unreal-notify

UnrealIRCd 3.4-beta4 released

[Bram M. <sy...@vu...>]

More 3.4.x beta releases. We're happy to see more and more people testing our 
beta's!

*3.4-beta3* was released 3 weeks ago but was snowed under by the SASL security 
announcement <https://forums.unrealircd.org/viewtopic.php?f=1&t=8401>.
Major new features:

  * Always build with IPv6 support enabled. More important: IPv6 support is
    now available on Windows too (finally!)
  * Added a "crash reporter" which asks you to report a crash issue if
    UnrealIRCd crashed for some reason. Don't worry, it will always _ask_ and
    not do so automatically. Crash reports are not public and can only seen by
    UnrealIRCd developers. We already fixed 3 major crash bugs thanks to this,
    so it really helps!

Today I'm releasing *3.4-**beta4*, which fixes a number of major bugs and adds 
a few security enhancements. Several of these bugs were introduced by the 
changes in beta3.

Major bugs fixed:

  * Crash on outgoing server link attempt.
  * Crash on boot with bind/listen errors.
  * GLINE/KLINE/.. were refusing perfectly OK bans.
  * Possible freeze when SSL client is connecting.
  * Remote includes were broken.
  * Compile problems on OpenBSD.

Enhancements:

  * SSLv3 is now disabled for security <http://disablessl3.com/>. Pretty much
    all clients supports TLS so this shouldn't be a problem.
  * Support for ECDHE has been added to provide forward secrecy
    <https://en.wikipedia.org/wiki/Forward_secrecy>

Important notes:

  * If you are linking a 3.2.x with a 3.4.x server, with SSL enabled, then you
    need at least version 3.2.10.3 on the 3.2.x side. Earlier versions used an
    incorrect OpenSSL API call and therefore supported SSLv3 only. Yeah,
    silly, we know. We fixed it in May 2014 but some people may still be using
    old versions.
  * If upgrading from previous beta's then you'll have to run './unrealircd
    upgrade-conf' or change your listen blocks manually. This because we
    changed the listen block syntax
    <https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Listen_block> to get
    rid of the strange [] brackets in IPv6 listen blocks.

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 
0xA7A21B0A108FF4A9)

Please report bugs on https://bugs.unrealircd.org/

This announcement can also be read on the forums 
<https://forums.unrealircd.org/viewtopic.php?t=8405>.

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

Security: UnrealIRCd crash issue if SASL is enabled

[Bram M. <sy...@vu...>]

UNREALIRCD SECURITY ADVISORY
=============================

Summary: If SASL support is enabled in UnrealIRCd (this is not the default)
and is also enabled in your services package then a malicious user with
a services account can cause UnrealIRCd to crash.

Most people have not enabled SASL, and those who do can easily fix
this potential crash issue without a server restart. See below.

Index:
* Who is affected
* Solutions
* Workaround
* Patch / hotfix
* New versions
* Bug details
* Timeline
* References

==[ WHO IS AFFECTED ]==
For a user to be able to crash UnrealIRCd *ALL* of the following conditions
must be true:
1) Must be running UnrealIRCd version 3.2.10 or higher (including 3.2.10.4).
    The 3.4.x series are also affected (including 3.4-beta2).
2) In your configuration file (unrealircd.conf or included files) you have
    configured a SASL server via set::sasl-server
3) You are using a services package (such as anope) and the server is linked
4) SASL support is enabled in your services
5) The malicious user has (or can) register an account at services (usually
    via NickServ).

If one of the points above is not true for your installation then a remote
user cannot crash your server via this bug. In particular, if you are not
using SASL then no patch or upgrade is needed and you can stop reading here.

