. <sy...@un...> - 2016-10-30 13:41:59
|
Hi everyone,
UnrealIRCd 4.0.8-rc1 is now available for download. This first Release
Candidate for 4.0.8 is released early because there were a number of build
system changes that warrant further testing. Please report any issues on
bugs.unrealircd.org <https://bugs.unrealircd.org/>.
*Changes between version 4.0.7 and 4.0.8-rc1*
Improvements
* *NIX: As part of defense-in-depth UnrealIRCd now compiles with several
hardening options by default. This makes several types of exploits more
difficult and in some cases even impossible. Tech: this enables full RELRO
(GOT and PLT being read-only), everything compiled as PIE making ASLR
possible, stack protector canaries are added, etc.
* Windows: releases are now signed. If you download the UnrealIRCd installer
the publisher will now show as "Open Source Developer, Bram Matthys"
rather than "Unknown publisher". Similarly all the EXE and DLL files have
been signed which should make it easy for anti virus software to see if
something is an official UnrealIRCd release file or not.
Major issues fixed
* Possible crash if you have several blacklist blocks
Minor issues fixed
* None
*Other changes*
* System c-ares is preferred over our own shipped c-ares
* System cURL is preferred over ~/curl (if it has AsynchDNS)
* Our shipped libraries are no longer built as static
* Now that shipped libraries are dynamic they need to be installed somewhere
(if used). The default location is ~/unrealircd/lib and can be changed via
--with-privatelibdir. (Although, if you are a package builder then you
will probably use --with-system-xxx and then private libraries are not
used at all)
*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We
have moved as much
functionality as possible to 150+ individually loadable modules (commands
<https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files has
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
|
From: Bram M. <sy...@un...> - 2016-10-09 12:18:29
|
Hi everyone,
Today we present 4.0.7 (stable). SSL/TLS security has been improved and an
issue on FreeBSD preventing SSL server linking from working correctly has been
resolved. Compared to 4.0.7-rc1 from a week ago the changes are minimal.
*Changes between version 4.0.6 and 4.0.7*
Improvements
* UnrealIRCd now ships with a default ciphersuite list to have more secure
SSL/TLS defaults (rather than relying on your OS/Distro). You can still
customize ciphersuites through set::ssl::ciphers. See also the wiki
article <https://www.unrealircd.org/docs/SSL_Ciphers_and_protocols>.
* set::ssl::protocols allows you to specify which SSL/TLS protocols are
permitted. The default is (still): TLSv1,TLSv1.1,TLSv1.2.
* Windows: remote includes now support IPv6
Major issues fixed
* FreeBSD: unstable SSL links to other servers
Minor issues fixed
* It was impossible to set both +b ~r:xyz and +b ~R:xyz
*Removed the following rarely used build-time options*
* /CHROOTDIR/: Never worked in 4.0.x anyway. You should use AppArmor,
SELinux, FreeBSD jails, etc. as an alternative.
* /IRC_USER/IRC_GROUP/: Since this only applies to users installing
UnrealIRCd system-wide you should use your system services to do this as
well. Use systemd's User=xx or good ol' start-stop-daemon.
*Other changes*
* PCRE2 and c-ares libraries updated to latest versions
* PDF documentation removed from c-ares library to save 1 Mb
* Updated curl-ca-bundle to latest version
* Module coders: You can use modinfo now again in MOD_LOAD, just like in
MOD_INIT
*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We
have moved as much
functionality as possible to 150+ individually loadable modules (commands
<https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files has
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
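
The announcement above gives both a short and a long id for the release signing key; the following added example (not part of the original message or of the project's tooling) shows why a download check should compare the long id rather than the short one. The function names are hypothetical, and both gpg status excerpts, including the fingerprint digits in front of the key ids, are constructed.

```shell
#!/bin/sh
# Added example (not UnrealIRCd code): accept a release signature only when
# gpg's machine-readable status shows the key id from the announcement.
SHORT_ID=108FF4A9            # short key id from the announcement (32 bits)
LONG_ID=A7A21B0A108FF4A9     # long key id from the announcement (64 bits)

# validsig_ends_with SUFFIX: stdin is the output of
#   gpg --status-fd 1 --verify <signature> <file>
# Succeeds only if gpg emitted VALIDSIG (signature cryptographically good) and
# the signing-key or primary-key fingerprint ends in SUFFIX.
validsig_ends_with() {
    awk -v want="$1" '
        BEGIN { want = toupper(want); n = length(want) }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            sig = toupper($3); pri = toupper($NF)
            if (substr(sig, length(sig) - n + 1) == want ||
                substr(pri, length(pri) - n + 1) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

weak_check()   { validsig_ends_with "$SHORT_ID"; }   # 8 hex digits: easy to collide
strict_check() { validsig_ends_with "$LONG_ID"; }    # 16 hex digits

# verify_release SIGNATURE FILE: runs gpg and applies the strict check.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | strict_check
}

# Constructed status output: signature by a key whose fingerprint ends in the
# announced long id. The leading 24 hex digits are placeholder padding, not
# the real fingerprint, which the message does not state.
sample_release() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A7A21B0A108FF4A9 Constructed Release Key
[GNUPG:] VALIDSIG 0123456789ABCDEF01234567A7A21B0A108FF4A9 2016-10-09 1476015509 0 4 0 1 8 00 0123456789ABCDEF01234567A7A21B0A108FF4A9
EOF
}

# Constructed status output: a valid signature from a different key that
# happens to share the same short id.
sample_lookalike() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEF108FF4A9 Constructed Other Key
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA98DEADBEEF108FF4A9 2016-10-09 1476015509 0 4 0 1 8 00 FEDCBA9876543210FEDCBA98DEADBEEF108FF4A9
EOF
}

if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then echo "signed by release key"; else echo "NOT verified"; fi
else
    for s in sample_release sample_lookalike; do
        if "$s" | weak_check; then w=accept; else w=reject; fi
        if "$s" | strict_check; then l=accept; else l=reject; fi
        printf '%-17s short-id check: %s, long-id check: %s\n' "$s" "$w" "$l"
    done
fi
```

A 64-bit id is still only a suffix of the fingerprint, so once the full fingerprint of the release key has been obtained from a trusted channel, pass that to `validsig_ends_with` instead.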
|
|
From: Bram M. <sy...@un...> - 2016-10-01 14:13:32
|
Hi everyone,
The first release candidate for 4.0.7 is now available for download: 4.0.7-rc1.
SSL/TLS security has been improved and an issue on FreeBSD preventing SSL
server linking from working correctly has been resolved.
*Changes between version 4.0.6 and 4.0.7-rc1*
Improvements
* UnrealIRCd now ships with a default ciphersuite list to have more secure
SSL/TLS defaults (rather than relying on your OS/Distro). You can still
customize ciphersuites through set::ssl::ciphers. See also the wiki
article <https://www.unrealircd.org/docs/SSL_Ciphers_and_protocols>.
* set::ssl::protocols allows you to specify which SSL/TLS protocols are
permitted. The default is (still): TLSv1,TLSv1.1,TLSv1.2.
* Windows: remote includes now support IPv6
Major issues fixed
* FreeBSD: unstable SSL links to other servers
Minor issues fixed
* It was impossible to set both +b ~r:xyz and +b ~R:xyz
*Removed the following rarely used build-time options*
* /CHROOTDIR/: Never worked in 4.0.x anyway. You should use AppArmor,
SELinux, FreeBSD jails, etc. as an alternative.
* /IRC_USER/IRC_GROUP/: Since this only applies to users installing
UnrealIRCd system-wide you should use your system services to do this as
well. Use systemd's User=xx or good ol' start-stop-daemon.
*Other changes*
* PCRE2 and c-ares libraries updated to latest versions
*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We
have moved as much
functionality as possible to 150+ individually loadable modules (commands
<https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files has
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
|
From: Bram M. <sy...@un...> - 2016-09-03 20:39:26
|
You can now use our *online SASL bug security check*, to see if your server is
vulnerable. It can be found on https://www.unrealircd.org/check_sasl.php
Just enter your server IP and it will show if your server is vulnerable or not.
NOTE: This only works reliably on UnrealIRCd servers. Don't use it for other
IRC server brands!
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
|
From: Bram M. <sy...@un...> - 2016-09-03 19:38:22
|
Hi everyone,
A security issue was detected in a number of IRCd's, including UnrealIRCd,
regarding the way SASL is implemented.
If you use services _and_ have SASL enabled (you need to do this explicitly)
then you should patch or upgrade as soon as possible.
_While this only affects 2% of our userbase, for those networks which are
affected this is a very serious issue_. If you are affected you can upgrade to
one of the new UnrealIRCd releases or you can upgrade their existing
UnrealIRCd _without a restart_ (see below)
Note that releases and this security announcement have been made in a hurry.
Details on this issue are already available online at other websites.
*Issue details*
An attacker can send an SSL fingerprint of his choice to services when doing
SASL authentication. An attacker can compromise a services account if the user
has an SSL fingerprint stored in services.
*How to check if you are affected (how do I know if I use SASL?)*
You are only affected if all of the following is true:
1. SASL is enabled in UnrealIRCd: *check if set::sasl-server is set* to a
valid server
2. Your services support SASL (eg: anope)
3. Your services support SSL fingerprint authentication (eg: anope)
*How to get the fix/patch?*
Windows users should download and install UnrealIRCd 4.0.6 or 3.2.10.7.
Linux/BSD/.. users can also install 4.0.6 / 3.2.10.7 *OR* you can choose to
patch UnrealIRCd on-the-fly without a restart.
Since the patch is usually the easiest and most user friendly solution, we
recommend it.
Run the following on the IRC shell:
wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
*Q&A*
*Have there been any reports of these bugs being abused by anyone?*
We don't know. It sounds likely, the issue is very easy to exploit.
*Should I upgrade?*
If you use SASL authentication then yes you should definitely upgrade. If you
do not have SASL enabled then there is no need to upgrade at this time, this
is true for most of our users (98%).
*Are there any workarounds so I don't have to upgrade?*
As a very quick workaround you could disable SASL entirely by removing the
set::sasl-server setting and rehashing the IRCd.
You could also disable SASL at the services level. For anope you do this by
unloading the m_sasl module (in anope).
*Can I upgrade without restarting the IRC server?*
On Windows no, but on Linux/BSD/.. yes you can. Run the following on the shell:
wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
*How serious are these bugs?*
See the /Issue details/ above. If you are affected then all user accounts
with an SSL fingerprint for authentication can be compromised.
*When were these issues reported?*
This issue was reported a few hours ago. Details of the exploit were already
available online before this fix and security announcement were available, so
everything has been written in a rush.
*Updates to this advisory*
This release announcement/advisory can be found here
<https://forums.unrealircd.org/viewtopic.php?f=1&t=8588>. Small
corrections/updates will be posted there, if any.
------------------------------------------------------------------------------
What's new in UnrealIRCd 4
*A short overview of the most important changes:*
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much
functionality as possible to 150+ individually loadable modules (commands
<https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files has
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
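Added example (not part of the original post and not UnrealIRCd's own code): one way to test the IRCd-side condition from the advisory above, whether set::sasl-server is set, across a configuration and its include files. The function names, file names and hostnames are hypothetical, and the sample configuration is constructed.

```python
import re

# Tokens of an UnrealIRCd configuration file: quoted strings, the three
# comment styles (/* */, // and #), the characters { } ; and bare words.
# Strings are tried first so "#chan" or "https://..." is not read as a comment.
_TOKEN = re.compile(r'''
    (?P<string>"(?:\\.|[^"\\])*")
  | (?P<comment>/\*.*?\*/|//[^\n]*|\#[^\n]*)
  | (?P<punct>[{};])
  | (?P<word>[^\s{};"]+)
''', re.VERBOSE | re.DOTALL)


def statements(text):
    """Yield (enclosing_blocks, words) for every ';'-terminated directive."""
    stack, stmt = [], []
    for m in _TOKEN.finditer(text):
        kind, tok = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "string":
            stmt.append(tok[1:-1])          # drop the surrounding quotes
        elif kind == "word":
            stmt.append(tok)
        elif tok == "{":                    # "set {" opens block "set"
            stack.append(stmt[0] if stmt else "")
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        else:                               # ';' ends a directive
            if stmt:
                yield tuple(stack), stmt
            stmt = []


def sasl_exposure(files, root="unrealircd.conf"):
    """Follow includes from `root` and collect every set::sasl-server value.

    `files` maps file name -> file content (hypothetical interface so the
    example runs offline). Includes that are not supplied, such as remote
    URLs, are reported instead of being silently skipped.
    """
    servers, unresolved, seen, todo = [], [], set(), [root]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        if name not in files:
            unresolved.append(name)
            continue
        for path, words in statements(files[name]):
            has_value = len(words) > 1 and words[1] != ""
            if path == () and words[0] == "include" and has_value:
                todo.append(words[1])
            elif path == ("set",) and words[0] == "sasl-server" and has_value:
                servers.append((name, words[1]))
    return {
        "sasl_servers": servers,
        "unresolved_includes": unresolved,
        "ircd_condition_met": bool(servers),
    }


# Constructed sample configuration, not taken from a real network.
SAMPLE_FILES = {
    "unrealircd.conf": '''
/* main configuration */
me { name "irc.example.org"; info "Example # server"; sid "001"; };
include "network.conf";
include "https://conf.example.org/opers.conf";
set {
    // sasl-server "retired.example.org";
    anti-flood { nick-flood 3:60; };
};
''',
    "network.conf": '''
set {
    network-name "ExampleNet";
    sasl-server "services.example.org";  # IRCd-side switch named in the advisory
};
''',
}

if __name__ == "__main__":
    print(sasl_exposure(SAMPLE_FILES))
```

A positive result only covers the first of the three conditions; whether services support SASL and SSL fingerprint authentication is decided by the services configuration, which this check does not read.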
|
|
From: Bram M. <sy...@un...> - 2016-07-28 18:43:33
|
Apologies. The initial 4.0.5 download was killing innocent users ("flood from
unknown connection") due to a silly mistake from me. The 4.0.5 download has
now been replaced and checksums etc. have been updated.
If you were among one of the 41 downloaders (28 unique ip's) who downloaded
UnrealIRCd 4.0.5 between initial release and this fix, then please re-download
4.0.5 from www.unrealircd.org <https://www.unrealircd.org/> and install the
fixed version.
I'm really sorry for the trouble. In case anyone wonders: automated testing
didn't catch this issue because the tests ran on localhost/LAN, resulting in
no recvq. And we couldn't push out any release candidate (which results in a
lot more testing) because this was a security release... :(
Anyway, please still do upgrade to UnrealIRCd 4.0.5 somewhere in the next few
days (now with this new fixed version). See the release announcement / security
advisory below.
Bram Matthys wrote on 28-7-2016 16:22:
>
> Hi everyone,
>
> UnrealIRCd 4.0.5 has been released today. *We recommend everyone to
> upgrade* somewhere in the next few days. This release fixes the following
> serious issues:
>
> * Fix crash issue (read-after-free)
> * Prevent flood from unknown connection
> * Bans on IPv6 cloaked hosts had no effect
>
> These issues affect all 4.0.x versions until now.
>
> *Issue details*
> The crash is rare under normal circumstances. However, it is possible to
> trigger the crash remotely on-purpose if you know how.
> The crash issue has a CVSS score of 7.5 (High):
> CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RC:C
>
> The "unknown connection flood" issue allows an attacker to consume IRCd
> resources. We have an "unknown flood" protection mechanism which was
> supposed to kick in and kill the user, but it didn't always do this in time.
> The unknown connection flood issue has a CVSS score of 5.3 (Medium):
> CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/RC:C
>
> Finally, the IPv6 ban bug is an obvious mistake. Bans on nick, ident, hosts,
> IPv4 real IP's, IPv6 real IPs, vhosts, etc.. all work.. but bans on IPv6
> cloaked hosts do not (+b *!*@XXXXXXX:YYYYYYY:ZZZZZZZ). If you ban a user
> with such a mask, they can still (re)join and speak. You can temporarily
> work around this bug by replacing the colons with question marks
> (+b *!*@XXXXXXX?YYYYYYY?ZZZZZZZ).
>
> *Q&A*
> *Have there been any reports of these bugs being abused by anyone?*
> We have had no reports of the crash or flood bug being abused by anyone.
> However, we recommend everyone to upgrade somewhere in the next couple of days.
>
> *Should I upgrade?*
> Yes.
>
> *Are there any workarounds so I don't have to upgrade?*
> For the IPv6 ban bug on cloaked hosts there's a workaround, see /Issue
> details/ above. For the other bugs there is no workaround available.
>
> *Can I upgrade without restarting the IRC server?*
> No. Although a lot of UnrealIRCd is modularized. These bugs are located in
> the "core", which cannot be upgraded without a restart.
>
> *How serious are these bugs?*
> See the /Issue details/ above. These include CVSS scores.
>
> *When were these issues reported?*
> The IPv6 ban issue was reported yesterday. The crash issue was reported
> before but the cause of it was very hard to trace. It was finally traced and
> fixed today. The flood issue was found recently during our own tests. We
> decided to bundle it with the other two fixes.
>
> *Updates to this advisory*
> This release announcement/advisory can be found here
> <https://forums.unrealircd.org/viewtopic.php?f=1&t=8568>. Small
> corrections/updates will be posted there, if any.
>
> What's new in UnrealIRCd 4
> *A short overview of the most important changes:*
>
> * You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much
> functionality as possible to 150+ individually loadable modules
> (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user
> modes <https://www.unrealircd.org/docs/User_modes>, channel modes
> <https://www.unrealircd.org/docs/Channel_modes>, extbans
> <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You
> decide which features your UnrealIRCd should have.
> * Fine-grained IRCOp privileges
> <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
> privileges are granted has been redone entirely. This allows you to
> configure oper privileges on a very detailed level. You don't want
> OperOverride? You don't want opers to see secret channels? Or you want
> an oper with a very minimal set of privileges? This is all possible.
> * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
> documentation has been moved to a wiki
> <https://www.unrealircd.org/docs/>. It's even better than before and
> more accessible to people who are new to IRCd's. The wiki also allows
> easy translation
> <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
> community members.
> * New directory structure
> <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
> *NIX the IRCd is now always installed to a different directory than
> where you compile from (~/unrealircd by default). No more mess. On both
> *NIX and Windows configuration files go in conf/, modules go in
> modules/, etc.. Configuration files can be identical on Windows and
> *NIX. This new directory structure also allows easier packaging.
> * New I/O system using kqueue & epoll. The IRCd can now handle thousands
> of users more easily.
> * Improved SSL/TLS support. SSL has always been a major feature in
> UnrealIRCd but has been enhanced. UnrealIRCd is now always built with
> SSL support (both on *NIX and Windows). SSL client certificate
> fingerprints are visible in /WHOIS, a new certfp extban
> <https://www.unrealircd.org/docs/Extended_bans>
> (~S:certificatefingerprint), better defaults including 4096 bit keys and
> Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>,
> etc.
> * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
> (DNSBL/RBL). Great for combating drones and other abusers.
> * Better and more helpful error messages. Especially regarding the
> configuration file.
> * More modern server-to-server protocol.
> <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
> UID/SID's. Resulting in less desynch. issues.
> * Lowering the bar for Spamfilter
> <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
> now choose between 'regex' and 'simple' matching. Simple matching allows
> using the usual '?' and '*' wildcards that everyone knows about. The
> regex engine has been moved from TRE to PCRE (=about twice as fast).
> * Configuration is more logical
> <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of
> the configuration blocks have been restructured. Don't worry, we include
> an UnrealIRCd 3.2.x to 4.x configuration file converter.
> * Easier 3rd party module management. On *NIX you now just put your 3rd
> party modules in /src/modules/third/ and then each time you run 'make'
> they will be compiled if needed.
> * Easier upgrading. On *NIX, when upgrading to a new version, ./Config
> will ask you to import settings from a previous installation,
> remembering your installation directory and other settings. It will also
> copy the 3rd party modules from the old to the new installation and
> re-compile them.
> * More secure. Even better secure defaults, more warnings about insecure
> behavior, ..
> * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
>
> For developers:
>
> * Easier source navigation. Because we moved almost everything to modules,
> it's now much easier to see all the code for a particular feature.
> * Cleaner code. There have been a lot of source code cleanups. Code has
> been restructured or rewritten. Old irrelevant code has been deleted.
> * Development documentation can be found on the wiki
> <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
> module in C and list all the details on the various Module API's such as
> how to write commands, channel modes, plug-in by using Hooks, etc...
>
> *Upgrading from 3.2.x to UnrealIRCd 4*
> If you are upgrading from 3.2.x to 4.x then there are three important things
> to know:
> *1) New file locations*
> In UnrealIRCd 4 the location of the configuration files and other files have
> been changed. On *NIX the directory where you compile the IRCd from
> (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
> the directory where the IRCd will be running from.
> By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX.
> On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
>
> The new directory structure is as follows (both on Windows and *NIX):
> conf/ contains all configuration files
> logs/ for log files
> modules/ all modules (.so files on *NIX, .dll files on Windows)
>
> *2) Configuration file changes*
> There have also been changes in various configuration blocks and settings.
> Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files
> to UnrealIRCd 4 format. There's no need to start from scratch.
> Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
> information on the config file conversion.
>
> *3) Third party modules*
> If you are using 3rd party modules (modules not developed by the UnrealIRCd
> team) then they will require an update before they can run on UnrealIRCd 4.
> Contact your developer for a new version or ask on our Modules forum
> <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
> enough to convert the module for you if you ask nicely. Due to the many core
> changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
> out-of-the-box on 4.x as well.
>
> *Running a mixed 3.2.x / 4.x network*
> You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
> <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
>
> *End of the 3.2.x series*
> With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
> All support for the 3.2.x series will stop after December 31, 2016.
> See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
>
> *Download*
> As always, you can download UnrealIRCd from https://www.unrealircd.org/
> All releases are signed with our PGP key (short key id 0x108FF4A9 and long
> id 0xA7A21B0A108FF4A9)
>
> Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
> --
> Bram Matthys
> Software developer/IT con...@vu...
> Website:www.vulnscan.org
> PGP key:www.vulnscan.org/pubkey.asc
> PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2016-07-28 14:22:35
Hi everyone,

UnrealIRCd 4.0.5 has been released today. *We recommend everyone to upgrade*
somewhere in the next few days.

This release fixes the following serious issues:
* Fix crash issue (read-after-free)
* Prevent flood from unknown connection
* Bans on IPv6 cloaked hosts had no effect
These issues affect all 4.0.x versions until now.

*Issue details*
The crash is rare under normal circumstances. However, it is possible to
trigger the crash remotely on-purpose if you know how.
The crash issue has a CVSS score of 7.5 (High):
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RC:C

The "unknown connection flood" issue allows an attacker to consume IRCd
resources. We have an "unknown flood" protection mechanism which was supposed
to kick in and kill the user, but it didn't always do this in time.
The unknown connection flood issue has a CVSS score of 5.3 (Medium):
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/RC:C

Finally, the IPv6 ban bug is an obvious mistake. Bans on nick, ident, hosts,
IPv4 real IP's, IPv6 real IPs, vhosts, etc.. all work.. but bans on IPv6
cloaked hosts do not (+b *!*@XXXXXXX:YYYYYYY:ZZZZZZZ). If you ban a user with
such a mask, they can still (re)join and speak. You can temporarily work around
this bug by replacing the colons with question marks
(+b *!*@XXXXXXX?YYYYYYY?ZZZZZZZ).

*Q&A*
*Have there been any reports of these bugs being abused by anyone?*
We have had no reports of the crash or flood bug being abused by anyone.
However, we recommend everyone to upgrade somewhere in the next couple of days.
*Should I upgrade?*
Yes.
*Are there any workarounds so I don't have to upgrade?*
For the IPv6 ban bug on cloaked hosts there's a workaround, see /Issue details/
above. For the other bugs there is no workaround available.
*Can I upgrade without restarting the IRC server?*
No. Although a lot of UnrealIRCd is modularized, these bugs are located in the
"core", which cannot be upgraded without a restart.
*How serious are these bugs?*
See the /Issue details/ above. These include CVSS scores.
*When were these issues reported?*
The IPv6 ban issue was reported yesterday. The crash issue was reported before
but the cause of it was very hard to trace. It was finally traced and fixed
today. The flood issue was found recently during our own tests. We decided to
bundle it with the other two fixes.
*Updates to this advisory*
This release announcement/advisory can be found here
<https://forums.unrealircd.org/viewtopic.php?f=1&t=8568>. Small
corrections/updates will be posted there, if any.

*What's new in UnrealIRCd 4*
*A short overview of the most important changes:*
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have
moved as much functionality as possible to 150+ individually loadable modules
(commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2016-06-26 18:44:03
Hi everyone,
As you may have found out by now we have a new release policy where we try to
push out a new 4.0.x release at least every 2 months, even if there are only
minor changes. This makes sure that new installations benefit from recent
fixes and enhancements. We always try to make clear what changed in each
version so you can decide yourself if you find it worthwhile to upgrade an
existing server or not.
This UnrealIRCd 4.0.4 release addresses a small GLINE/KLINE bug, two rare
crashes and a few minor issues. See below.
*Changes between version 4.0.4 and 4.0.3*
New
* Italian /HELPOP translation (help.it.conf)
* Ability to turn off SSL-related connection info
(set::options::no-connect-ssl-info)
Major issues fixed
* GLINE/KLINE on usermask@ did not have any effect
* Crash if you have a listen block with port 0
* Infinite loop if you have an invalid operclass::parent reference in your
configuration file
Minor issues fixed
* files { } block only worked with absolute paths
* delayjoin: hidden users were not always joined on +vhoaq
* A small memory leak
* Duplicate replies on /VERSION
* When doing /VERSION on IRC as an IRCOp it showed the compile-time rather
than runtime OpenSSL/LibreSSL version
*Other changes*
* Documentation updates
* Prevent installation in the same directory as the source
*What's new in UnrealIRCd 4*
*A short overview of the most important changes:*
* You decide what to load <https://www.unrealircd.org/docs/Modules>.
We have moved as much
functionality as possible to 150+ individually loadable modules (commands
<https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@un...> - 2016-05-03 17:09:22
*OpenSSL/LibreSSL security issues*

*Summary: if you have SSL enabled in UnrealIRCd then please upgrade your
OpenSSL/LibreSSL libraries (*NIX) or download the new installer (Windows).*

Two high impact vulnerabilities were found in OpenSSL and LibreSSL.

*CVE-2016-2107* is described as follows: /A MITM attacker can use a padding
oracle attack to decrypt traffic when the connection uses an AES CBC cipher
and the server support AES-NI/. Note that to exploit this an attacker needs to
be able to intercept & modify packets between the client and server. See the
OpenSSL security advisory <https://www.openssl.org/news/secadv/20160503.txt>
for technical details (note that CVE-2016-2107 is the 2nd issue in the
advisory).
When UnrealIRCd is compiled with SSL/TLS support it uses the OpenSSL/LibreSSL
library and is therefore affected by this issue. This affects 50% of the
UnrealIRCd installations out there.

Details on another vulnerability, *CVE-2016-2108*, were also published. That
issue allows one to crash the server and may potentially allow remote code
execution. However, the issue was already fixed a year ago in OpenSSL 1.0.2c.
It was simply unknown to the OpenSSL folks at the time that the fix they made
fixed a serious security issue. Again, see the OpenSSL security advisory
<https://www.openssl.org/news/secadv/20160503.txt> for details.
Specifically for UnrealIRCd it means that for this latter issue
(CVE-2016-2108) Windows SSL versions of 3.2.10.5 and before are affected. The
3.2.10.6 Windows SSL version is not affected (it used OpenSSL 1.0.2e), but you
probably still want to upgrade anyway because it's still vulnerable to the
first issue (CVE-2016-2107).

*Linux/*BSD/OS X*
You are only _unaffected_ if you are using UnrealIRCd 3.2.x and you did not
compile with SSL support. This question is asked during ./Config: /Do you want
to support SSL (Secure Sockets Layer) connections?/ If you answered /No/ then
you are unaffected. If you answered /Yes/ then you are affected.
UnrealIRCd 4.0.x always uses SSL/TLS so is always affected.
UnrealIRCd itself does not ship with OpenSSL/LibreSSL. Please use your distro
tools to upgrade your SSL libraries (yum, apt-get, etc.). After upgrading the
libraries you will have to restart UnrealIRCd. The same is true for other
daemons using OpenSSL/LibreSSL by the way: apache, exim, etc.

*Windows*
UnrealIRCd 4.0.x (all versions) and UnrealIRCd 3.2.x (SSL versions) ship with
vulnerable OpenSSL/LibreSSL. The downloads have therefore been replaced:
* New versions of UnrealIRCd 4.0.3: The installer identifies itself as
*4.0.3-SSL-sslfix*. Other than that UnrealIRCd is exactly the same and the
IRCd reports as *4.0.3* on IRC.
* New versions of UnrealIRCd 3.2.10.6: The installer will identify itself as
*3.2.10.6-sslfix*. Other than that UnrealIRCd is exactly the same and the
IRCd reports as *3.2.10.6* on IRC.
Note that this means that a regular user on IRC cannot judge from the
UnrealIRCd version number (shown on IRC) if a server is vulnerable or not.
This is exactly the same as on *NIX. See also next.

*How to check which OpenSSL/LibreSSL version is in use*
_Important_: Checking the SSL library version on *NIX isn't really useful. The
reported library version is often an older OpenSSL version while in fact the
libraries have been upgraded and you are safe. So just upgrade your OpenSSL or
LibreSSL package as per your distro's advice, restart the IRCd and assume the
upgrade succeeded.
As an IRCOp you can issue the /VERSION command (or /QUOTE VERSION). This
should output something like this:
UnrealIRCd-4.0.3. irc.server.net FhinW6OoErM [Microsoft Windows 7 Service Pack 1 (build 7601)=4000]
-irc.server.net- *LibreSSL 2.3.4*
-irc.server.net- libcurl/7.48.0 LibreSSL/2.0.0 c-ares/1.11.0
The text marked in bold is what you should be looking for. Ignore any lines
containing libcurl.
Fixed versions are: *OpenSSL 1.0.2h* and *LibreSSL 2.3.4*
Be sure to run this command as an IRC Operator, otherwise the SSL library
version number is not shown. Are you sure you run as an IRC Operator and you
see the UnrealIRCd version but not the OpenSSL/LibreSSL lines? Then SSL is not
enabled on your server and you are unaffected (this is only possible on 3.2.x).
TIP: You can also use /VERSION remote.server.name to query remote servers.
Again, you have to be an IRC Operator to get meaningful results.

*Final words*
A copy of this advisory is posted on the forums
<https://forums.unrealircd.org/viewtopic.php?f=1&t=8530>.
As always, you can download UnrealIRCd from www.unrealircd.org
<https://www.unrealircd.org/>.
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
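The /VERSION check described in the advisory above can be automated over saved oper output. This is an added example, not part of the original post or of UnrealIRCd; the function names and the two constructed sample outputs are illustrative, and it compares only against the two fixed versions the advisory names (OpenSSL 1.0.2h and LibreSSL 2.3.4), so other patched release branches are not recognised.

```python
# Added example: classify the TLS library reported by /VERSION (as an IRCOp).
# Caveat from the advisory: on *NIX the reported version is often older than
# the patched package actually installed, so this is mainly useful for the
# Windows builds that bundle the library.
import re

# Fixed library versions exactly as named in the advisory.
FIXED = {"OpenSSL": "1.0.2h", "LibreSSL": "2.3.4"}

# /VERSION output quoted in the advisory (bold markers removed).
ADVISORY_SAMPLE = [
    "UnrealIRCd-4.0.3. irc.server.net FhinW6OoErM "
    "[Microsoft Windows 7 Service Pack 1 (build 7601)=4000]",
    "-irc.server.net- LibreSSL 2.3.4",
    "-irc.server.net- libcurl/7.48.0 LibreSSL/2.0.0 c-ares/1.11.0",
]
# Constructed variants for illustration; not taken from a real server.
CONSTRUCTED_OLD = [
    ADVISORY_SAMPLE[0],
    "-irc.server.net- OpenSSL 1.0.2g  1 Mar 2016",
    ADVISORY_SAMPLE[2],
]
CONSTRUCTED_NO_TLS_LINE = [ADVISORY_SAMPLE[0]]

# "<name> <digits.digits...><optional letters>", e.g. "OpenSSL 1.0.2h".
_LIB = re.compile(r"(?<![\w/])(OpenSSL|LibreSSL) (\d+(?:\.\d+)+)([a-z]*)")
_VERSION = re.compile(r"(\d+(?:\.\d+)+)([a-z]*)")


def version_key(version):
    """Turn '1.0.2h' into a sortable key: ((1, 0, 2), 'h')."""
    match = _VERSION.fullmatch(version)
    if match is None:
        raise ValueError("unrecognised version %r" % version)
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def tls_library(lines):
    """Return (name, version) of the IRCd's TLS library, or None.

    Lines containing 'libcurl' are skipped, as the advisory instructs: they
    describe what libcurl was built against, not what the IRCd is using.
    """
    for line in lines:
        if "libcurl" in line:
            continue
        match = _LIB.search(line)
        if match:
            return match.group(1), match.group(2) + match.group(3)
    return None


def assess(lines):
    """Return 'fixed', 'outdated' or 'no-tls-line' for a /VERSION reply."""
    library = tls_library(lines)
    if library is None:
        # Either the command was not run as an IRCOp or SSL is not enabled.
        return "no-tls-line"
    name, version = library
    if version_key(version) >= version_key(FIXED[name]):
        return "fixed"
    return "outdated"


if __name__ == "__main__":
    for label, sample in (("advisory sample", ADVISORY_SAMPLE),
                          ("constructed old", CONSTRUCTED_OLD),
                          ("constructed no TLS line", CONSTRUCTED_NO_TLS_LINE)):
        print("%-24s %s %s" % (label, tls_library(sample), assess(sample)))
```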
From: Bram M. <sy...@un...> - 2016-04-16 10:41:26
On UnrealIRCd 4.0.x an IRCOp could crash a server via the RPING command. This
command has now been removed since it's rarely used anyway. Note that regular
users cannot trigger this crash.
We classify this issue as *low impact* because IRC Operators usually have the
power to kill many if not all users on a server. Many IRCOps can shut down or
make the server unusable for users through other commands or means.
If you use UnrealIRCd 4.0.x and want to fix the RPING crash but don't want to
upgrade to 4.0.3 yet then you can unload the module by editing
conf/modules.default.conf. You should remove this line:
loadmodule "m_rping";
Then, rehash the IRCd (no restart needed).
If you now type '/RPING' or '/QUOTE RPING' on IRC you should see 'RPING
Unknown command'.
There are more changes in this 4.0.3 release. On Windows we changed the build
process and are now using LibreSSL. Two crash bugs related to invalid link
blocks were fixed. For more details see below.
*Changes between version 4.0.2 and 4.0.3*
Major issues fixed
* Crash on RPING command (IRCOp-only!)
* Crash on Windows on failed outgoing server connect
* Crash if you had a link { } block with invalid syntax
Minor issues fixed
* Windows: remote includes did not support https
* Compile problem with LibreSSL
*Other*
* Windows version compiled with Visual Studio 2012 rather than a mix of 2012
and 2010
* Windows version now using LibreSSL
* Crash reporter produces more useful reports (very important for us)
* PCRE2 Regex engine upgraded to 10.21
*What's new in UnrealIRCd 4*
*A short overview of the most important changes:*
* You decide what to load <https://www.unrealircd.org/docs/Modules>.
We have moved as much
functionality as possible to 150+ individually loadable modules (commands
<https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX.
On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
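How the on-connect DNSBL check named in the announcement above forms its lookup and reads the answer, as an added example (not part of the original message and not UnrealIRCd's own code). It follows the general DNSBL convention of RFC 5782 and goes beyond the announcement by also covering IPv6; the function names, the zone dnsbl.example.org and the reply codes 2 and 5 are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Build the name a DNSBL client resolves for `ip` under `zone` (RFC 5782).
 * IPv4: octets reversed, e.g. 192.0.2.99 -> 99.2.0.192.<zone>
 * IPv6: all 32 nibbles reversed, one DNS label each.
 * Returns 0 on success, -1 for an unparsable address or a short buffer. */
int dnsbl_query_name(const char *ip, const char *zone, char *out, size_t outlen)
{
    unsigned char a[16];

    if (inet_pton(AF_INET, ip, a) == 1) {
        int n = snprintf(out, outlen, "%u.%u.%u.%u.%s",
                         (unsigned)a[3], (unsigned)a[2],
                         (unsigned)a[1], (unsigned)a[0], zone);
        return (n > 0 && (size_t)n < outlen) ? 0 : -1;
    }
    if (inet_pton(AF_INET6, ip, a) == 1) {
        static const char hex[] = "0123456789abcdef";
        size_t zlen = strlen(zone), pos = 0;

        if (64 + zlen + 1 > outlen)          /* 32 x "n." + zone + NUL */
            return -1;
        for (int i = 15; i >= 0; i--) {
            out[pos++] = hex[a[i] & 0x0f];   /* low nibble comes first */
            out[pos++] = '.';
            out[pos++] = hex[a[i] >> 4];
            out[pos++] = '.';
        }
        memcpy(out + pos, zone, zlen + 1);
        return 0;
    }
    return -1;
}

/* Classify the A record a DNSBL returned for that name.
 *  >0  listed, and the last octet is one of the `wanted` reply codes
 *   0  answer is in 127.0.0.0/8 but the code is not one we act on
 *  -1  not a DNSBL reply at all: malformed, or outside 127.0.0.0/8, as
 *      happens when a defunct list's domain is parked and resolves every
 *      name. Acting on such an answer would ban every connecting client. */
int dnsbl_reply_hit(const char *answer, const int *wanted, size_t nwanted)
{
    unsigned char a[4];

    if (inet_pton(AF_INET, answer, a) != 1 || a[0] != 127)
        return -1;
    for (size_t i = 0; i < nwanted; i++)
        if (wanted[i] == a[3])
            return a[3];
    return 0;
}

int main(void)
{
    /* Constructed sample data: documentation addresses, placeholder zone. */
    const char *zone = "dnsbl.example.org";
    const char *clients[] = { "192.0.2.99", "2001:db8::1", "bogus" };
    const char *answers[] = { "127.0.0.5", "127.0.0.9", "203.0.113.10" };
    const int wanted[] = { 2, 5 };           /* hypothetical reply codes */
    char name[128];

    for (size_t i = 0; i < 3; i++) {
        if (dnsbl_query_name(clients[i], zone, name, sizeof name) == 0)
            printf("%-12s -> %s\n", clients[i], name);
        else
            printf("%-12s -> rejected\n", clients[i]);
    }
    for (size_t i = 0; i < 3; i++)
        printf("%-13s -> %d\n", answers[i],
               dnsbl_reply_hit(answers[i], wanted, 2));
    return 0;
}
```

The resolver call itself is left out so the block runs offline; in a server it must be asynchronous so a slow blacklist cannot stall the connection handling.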
From: Bram M. <sy...@vu...> - 2016-03-14 12:42:43
UnrealIRCd 4.0.2 addresses a number of minor issues and comes with two small enhancements.
*Changes between version 4.0.1 and 4.0.2*
Enhancements
* Ability to hide quit messages from *LINEd users (set::hide-ban-reason)
* Blacklist <https://www.unrealircd.org/docs/Blacklist_block> hits are now sent to new snomask +b rather than all ircops <https://www.unrealircd.org/docs/Cron_job>
Major issues fixed
* None
Minor issues fixed
* prefix-quit was not working
* Incorrect server description in /LINKS
* Logging to syslog was broken
* FreeBSD: fix kevent bug flood in error log
* OS X: Update ./Config to use Homebrew OpenSSL by default
* Don't show UID to client in case of a SVSMODE
*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's.
The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol. <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured.
Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd on *NIX. On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Full summary of changes*
We did our best to "summarize" the 1100+ changesets in about 120 bullet points but it's still a long read. The changes are split in the sections: NEW, CHANGED, REMOVED and MODULE CODERS / DEVELOPERS.
==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user modes and all extended bans into 138 separate modules. This makes it...
  A) possible to fully customize what exact functionality you want to load.
You could even strip down UnrealIRCd to get something close to the basic RFC1459 features from the 1990s. (No idea why you would want that, but it's possible)
  B) easier for coders to see all source code related to a specific feature
  C) possible to fix bugs and just reload rather than restart the IRCd.
  Have a look at modules.default.conf which contains the "default" set of modules that you can load if you just want to load all functionality.
  If you want to customize the list of modules to load then simply make a copy of that file, give it a different name, and include that one instead. Since the file is fully documented, you can just comment out or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: [A4+]
  * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
  * oper::flags has been removed. Instead you must specify an operclass in oper::operclass (for example, 'operclass netadmin').
  * In operclass block(s) you define the privileges. You can now control exactly what an IRCOp can and cannot do. Have a look at operclass.default.conf which ships with UnrealIRCd, it contains a number of default operclass blocks suitable for the most common situations. See also the operclass block documentation: https://www.unrealircd.org/docs/Operclass_block
  * If you ask UnrealIRCd to convert your 3.2.x configuration file then it will try to select a suitable operclass for the oper. This will not always 100% match your current oper block rights, though.
  * Channel Mode +A (Admin Only) has been removed. You can use the new extended ban ~O:<operclass>. This allows you to, for example, create an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
  * set::hosts has been removed, use oper::vhost instead.
  * Since oper levels have been removed you no longer see things like "OperX is a Network Administrator" in /WHOIS by default.
If you want that, then you can set oper::swhois to "is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale more easily to tens of thousands of clients by using kernel-evented I/O mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency and performance.
* On-connect DNSBL/RBL checking via the new blacklist block. [B1]
* The Windows version now has IPv6 support too. [B3]
* On all OS's we compile with IPv6 support enabled. You can still disable IPv6 at runtime by setting set::options::disable-ipv6. [B3]
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Chanops will still see everyone joining normally as if there was no +d set.
* If you connect with SSL/TLS with a client certificate then your SSL Fingerprint (SHA256 hash) can be seen by yourself and others through /WHOIS. The fingerprint is also shared with all servers on the network.
* ExtBan ~S:<certificate fingerprint> for ban exceptions / invex. This can be used like +iI ~S:000000000etc.
* bcrypt has been added as a password hashing algorithm and is now the preferred algorithm [A3]
* './unreal mkpasswd' will now prompt you for the password to hash [A3]
* Protection against SSL renegotiation attacks [A3]
* When you link two servers the current timestamp is exchanged. If the time differs more than 60 seconds then servers won't link and it will show a message that you should fix your clock(s). This requires version alpha3 (or later) on both ends of the link [A3]
* Configuration file converter that will upgrade your 3.2.x conf to 4.x. On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and after the config errors screen UnrealIRCd offers the conversion.
[A3]
* The IRCd can now better handle unknown channel modes which expect a parameter. This can be useful in a scenario where you are slowly upgrading all your servers.
* If you want to unset a vhost but keep cloaked then use /MODE yournick -t
* A "crash reporter" was added. When UnrealIRCd is started it will check if a previous UnrealIRCd instance crashed and (after booting a new instance) it will spit out a report and ask if you want to submit it to the UnrealIRCd developers. Doing so will help us a lot as many bugs are often not reported. Note that UnrealIRCd will always ask before sending any information and never do so automatically. [B3]
* SSL: Support for ECDHE has been added to provide "forward secrecy". [B4]
==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and UIDs (User ID's). SIDs work very similar to server numerics and UIDs help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256 hash and validity of 10 years. [A2]
* Building with SSL (OpenSSL) is now mandatory [A2]
* The link { } block has been restructured, see https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3]
* Better yet, check out our secure server linking tutorial: https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 [A3]
* password entries in the conf no longer require specifying an auth-type like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3]
* You will now see a warning when you link to a non-SSL server. [A3]
* Previously we used POSIX Regular expressions in spamfilters and at some other places. We have now moved to PCRE Regular expressions. They look very similar, but PCRE is a lot faster.
For backwards-compatibility we still compile with both regex engines. [A3]
* Spamfilter command syntax has been changed, it now has an extra option to indicate the matching method: /SPAMFILTER [add|del|remove|+|-] [method] [type] .... Where 'method' can be one of:
  * -regex: this is the new fast PCRE2 regex engine
  * -simple: supports just strings and ? and * wildcards (super fast)
  * -posix: the old regex engine for compatibility with 3.2.x. [A3]
* If you have both 3.2.x and 4.x servers on your network then the 4.x server will only send spamfilters of type 'posix' to the 3.2.x servers because 3.2.x servers don't support the other two types. So in a mixed network you probably want to keep using 'posix' for a while until all your servers are running UnrealIRCd 4. [A3]
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called oper::mask and vhost::mask. The usermask@ part is now optional and it supports two syntaxes. For one entry you can use: mask 1.2.3.*; For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow block was highly confusing (it was an OR-match) you must now choose between either allow::ip OR allow::hostname. [A3]
* cgiirc block is renamed to webirc and the syntax has changed [A4]
* set::pingpong-warning is removed, warning always off now [A4]
* More helpful configuration file parse error messages [A4]
* You can use '/OPER username' without password if you use SSL certificate (fingerprint) authentication. The same is true for '/VHOST username'. [A4]
* You must now always use 'make install' on *NIX [A4]
* Changed (default) directory structure entirely, see the section titled 'CONFIGURATION CHANGES' about 100 lines up. [A4]
* badword quit { } is removed, we use badword channel for it. [A4]
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf.
This file was called modules.conf in earlier alpha's. The file has been split up in sections and a lot of comments have been added to aid the user in deciding whether to load or not to load each module. [A4]
* Snomask +s is now (always) IRCOp-only. [A4]
* Previously there was little logic behind what modes halfops could set. Now the idea is as follows: halfops should be able to help out in case of a flood but not be able to change any 'policy decision modes' such as +G, +S, +c, +s. Due to this change halfops can now set modes +beiklmntIMKNCR (was: +beikmntI). [A4]
* If no link::hub or link::leaf is specified then assume hub "*". [B1]
* SWHOIS (Special whois title) has been extended in a number of ways:
  * We now "track" who or what set an swhois. This allows us to remove the swhois received via oper/vhost on de-oper/de-vhost.
  * You can now have multiple swhois lines
  * Multiple oper::swhois and vhost::swhois items are supported. [B1]
* When trying to link two servers without link::outgoing::options::ssl (which is not recommended) we try to use STARTTLS in order to 'upgrade' the connection to use SSL/TLS anyway. This can be disabled via link::outgoing::options::insecure. [B2]
* SSLv3 has now been disabled for security. This also means you can only link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4]
==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. [A1]
* PROTOCTL TOKEN and SJB64 are no longer implemented. [A1]
* Ziplinks have been removed. [A1]
* WebTV support. [A3]
* Channel Mode +j was removed and replaced by the configuration setting set::anti-flood::join-flood (default: 3 per 90 seconds). [B1]
* /CHATOPS: use /GLOBOPS instead which does the same
  /ADCHAT & /NACHAT: gone as we don't have such oper levels anymore
  Your opers should actually be in an #opers channel.
If you also want special classes of oper channels like #admins then use +iI ~O:*admin*
* User modes:
  * +N (Network Administrator): see 'Oper permissions' under NEW as for why
  * +a (Services Administrator): same
  * +A (Server Administrator): same
  * +C (Co Administrator): same
  * +O (Local IRC Operator): same
  * +h (HelpOp): all this did was add a line "is available for help" in WHOIS. You can use a vhost block with vhost::swhois as a replacement or for opers just add an oper::swhois item.
  * +g (failops): we already have snomasks and the +o usermode for this
  * +v (receive infected DCC SEND rejection notices): moved to snomask +D
==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added at https://www.unrealircd.org/docs/ describing things like how to write a module from scratch, the User & Channel Mode System, Commands, Command Overrides, Hooks, attaching custom-data to users/channels, and more. [A2+]
* For commands: do not read from parv[0] anymore, doing so will lead to a crash. Use sptr->name instead. This change is necessary as the "name" in parv[0] could possibly point to a UID/SID rather than a nick name. Thus, if you would send parv[0] to a non-UID or non-SID capable server this would lead to serious issues (not found errors).
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades) but disallows unloading of a module [A3]
* There have been *a lot* of source code cleanups (ALL)
* We now use the information from PROTOCTL CHANMODES= for parameter skipping if the channel mode is unknown. Also, when channel modes are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1]
* The server protocol docs have been removed. The protocol is now documented at https://www.unrealircd.org/docs/Server_protocol See also https://www.unrealircd.org/docs/Server_protocol:Changes for a list of changes between the 3.2 and 4.0 server protocol.
* GCC typechecking has been added to make sure your HookAdd...
calls are adding hook functions with the correct parameter (types).
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
From: Bram M. <sy...@vu...> - 2016-01-15 17:34:33
It's time for an update to the UnrealIRCd 4 series. In UnrealIRCd 4.0.1 we fix two crash issues & more, see below. Thanks to everyone who provided feedback and suggestions!
*Changes between version 4.0.0 and 4.0.1*
Enhancements
* The blacklist module <https://www.unrealircd.org/docs/Blacklist_block> now supports %ip (=banned IP) in blacklist::reason.
* *NIX: You can use cron again, see https://www.unrealircd.org/docs/Cron_job
* /MODULE now lists only 3rd party modules by default so you don't get flooded.
* *NIX: Added './unrealircd reloadtls' to reload TLS certificate and keys.
Major issues fixed
* Possible crash on-link if a user was in the process of connecting during linking
* Crash if you removed a listen { } block with active clients on that port
* MODEs set by a server (not by a user) were not always propagated correctly across the network. In practice this only affected /SAMODE and possibly some services that don't send MODEs from ChanServ/BotServ.
Minor issues fixed
* When doing /LIST under mIRC it would hide empty +P channels.
* Servers wouldn't link if link::outgoing::hostname was a CNAME.
* SSL Certificate fingerprint not communicated properly to servers/services.
* *NIX: ./unrealircd [stop|rehash] failed if not installed to ~/unrealircd.
* Windows: IRCd could crash after showing the config error screen on startup.
* Possibly some interoperability issues with services.
*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
For developers:
* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...
*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd on *NIX. On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.
*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will need an update to run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.
*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
*Full summary of changes*
We did our best to "summarize" the 1100+ changesets in about 120 bullet points but it's still a long read. The changes are split in the sections: NEW, CHANGED, REMOVED and MODULE CODERS / DEVELOPERS.
==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user modes and all extended bans into 138 separate modules. This makes it...
  A) possible to fully customize what exact functionality you want to load. You could even strip down UnrealIRCd to get something close to the basic RFC1459 features from the 1990s. (No idea why you would want that, but it's possible)
  B) easier for coders to see all source code related to a specific feature
  C) possible to fix bugs and just reload rather than restart the IRCd.
  Have a look at modules.default.conf which contains the "default" set of modules that you can load if you just want to load all functionality.
  If you want to customize the list of modules to load then simply make a copy of that file, give it a different name, and include that one instead. Since the file is fully documented, you can just comment out or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: [A4+]
  * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
  * oper::flags has been removed. Instead you must specify an operclass in oper::operclass (for example, 'operclass netadmin').
  * In operclass block(s) you define the privileges. You can now control exactly what an IRCOp can and cannot do. Have a look at operclass.default.conf which ships with UnrealIRCd, it contains a number of default operclass blocks suitable for the most common situations. See also the operclass block documentation: https://www.unrealircd.org/docs/Operclass_block
  * If you ask UnrealIRCd to convert your 3.2.x configuration file then it will try to select a suitable operclass for the oper.
    This will not always 100% match your current oper block rights, though.
  * Channel Mode +A (Admin Only) has been removed. You can use the new extended ban ~O:<operclass>. This allows you to, for example, create an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
  * set::hosts has been removed, use oper::vhost instead.
  * Since oper levels have been removed you no longer see things like "OperX is a Network Administrator" in /WHOIS by default. If you want that, then you can set oper::swhois to "is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale more easily to tens of thousands of clients by using kernel-evented I/O mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency and performance.
* On-connect DNSBL/RBL checking via the new blacklist block. [B1]
* The Windows version now has IPv6 support too. [B3]
* On all OS's we compile with IPv6 support enabled. You can still disable IPv6 at runtime by setting set::options::disable-ipv6. [B3]
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Chanops will still see everyone joining normally as if there was no +d set.
* If you connect with SSL/TLS with a client certificate then your SSL Fingerprint (SHA256 hash) can be seen by yourself and others through /WHOIS. The fingerprint is also shared with all servers on the network.
* ExtBan ~S:<certificate fingerprint> for ban exceptions / invex. This can be used like +iI ~S:000000000etc.
* bcrypt has been added as a password hashing algorithm and is now the preferred algorithm [A3]
* './unreal mkpasswd' will now prompt you for the password to hash [A3]
* Protection against SSL renegotiation attacks [A3]
* When you link two servers the current timestamp is exchanged.
  If the time differs more than 60 seconds then servers won't link and it will show a message that you should fix your clock(s). This requires version alpha3 (or later) on both ends of the link [A3]
* Configuration file converter that will upgrade your 3.2.x conf to 4.x. On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and after the config errors screen UnrealIRCd offers the conversion. [A3]
* The IRCd can now better handle unknown channel modes which expect a parameter. This can be useful in a scenario where you are slowly upgrading all your servers.
* If you want to unset a vhost but keep cloaked then use /MODE yournick -t
* A "crash reporter" was added. When UnrealIRCd is started it will check if a previous UnrealIRCd instance crashed and (after booting a new instance) it will spit out a report and ask if you want to submit it to the UnrealIRCd developers. Doing so will help us a lot as many bugs are often not reported. Note that UnrealIRCd will always ask before sending any information and never do so automatically. [B3]
* SSL: Support for ECDHE has been added to provide "forward secrecy". [B4]

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and UIDs (User ID's). SIDs work very similar to server numerics and UIDs help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256 hash and validity of 10 years.
  [A2]
* Building with SSL (OpenSSL) is now mandatory [A2]
* The link { } block has been restructured, see https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3]
* Better yet, check out our secure server linking tutorial: https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 [A3]
* password entries in the conf no longer require specifying an auth-type like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3]
* You will now see a warning when you link to a non-SSL server. [A3]
* Previously we used POSIX Regular expressions in spamfilters and at some other places. We have now moved to PCRE Regular expressions. They look very similar, but PCRE is a lot faster. For backwards-compatibility we still compile with both regex engines. [A3]
* Spamfilter command syntax has been changed, it now has an extra option to indicate the matching method: /SPAMFILTER [add|del|remove|+|-] [method] [type] .... Where 'method' can be one of:
  * -regex: this is the new fast PCRE2 regex engine
  * -simple: supports just strings and ? and * wildcards (super fast)
  * -posix: the old regex engine for compatibility with 3.2.x. [A3]
* If you have both 3.2.x and 4.x servers on your network then the 4.x server will only send spamfilters of type 'posix' to the 3.2.x servers because 3.2.x servers don't support the other two types. So in a mixed network you probably want to keep using 'posix' for a while until all your servers are running UnrealIRCd 4. [A3]
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called oper::mask and vhost::mask. The usermask@ part is now optional and it supports two syntaxes.
  For one entry you can use: mask 1.2.3.*; For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow block was highly confusing (it was an OR-match) you must now choose between either allow::ip OR allow::hostname. [A3]
* cgiirc block is renamed to webirc and the syntax has changed [A4]
* set::pingpong-warning is removed, warning always off now [A4]
* More helpful configuration file parse error messages [A4]
* You can use '/OPER username' without password if you use SSL certificate (fingerprint) authentication. The same is true for '/VHOST username'. [A4]
* You must now always use 'make install' on *NIX [A4]
* Changed (default) directory structure entirely, see the section titled 'CONFIGURATION CHANGES' about 100 lines up. [A4]
* badword quit { } is removed, we use badword channel for it. [A4]
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf. This file was called modules.conf in earlier alpha's. The file has been split up in sections and a lot of comments have been added to aid the user in deciding whether to load or not to load each module. [A4]
* Snomask +s is now (always) IRCOp-only. [A4]
* Previously there was little logic behind what modes halfops could set. Now the idea is as follows: halfops should be able to help out in case of a flood but not be able to change any 'policy decision modes' such as +G, +S, +c, +s. Due to this change halfops can now set modes +beiklmntIMKNCR (was: +beikmntI). [A4]
* If no link::hub or link::leaf is specified then assume hub "*". [B1]
* SWHOIS (Special whois title) has been extended in a number of ways:
  * We now "track" who or what set an swhois. This allows us to remove the swhois received via oper/vhost on de-oper/de-vhost.
  * You can now have multiple swhois lines
  * Multiple oper::swhois and vhost::swhois items are supported.
    [B1]
* When trying to link two servers without link::outgoing::options::ssl (which is not recommended) we try to use STARTTLS in order to 'upgrade' the connection to use SSL/TLS anyway. This can be disabled via link::outgoing::options::insecure. [B2]
* SSLv3 has now been disabled for security. This also means you can only link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4]

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. [A1]
* PROTOCTL TOKEN and SJB64 are no longer implemented. [A1]
* Ziplinks have been removed. [A1]
* WebTV support. [A3]
* Channel Mode +j was removed and replaced by the configuration setting set::anti-flood::join-flood (default: 3 per 90 seconds). [B1]
* /CHATOPS: use /GLOBOPS instead which does the same
  /ADCHAT & /NACHAT: gone as we don't have such oper levels anymore
  Your opers should actually be in an #opers channel. If you also want special classes of oper channels like #admins then use +iI ~O:*admin*
* User modes:
  * +N (Network Administrator): see 'Oper permissions' under NEW as for why
  * +a (Services Administrator): same
  * +A (Server Administrator): same
  * +C (Co Administrator): same
  * +O (Local IRC Operator): same
  * +h (HelpOp): all this did was add a line "is available for help" in WHOIS. You can use a vhost block with vhost::swhois as a replacement or for opers just add an oper::swhois item.
  * +g (failops): we already have snomasks and the +o usermode for this
  * +v (receive infected DCC SEND rejection notices): moved to snomask +D

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added at https://www.unrealircd.org/docs/ describing things like how to write a module from scratch, the User & Channel Mode System, Commands, Command Overrides, Hooks, attaching custom-data to users/channels, and more. [A2+]
* For commands: do not read from parv[0] anymore, doing so will lead to a crash. Use sptr->name instead.
  This change is necessary as the "name" in parv[0] could possibly point to a UID/SID rather than a nick name. Thus, if you would send parv[0] to a non-UID or non-SID capable server this would lead to serious issues (not found errors).
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades) but disallows unloading of a module [A3]
* There have been *a lot* of source code cleanups (ALL)
* We now use the information from PROTOCTL CHANMODES= for parameter skipping if the channel mode is unknown. Also, when channel modes are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1]
* The server protocol docs have been removed. The protocol is now documented at https://www.unrealircd.org/docs/Server_protocol See also https://www.unrealircd.org/docs/Server_protocol:Changes for a list of changes between the 3.2 and 4.0 server protocol.
* GCC typechecking has been added to make sure your HookAdd... calls are adding hook functions with the correct parameter (types).

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
|
From: Bram M. <sy...@vu...> - 2015-12-24 18:32:40
|
UnrealIRCd 4 is here! We have been working hard over the past few years to replace the successful but aging 3.2.x series with a more modern code base. At the same time we have implemented suggestions from our bug tracker, ideas from ourselves and many good suggestions that came up during the UnrealIRCd survey in Q4 2013. After 4 alpha versions, 4 betas and 6 release candidates we are proud to finally present you the first stable release of UnrealIRCd 4.

Thanks to everyone who has supported us in our efforts in whatever way: through donations <https://www.unrealircd.org/index/donations>, bug reports <https://bugs.unrealircd.org/>, testing releases, translating docs, providing support, telling others about IRC (and UnrealIRCd in particular), or simply by running UnrealIRCd.

*What's new in UnrealIRCd 4*
A short overview of the most important changes:
* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level. You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's.
  The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc.. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol <https://www.unrealircd.org/docs/Server_protocol:Changes>. Such as using UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured.
  Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in /src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* IPv6 now also on Windows <https://www.unrealircd.org/docs/Ipv6>.

For developers:
* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module API's such as how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files has been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*
There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will need an update to run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we are deprecating the previous series. All support for the 3.2.x series will stop after December 31, 2016 (=12 months from now). See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Full summary of changes*
We did our best to "summarize" the 1100+ changesets in about 120 bullet points but it's still a long read. The changes are split in the sections: NEW, CHANGED, REMOVED and MODULE CODERS / DEVELOPERS.

==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user modes and all extended bans into 138 separate modules. This makes it...
  A) possible to fully customize what exact functionality you want to load.
  You could even strip down UnrealIRCd to get something close to the basic RFC1459 features from the 1990s. (No idea why you would want that, but it's possible)
  B) easier for coders to see all source code related to a specific feature
  C) possible to fix bugs and just reload rather than restart the IRCd.
  Have a look at modules.default.conf which contains the "default" set of modules that you can load if you just want to load all functionality. If you want to customize the list of modules to load then simply make a copy of that file, give it a different name, and include that one instead. Since the file is fully documented, you can just comment out or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: [A4+]
  * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
  * oper::flags has been removed. Instead you must specify an operclass in oper::operclass (for example, 'operclass netadmin').
  * In operclass block(s) you define the privileges. You can now control exactly what an IRCOp can and cannot do. Have a look at operclass.default.conf which ships with UnrealIRCd, it contains a number of default operclass blocks suitable for the most common situations. See also the operclass block documentation: https://www.unrealircd.org/docs/Operclass_block
  * If you ask UnrealIRCd to convert your 3.2.x configuration file then it will try to select a suitable operclass for the oper. This will not always 100% match your current oper block rights, though.
  * Channel Mode +A (Admin Only) has been removed. You can use the new extended ban ~O:<operclass>. This allows you to, for example, create an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
  * set::hosts has been removed, use oper::vhost instead.
  * Since oper levels have been removed you no longer see things like "OperX is a Network Administrator" in /WHOIS by default.
    If you want that, then you can set oper::swhois to "is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale more easily to tens of thousands of clients by using kernel-evented I/O mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency and performance.
* On-connect DNSBL/RBL checking via the new blacklist block. [B1]
* The Windows version now has IPv6 support too. [B3]
* On all OS's we compile with IPv6 support enabled. You can still disable IPv6 at runtime by setting set::options::disable-ipv6. [B3]
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Chanops will still see everyone joining normally as if there was no +d set.
* If you connect with SSL/TLS with a client certificate then your SSL Fingerprint (SHA256 hash) can be seen by yourself and others through /WHOIS. The fingerprint is also shared with all servers on the network.
* ExtBan ~S:<certificate fingerprint> for ban exceptions / invex. This can be used like +iI ~S:000000000etc.
* bcrypt has been added as a password hashing algorithm and is now the preferred algorithm [A3]
* './unreal mkpasswd' will now prompt you for the password to hash [A3]
* Protection against SSL renegotiation attacks [A3]
* When you link two servers the current timestamp is exchanged. If the time differs more than 60 seconds then servers won't link and it will show a message that you should fix your clock(s). This requires version alpha3 (or later) on both ends of the link [A3]
* Configuration file converter that will upgrade your 3.2.x conf to 4.x. On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and after the config errors screen UnrealIRCd offers the conversion.
  [A3]
* The IRCd can now better handle unknown channel modes which expect a parameter. This can be useful in a scenario where you are slowly upgrading all your servers.
* If you want to unset a vhost but keep cloaked then use /MODE yournick -t
* A "crash reporter" was added. When UnrealIRCd is started it will check if a previous UnrealIRCd instance crashed and (after booting a new instance) it will spit out a report and ask if you want to submit it to the UnrealIRCd developers. Doing so will help us a lot as many bugs are often not reported. Note that UnrealIRCd will always ask before sending any information and never do so automatically. [B3]
* SSL: Support for ECDHE has been added to provide "forward secrecy". [B4]

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and UIDs (User ID's). SIDs work very similar to server numerics and UIDs help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256 hash and validity of 10 years. [A2]
* Building with SSL (OpenSSL) is now mandatory [A2]
* The link { } block has been restructured, see https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3]
* Better yet, check out our secure server linking tutorial: https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 [A3]
* password entries in the conf no longer require specifying an auth-type like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3]
* You will now see a warning when you link to a non-SSL server. [A3]
* Previously we used POSIX Regular expressions in spamfilters and at some other places. We have now moved to PCRE Regular expressions. They look very similar, but PCRE is a lot faster.
  For backwards-compatibility we still compile with both regex engines. [A3]
* Spamfilter command syntax has been changed, it now has an extra option to indicate the matching method: /SPAMFILTER [add|del|remove|+|-] [method] [type] .... Where 'method' can be one of:
  * -regex: this is the new fast PCRE2 regex engine
  * -simple: supports just strings and ? and * wildcards (super fast)
  * -posix: the old regex engine for compatibility with 3.2.x. [A3]
* If you have both 3.2.x and 4.x servers on your network then the 4.x server will only send spamfilters of type 'posix' to the 3.2.x servers because 3.2.x servers don't support the other two types. So in a mixed network you probably want to keep using 'posix' for a while until all your servers are running UnrealIRCd 4. [A3]
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called oper::mask and vhost::mask. The usermask@ part is now optional and it supports two syntaxes. For one entry you can use: mask 1.2.3.*; For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow block was highly confusing (it was an OR-match) you must now choose between either allow::ip OR allow::hostname. [A3]
* cgiirc block is renamed to webirc and the syntax has changed [A4]
* set::pingpong-warning is removed, warning always off now [A4]
* More helpful configuration file parse error messages [A4]
* You can use '/OPER username' without password if you use SSL certificate (fingerprint) authentication. The same is true for '/VHOST username'. [A4]
* You must now always use 'make install' on *NIX [A4]
* Changed (default) directory structure entirely, see the section titled 'CONFIGURATION CHANGES' about 100 lines up. [A4]
* badword quit { } is removed, we use badword channel for it. [A4]
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf.
  This file was called modules.conf in earlier alpha's. The file has been split up in sections and a lot of comments have been added to aid the user in deciding whether to load or not to load each module. [A4]
* Snomask +s is now (always) IRCOp-only. [A4]
* Previously there was little logic behind what modes halfops could set. Now the idea is as follows: halfops should be able to help out in case of a flood but not be able to change any 'policy decision modes' such as +G, +S, +c, +s. Due to this change halfops can now set modes +beiklmntIMKNCR (was: +beikmntI). [A4]
* If no link::hub or link::leaf is specified then assume hub "*". [B1]
* SWHOIS (Special whois title) has been extended in a number of ways:
  * We now "track" who or what set an swhois. This allows us to remove the swhois received via oper/vhost on de-oper/de-vhost.
  * You can now have multiple swhois lines
  * Multiple oper::swhois and vhost::swhois items are supported. [B1]
* When trying to link two servers without link::outgoing::options::ssl (which is not recommended) we try to use STARTTLS in order to 'upgrade' the connection to use SSL/TLS anyway. This can be disabled via link::outgoing::options::insecure. [B2]
* SSLv3 has now been disabled for security. This also means you can only link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4]

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. [A1]
* PROTOCTL TOKEN and SJB64 are no longer implemented. [A1]
* Ziplinks have been removed. [A1]
* WebTV support. [A3]
* Channel Mode +j was removed and replaced by the configuration setting set::anti-flood::join-flood (default: 3 per 90 seconds). [B1]
* /CHATOPS: use /GLOBOPS instead which does the same
  /ADCHAT & /NACHAT: gone as we don't have such oper levels anymore
  Your opers should actually be in an #opers channel.
  If you also want special classes of oper channels like #admins then use +iI ~O:*admin*
* User modes:
  * +N (Network Administrator): see 'Oper permissions' under NEW as for why
  * +a (Services Administrator): same
  * +A (Server Administrator): same
  * +C (Co Administrator): same
  * +O (Local IRC Operator): same
  * +h (HelpOp): all this did was add a line "is available for help" in WHOIS. You can use a vhost block with vhost::swhois as a replacement or for opers just add an oper::swhois item.
  * +g (failops): we already have snomasks and the +o usermode for this
  * +v (receive infected DCC SEND rejection notices): moved to snomask +D

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added at https://www.unrealircd.org/docs/ describing things like how to write a module from scratch, the User & Channel Mode System, Commands, Command Overrides, Hooks, attaching custom-data to users/channels, and more. [A2+]
* For commands: do not read from parv[0] anymore, doing so will lead to a crash. Use sptr->name instead. This change is necessary as the "name" in parv[0] could possibly point to a UID/SID rather than a nick name. Thus, if you would send parv[0] to a non-UID or non-SID capable server this would lead to serious issues (not found errors).
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades) but disallows unloading of a module [A3]
* There have been *a lot* of source code cleanups (ALL)
* We now use the information from PROTOCTL CHANMODES= for parameter skipping if the channel mode is unknown. Also, when channel modes are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1]
* The server protocol docs have been removed. The protocol is now documented at https://www.unrealircd.org/docs/Server_protocol See also https://www.unrealircd.org/docs/Server_protocol:Changes for a list of changes between the 3.2 and 4.0 server protocol.
* GCC typechecking has been added to make sure your HookAdd...
  calls are adding hook functions with the correct parameter (types).

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)
Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
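A pre-upgrade check for the configuration changes listed in the announcement above, as an added example that is not part of the original message and is not UnrealIRCd's own converter: it parses a 3.2.x-style conf and reports the settings the notes describe as removed, renamed, or now warned about. The sample config is constructed, and the 3.2.x link option names `ssl` and `zip` and the layout of the `set::hosts` block are assumptions.

```python
import re

# Tokens of the block syntax: comments, quoted strings, "{", "}", ";", bare words.
TOKEN = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|"(?:\\.|[^"\\])*"|[{};]|[^\s{};"]+', re.S)

def tokenize(text):
    """Split config text into tokens, dropping the three comment styles."""
    return [t for t in TOKEN.findall(text) if not t.startswith(('/*', '//', '#'))]

def parse(tokens, i=0, depth=0):
    """Parse 'words;' and 'words { entries };' into (words, children) nodes."""
    nodes, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == ';':
            if words:
                nodes.append((words, None))
            words = []
        elif tok == '{':
            children, i = parse(tokens, i, depth + 1)
            nodes.append((words, children))
            words = []
        elif tok == '}':
            if depth == 0:
                raise ValueError('unexpected }')
            return nodes, i
        else:
            words.append(tok.strip('"'))
    if depth:
        raise ValueError('unclosed { block')
    return nodes, i

def find(nodes, name):
    """Return the child nodes whose first word is `name`."""
    return [n for n in (nodes or []) if n[0] and n[0][0] == name]

def audit(text):
    """Return (location, finding) pairs for settings the 4.0.0 notes change."""
    out = []
    for words, kids in parse(tokenize(text))[0]:
        kind, where = (words[0] if words else ''), ' '.join(words)
        if kind in ('oper', 'vhost'):
            if kind == 'oper' and find(kids, 'flags'):
                out.append((where, 'oper::flags was removed; set oper::operclass'))
            if any(find(f[1], 'userhost') for f in find(kids, 'from')):
                out.append((where, f'{kind}::from::userhost is now {kind}::mask'))
            for pw in find(kids, 'password'):
                for method in (pw[1] or []):
                    if method[0] and method[0][0] != 'bcrypt':
                        out.append((where, f'password auth-type {method[0][0]}; '
                                           'bcrypt is the preferred algorithm'))
        elif kind == 'link':
            # Option names 'ssl' and 'zip' are assumed 3.2.x spellings.
            opts = {w for o in find(kids, 'options') for n in (o[1] or []) for w in n[0]}
            if 'ssl' not in opts:
                out.append((where, 'no ssl option; 4.x warns on non-SSL links'))
            if 'zip' in opts:
                out.append((where, 'ziplinks were removed'))
        elif kind == 'allow' and find(kids, 'ip') and find(kids, 'hostname'):
            out.append((where, 'choose either allow::ip or allow::hostname'))
        elif kind == 'cgiirc':
            out.append((where, 'cgiirc block is renamed to webirc'))
        elif kind == 'set':
            for gone in ('hosts', 'pingpong-warning'):
                if find(kids, gone):
                    out.append((f'set::{gone}', 'setting was removed'))
    return out

# Constructed 3.2.x-style sample (hypothetical names, placeholder secrets).
SAMPLE_CONF = r'''
/* constructed sample, not a real network */
oper alice {
    class clients;
    from { userhost alice@192.168.*; };
    password "<md5-hash-placeholder>" { md5; };
    flags { netadmin; can_override; };
};
link hub.example.net {
    hostname 10.0.0.2;
    port 6900;
    password-connect "<link-password-placeholder>";
    class servers;
    options { autoconnect; zip; };   # no ssl option
};
allow { ip *@10.*; hostname *@*.example.net; class clients; };
cgiirc { type webirc; hostname 10.0.0.9; password "<gateway-password-placeholder>"; };
set { hosts { netadmin "admin.example.net"; }; pingpong-warning no; };
'''

if __name__ == '__main__':
    for where, finding in audit(SAMPLE_CONF):
        print(f'{where}: {finding}')
```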
|
From: Bram M. <sy...@un...> - 2015-12-16 12:56:05
|
The sixth - and possibly last - release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>.

*Notable fixes between 4.0.0-rc5 and 4.0.0-rc6*
* User could get an empty hostname
* Some small memory leaks
* CAP REQ did not work with multiple arguments

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)
Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8439>.
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
|
From: Bram M. <sy...@un...> - 2015-12-11 10:54:00
|
*UnrealIRCd 3.2.10.6 released*
This release comes with the following changes:
* Build Windows version with latest OpenSSL to fix possibly user-triggerable
crash issue (CVE-2015-3194 <https://www.openssl.org/news/secadv/20151203.txt>)
* Don't show vcredist dialog if installed (Windows installer)
* Add notes regarding deprecation of 3.2.x series
It is recommended that all Windows SSL users upgrade. For other users there's
no need to upgrade UnrealIRCd but we recommend 3.2.10.6 for new installations.
*UnrealIRCd 3.2.x phase-out*
With the upcoming release of UnrealIRCd 4 later this month we are deprecating
the UnrealIRCd 3.2.x series.
The 3.2.x series will receive security fixes *for 12 months*, but after
December 31, 2016 there will be no more fixes.
Users are suggested to upgrade to UnrealIRCd 4 in the course of 2016.
For more information see our policy on the wiki
<https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated>.
*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)
*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can
safely ignore this warning.
As always, please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums
<https://forums.unrealircd.org/viewtopic.php?t=8436>.
--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
|
From: Bram M. <sy...@un...> - 2015-12-09 19:52:12
|
The fifth release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>.

*Notable fixes between 4.0.0-rc4 and 4.0.0-rc5*
* Windows: crash on connect reported by 1 user
* Added workaround for rare "Cannot accept connections" flood
* OperOverride did not work (INVITE+JOIN)
* LIST didn't show more than 64 channels
* JOIN error message not shown if IRCOp
* SAJOIN ignored set::level-on-join

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8435>.
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@vu...> - 2015-11-25 19:08:50
|
The fourth release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>.

Notable fixes between 4.0.0-rc3 and 4.0.0-rc4:
* Crash on linking attempt
* Crash on boot if mode +f was present in set::modes-on-join
* Channels with channel mode +P were not always synched correctly

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can safely ignore this warning.

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8430>.
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2015-11-08 10:08:12
|
The third release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>.

Notable fixes between 4.0.0-rc2 and 4.0.0-rc3:
* Crash in invite notify
* Strange behavior and possible crash in /WHOIS
* Empty host bug
* set::allowed-nickchars 'latin1' was broken
* Files in the tld { } block were read from the wrong location (tld::motd, ..)
* 'quarantine' didn't work in link::options
* /MAP was hiding ulines and showing flat-map even for IRCOps

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.
UnrealIRCd 3.2.x users may be interested in Upgrading from 3.2.x <https://www.unrealircd.org/docs/Upgrading_from_3.2.x> and the Running a mixed UnrealIRCd 3.2 and UnrealIRCd 4 network <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network> article.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can safely ignore this warning. Google has been repeatedly blacklisting some of our downloads and unfortunately does not seem to be responding to removal or even information requests (any help with this would be appreciated).

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8427>.
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2015-10-26 14:23:07
|
The second release candidate for UnrealIRCd 4 is now available for download <https://www.unrealircd.org/download>.
Thanks everyone who is helping out by testing and reporting bugs. Much appreciated!

Notable fixes between 4.0.0-rc1 and 4.0.0-rc2:
* Crash in invite notify
* OS X and *BSD: Serious I/O engine problems with kqueue
* IPv6 compile problem (rare)
* Channel mode +P not working if set::modes-on-join is set
* /NOTICE $* did not work
* Problem if you use remote includes and add a new listen { } block at runtime

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.
UnrealIRCd 3.2.x users may also be interested in Upgrading from 3.2.x <https://www.unrealircd.org/docs/Upgrading_from_3.2.x> and the new Running a mixed UnrealIRCd 3.2 and UnrealIRCd 4 network <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network> article.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can safely ignore this warning. Google has been repeatedly blacklisting some of our downloads and unfortunately does not seem to be responding to removal or even information requests (any help with this would be appreciated).

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8423>.

Regards,
Bram.
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
|
From: Bram M. <sy...@un...> - 2015-10-12 18:08:10
|
Hi everyone,

The first release candidate for UnrealIRCd 4 is now available for download. This -rc1 release fixes a number of crash and linking issues. We're aiming for an UnrealIRCd 4.0.0 stable release before the end of the year (2015).

*Why UnrealIRCd _4_?*
When the development version was still in alpha/beta stage it was called 3.4.x. It has been renamed to UnrealIRCd 4 to indicate the significant changes to the codebase and changes to end-users. See also What's new in UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Release Candidate*
We run daily tests against UnrealIRCd 4 without any issues and each release it's getting more stable. However because this version is a "Release Candidate" this means that it may still crash occasionally or have other issues. It's not yet of "release quality".

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can safely ignore this warning. Google has been repeatedly blacklisting some of our downloads and unfortunately does not seem to be responding to removal or even information requests (any help with this would be appreciated).

Please report bugs on https://bugs.unrealircd.org/
This announcement can also be read on the forums <https://forums.unrealircd.org/viewtopic.php?t=8407>.

Regards,
Bram.
--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6