If you are unsure if you have enabled SASL then search for sasl-server
in your configuration files. If this word is not found then SASL is
disabled. This will actually be the case for the majority of installations.
When SASL is enabled in the configuration file it will look like this:
set {
         sasl-server "services.something.net";
};

==[ SOLUTIONS ]==
For UnrealIRCd 3.2.10.x we present 3 possible solutions in case you are
affected by this bug:
1) A workaround (NO restart needed)
2) A patch (NO restart needed) (*NIX only)
3) A new UnrealIRCd version (for new installations)

For the UnrealIRCd 3.4 beta series we suggest you to upgrade to 3.4-beta3.

==[ WORKAROUND ]==
If you remove the sasl-server directive from your configuration file
and rehash the IRCd then SASL support will be disabled.
This is an easy workaround but for most people who have SASL enabled this
won't be an acceptable solution.

==[ PATCH / HOTFIX ]==
If you are on *NIX then it's possible to fix the crash issue by patching
the source, recompiling UnrealIRCd, and then rehashing the server.
This will fix your IRC server without requiring a server restart.

Execute the following commands on the shell from your UnrealIRCd directory,
for example from /home/irc/Unreal3.2.10.4:

wget http://www.unrealircd.org/downloads/sasl.patch
patch -p0 <sasl.patch
make && make install

After doing the above you must rehash the IRCd. Either online as an IRCOp
by using the /REHASH command, or via ./unreal rehash on the command line.

==[ NEW VERSIONS ]==
New versions of UnrealIRCd are available which include a fix for this issue.
They are 3.2.10.5 (stable) and 3.4-beta3 (development version).
The new versions are meant for Windows users and new installations.
For *NIX users with existing installations we suggest to use the patch or
workaround instead because doing so incurs no downtime.

==[ BUG DETAILS ]==
Type of bug:          Crash due to NULL pointer dereference

CVSS v2:              AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVSS Base Score:      6.8
CVSS Temporal Score:  5.6

==[ TIMELINE ]==
Times are in UTC+2
2015-08-13 00:20    Bug reported privately to UnrealIRCd team
2015-08-13 07:55    First response
2015-08-13 16:05    Bug confirmed by developer
2015-08-15 16:15    Patched
2015-08-16 09:00    Source and binary releases ready
2015-08-16 15:05    Security advisory sent out

==[ REFERENCES ]==
This advisory (and updates to it, if any) is available from:
https://www.unrealircd.org/txt/unrealsecadvisory.20150816.txt
Forum thread:
https://forums.unrealircd.org/viewtopic.php?t=8401

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

UnrealIRCd 3.4-beta2 released

[Bram M. <sy...@vu...>]

After more than 2 years of development I'm happy to announce that UnrealIRCd 
3.4.x is now in BETA. This ends the 3.4 /alpha/ stage. Most of the features 
we have planned for UnrealIRCd 3.4.x are now done and we are shifting our 
focus towards getting a stable IRCd. This also means we are on schedule to 
deliver an UnrealIRCd 3.4 stable release by Q4 this year.

Let me take this opportunity to introduce UnrealIRCd 3.4 to everyone who 
hasn't been tracking it since the early alpha versions:

  * You decide what to load. We have moved as much functionality as possible
    to 150+ individually loadable modules (commands, user modes, channel
    modes, extbans, snomasks, ..). You decide which features your UnrealIRCd
    should have.
  * Fine-grained IRCOp privileges. The way IRCOp privileges are granted has
    been redone entirely. This allows you to configure oper privileges on a
    very detailed level. You don't want OperOverride? You don't want opers
    to see secret channels? Or you want an oper with a very minimal set of
    privileges? This is all possible.
  * Wiki. Documentation has been moved to a wiki
    <https://www.unrealircd.org/docs/>. It's even better than before and
    more accessible to people who are new to IRCd's. The wiki also allows
    easy translation by community members.
  * New directory structure. On *NIX the IRCd is now always installed to a
    different directory than where you compile from (~/unrealircd by
    default). No more mess. On both *NIX and Windows configuration files go
    in conf/, modules go in modules/, etc.. Configuration files can be
    identical on Windows and *NIX. This new directory structure also allows
    more easy packaging.
  * New I/O system using kqueue & epoll. The IRCd can now handle thousands
    of users more easily.
  * Improved SSL/TLS support. SSL has always been a major feature in
    UnrealIRCd but has been enhanced. SSL client certificate fingerprints
    are visible in /WHOIS, a certfp extban (~S:certificatefingerprint) has
    been added, better defaults, etc.
  * DNS Blacklist support (DNSBL/RBL). Great for combating drones and other
    abusers.
  * Better and more helpful error messages. Especially regarding the
    configuration file.
  * More modern server-to-server protocol. Such as using UID/SID's.
    Resulting in less desynch. issues.
  * Lowering the bar for Spamfilter. You can now choose between 'regex' and
    'simple' matching. Simple matching allows using the usual '?' and '*'
    wildcards that everyone knows about. The regex engine has been moved
    from TRE to PCRE (=about twice as fast).
  * Configuration is more logical. Around 30% of the configuration blocks
    have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to
    3.4.x configuration file converter.
  * Easier 3rd party module management. On *NIX you now just put your 3rd
    party modules in src/modules/third and then each time you run 'make'
    they will be compiled if needed.
  * Easier upgrading. On *NIX, when upgrading to a new version, ./Config
    will ask you to import settings from a previous installation,
    remembering your installation directory and other settings. It will also
    copy the 3rd party modules from the old to the new installation and
    re-compile them.
  * More secure. Even better secure defaults, more warnings about insecure
    behavior, ..


For developers:

  * Easier source navigation. Because we moved almost everything to modules,
    it's now much easier to see all the code for a particular feature.
  * Cleaner code. There have been a lot of source code cleanups. Code has
    been restructured or rewritten. Old irrelevant code has been deleted.
  * Development documentation can be found on the wiki
    <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
    module in C and list all the details on the various Module API's such as
    how to write commands, channel modes, plug-in by using Hooks, etc...


Since this is such an early beta, we do not recommend running it on a 
production network yet.

Release notes are available here. 
<https://www.unrealircd.org/txt/unreal3_4_beta2_release_notes.txt> Be sure 
to read the release notes if you are trying out UnrealIRCd 3.4 and are 
currently on 3.2. It contains important information on the new location of 
files, configuration format, and how to automatically convert your 
unrealircd.conf to 3.4.x format.

As always, you can download UnrealIRCd from https://www.unrealircd.org/

Just a small note to people who verify PGP signatures of releases: please 
note that we use a new PGP release key as previously announced on July 2nd 
on this mailing list. The new PGP key has short key id 0x108FF4A9 and long 
id 0xA7A21B0A108FF4A9. All releases on the site are (re-) signed with this 
key, including 3.2.10.4 (just the signature, the 3.2.10.4 files themselves 
are unchanged, of course).

Have fun!

Bram.

PS: I actually sent in the announcement on 3.4-beta1 a week ago, however due 
to Sourceforge infrastructure problems outside my control problems it was 
never actually sent out. Today I released 3.4-beta2, so this is the first 
announcement on a 3.4 beta.

-- 
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

New releases@unrealircd.org PGP key coming up

[Bram M. <sy...@vu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

Just a quick message to all people who use PGP to verify the authenticity of
UnrealIRCd software downloads:

I've created a new rel...@un... signing key.
The key has id 0x108FF4A9 and is a 4096 bit RSA key.

The previous releases key (rel...@un...) was a 1024 bit DSA key.

Also note the move from .com to .org in the new key.

I have signed the new key (0x108FF4A9) both with sy...@vu... /
sy...@un... (0x7FE199A6) and also with the old release key
(0x9FF03937).

3.4-alpha4 is still signed with the old key.
The new key will be used for the releases after that, so 3.4-alpha5 /
3.4-beta1, any next 3.2.x release, etc. etc.

Regards,

Bram.

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlWVShcACgkQbmdtRX/hmabsmwD6AuNYSfS7jxfD+xEK9zJwT29l
3BO1ddaWkmtmvcRpHEMBAIMCDW6Zzzty4huPTSUxtp0eq8RqwP1bCyukDEhvSkzR
=5aFE
-----END PGP SIGNATURE-----

UnrealIRCd 3.4-alpha4 released

[Bram M. <sy...@vu...>]

Hi all,

A few days ago we released 3.4-alpha4. This will be (almost?) the last alpha 
release for UnrealIRCd 3.4.x. After that we will move to beta.

The oper privilege system received a complete makeover in this release, 
allowing you to grant/restrict oper privileges in a very fine manner. More 
work is on the way but it looks nice already.

More things (user modes, all extended bans, ..) have been moved to modules.
Have a look at the new improved modules.default.conf to see what modules you 
can enable/disable. There are 150 modules now!
(Note: if you upgrade from 3.4-alpha3 to 3.4-alpha4 then be sure to use 
'modules.default.conf' and not alpha3's old 'modules.conf')

Another major change is the new directory structure.
On *NIX you no longer put your configuration files (and other files) in your 
just-compiled-Unreal3.4 directory. Instead UnrealIRCd installs to 
/home/yourusername/unrealircd by default. This allows for a clear 'source' 
and 'installed' directory separation.
On all OS's we then enforce the following directory structure:
conf/    for configuration files
logs/    for log files
etc. etc.

Similarly, on *NIX you now have to start UnrealIRCd from the installed 
directory via the 'unrealircd' script:
cd /home/yourusername/unrealircd
./unrealircd start
(NOTE: the script is called 'unrealircd' now, previously it was 'unreal')

Finally, the UnrealIRCd 3.4.x documentation is now online at:
https://www.unrealircd.org/docs/UnrealIRCd_3.4.x_documentation
https://www.unrealircd.org/docs/FAQ
As you can see we use a wiki now for all (3.4.x) documentation.
The wiki is available for translation as well. At this point about half of 
the pages are open for translation, but more is on the way:
https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages
The old unreal32docs.*html files have been removed from 3.4.x.

Full release notes below:

Unreal3.4-alpha4 Release Notes
===============================

This is the fourth 'alpha' version of UnrealIRCd 3.4. We plan to move to
'beta' stage in a month to have a stable 3.4.x release later in 2015.

IMPORTANT REMARKS as long as UnrealIRCd 3.4.x is in alpha stage:
* Because this is an alpha version it is far more likely to crash or hang.
* Security issues are handled as regular issues (no security advisories!)
* Linking with 3.2.x servers is supported but highly untested.
* Things are likely to change between alpha versions. Including but not
   limited to: configuration, command syntax, location of files, etc.

Therefore:
* You should never run 3.4-alpha4 as a production server
* You should not link 3.4-alpha4 with a production 3.2.x network

Please do:
* Install 3.4-alpha4 to play around, show to your friends, have fun with
   the latest features and improvements, test things.
* Report any problems, bugs, issues and other feedback on
   https://bugs.unrealircd.org/ so we can improve 3.4.x!

Finally:
* If you are moving from 3.2.x then be sure to read 'CONFIGURATION CHANGES'
   which explains the new directory structure and how to make UnrealIRCd
   convert your existing 3.2.x configuration file to the 3.4.x format.

==[ DOCUMENTATION ]==
UnrealIRCd 3.4.x documentation is now located in a wiki online at:
* https://www.unrealircd.org/docs/
The old unreal32docs.*html files have been removed.

==[ CONFIGURATION CHANGES ]==
Starting with 3.4-alpha4 we use a new directory structure.

*NIX: If you are not on Windows then this means you must now choose a
       target directory to install UnrealIRCd to. ./Config will ask this
       and it's ~/unrealircd by default (eg: /home/nerd/unrealircd).
       You also need to run 'make install' after 'make' now.
       After compiling, you should leave your Unreal3.4-alphaX directory
       and change to ~/unrealircd as everything takes place there.
       For example to start UnrealIRCd you run './unrealircd start'
       (again, from the /home/xxxx/unrealircd directory).

The new directory structure is as follows (both on Windows and *NIX):
conf/      contains all configuration files
logs/      for log files
modules/   all modules (.so files on *NIX, .dll files on Windows)
tmp/       temporary files
data/      persistent data such as ircd.tune
cache/     cached remote includes

It is possible to use your existing 3.2.x configuration file, but it needs
to be 'upgraded' to the new 3.4.x syntax. UnrealIRCd can do this for you.
Simply place your unrealircd.conf (and any other .conf's you use) in the
conf/ directory and then:
* On *NIX run './unrealircd upgrade-conf' (from /home/xxxx/unrealircd)
* On Windows simply try to boot and watch all the errors, click OK and
   you will be asked if UnrealIRCd should upgrade your configuration file.
On either OS, after running the step from above, simply start UnrealIRCd
again and it should boot up fine with your converted configuration file(s).

Note: UnrealIRCd can only convert *working* 3.2.x configuration files!
If your 3.2.x configuration contains mistakes or errors then the upgrade
process will likely fail or the resulting config file will fail to load.

You may still be interested in the configuration changes, they are
listed on: https://www.unrealircd.org/docs/Upgrading_from_3.2.x

==[ GENERAL INFORMATION ]==
* Below you will see a summary of all changes. Changes may be tagged when
   a change was made in a specific version, e.g. "(A3)" means 3.4-alpha3.
   For a complete list of changes (600+) use 'git log' or have a look at
   https://github.com/unrealircd/unrealircd/commits/unreal34

==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user
   modes and all extended bans into 145 separate modules.
   This makes it...
   A) possible to fully customize what exact functionality you want to load.
      You could even strip down UnrealIRCd to get something close to the
      basic RFC1459 features from the 1990s. (No idea why you would want
      that, but it's possible)
   B) easier for coders to see all source code related to a specific feature
   C) possible to fix bugs and just reload rather than restart the IRCd.

   Have a look at modules.default.conf which contains the "default" set of
   modules that you can load if you just want to load all functionality.
   If you want to customize the list of modules to load then simply make
   a copy of that file, give it a different name, and include that one
   instead. Since the file is fully documented, you can just comment out
   or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: (A4)
   * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
   * oper::flags has been removed. Instead you must specify an operclass
     in oper::operclass (for example, 'operclass netadmin').
   * In operclass block(s) you define the privileges. You can now control
     exactly what an IRCOp can and cannot do. (This process is on-going)
     Have a look at operclass.default.conf which ships with UnrealIRCd,
     it contains a number of default operclass blocks suitable for the
     most common situations. See also the operclass block documentation:
     https://www.unrealircd.org/docs/Operclass_block
   * If you ask UnrealIRCd to convert your 3.2.x configuration file then
     it will try to select a suitable operclass for the oper. This will
     not always 100% match your current oper block rights, though.
   * Channel Mode +A (Admin Only) has been removed. You can use the new
     extended ban ~O:<operclass>. This allows you to, for example, create
     an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
   * set::hosts has been removed, use oper::vhost instead.
   * Since oper levels have been removed you no longer see things like
     "OperX is a Network Administrator" in /WHOIS by default.
     If you want that, then you can set oper::swhois to
     "is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale
   more easily to tens of thousands of clients by using kernel-evented I/O
   mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency
   and performance.
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say
   anything in a channel. Whenever a user speaks for the first time they
   will appear to join. Chanops will still see everyone joining normally
   as if there was no +d set.
* If you connect with SSL/TLS then your SSL Fingerprint (SHA256 hash) can
   be seen by yourself and others through /WHOIS. The fingerprint is also
   shared (broadcasted) with all servers on the network. In alpha3 we
   will add more features that will use SSL fingerprints. (A2)
* bcrypt has been added as a password hashing algorithm and is now the
   preferred algorithm (A3)
* './unreal mkpasswd' will now prompt you for the password to hash (A3)
* Protection against SSL renegotiation attacks (A3)
* When you link two servers the current timestamp is exchanged. If the
   time differs more than 60 seconds then servers won't link and it will
   show a message that you should fix your clock(s). This requires
   version 3.4-alpha3 (or later) on both ends of the link (A3)
* Configuration file converter that will upgrade your 3.2.x conf to 3.4.x.
   On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and
   after the config errors screen UnrealIRCd offers the conversion. (A3)

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and
   UIDs (User ID's). SIDs work very similar to server numerics and UIDs
   help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands
   (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256
   hash and validity of 10 years. (A2)
* Building with SSL (OpenSSL) is now mandatory (A2)
* The link { } block has been restructured, see
   https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block (A3)
* Better yet, check out our secure server linking tutorial:
   https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 (A3)
* password entries in the conf no longer require specifying an auth-type
   like password "..." { md5; };. UnrealIRCd will now auto-detect. (A3)
* You will now see a warning when you link to a non-SSL server. (A3)
* Previously we used POSIX Regular expressions in spamfilters and at
   some other places. We have now moved to PCRE Regular expressions.
   They look very similar, but PCRE is a lot faster.
   For backwards-compatibility we still compile with both regex engines. (A3)
* Spamfilter command syntax has been changed, it now has an extra option
   to indicate the matching method:
   /SPAMFILTER [add|del|remove|+|-] [method] [type] ....
   Where 'method' can be one of:
   * -regex: this is the new fast PCRE2 regex engine
   * -simple: supports just strings and ? and * wildcards (super fast)
   * -posix: the old regex engine for compatibility with 3.2.x.  (A3)
* If you have both 3.2.x and 3.4.x servers on your network then the
   3.4.x server will only send spamfilters of type 'posix' to the 3.2.x
   servers because 3.2.x servers don't support the other two types.
   So in a mixed network you probably want to keep using 'posix' for
   a while until all your UnrealIRCd servers are on 3.4.x. (A3)
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called
   oper::mask and vhost::mask. The usermask@ part is now optional and
   it supports two syntaxes. For one entry you can use: mask 1.2.3.*;
   For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow
   block was highly confusing (it was an OR-match) you must now choose
   between either allow::ip OR allow::hostname. (A3)
* cgiirc block is renamed to webirc and the syntax has changed (A4)
* set::pingpong-warning is removed, warning always off now (A4)
* More helpful configuration file parse error messages (A4)
* You can use '/OPER username' without password if you use SSL
   certificate (fingerprint) authentication. The same is true for
   '/VHOST username'. (A4)
* You must now always use 'make install' on *NIX (A4)
* Changed (default) directory structure entirely, see the section
   titled 'CONFIGURATION CHANGES' about 100 lines up. (A4)
* badword quit { } is removed, we use badword channel for it. (A4)
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf.
   This file was called modules.conf in earlier alpha's.
   The file has been split up in sections and a lot of comments have
   been added to aid the user in deciding whether to load or not to
   load each module. (A4)
* Snomask +s is now (always) IRCOp-only. (A4)
* There's now actually an idea behind HalfOp permissions. The idea
   is that halfops should be able to help out in case of a flood but
   not be able to
* Previously there was little logic behind what modes halfops could
   set. Now the idea is as follows: halfops should be able to help out
   in case of a flood but not be able to change any 'policy decission
   modes' such as +G, +S, +c, +s. Due to this change halfops can now
   set modes +beiklmntIMKNCR (was: +beikmntI).

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added
   at https://www.unrealircd.org/docs/ describing things like how to
   write a module from scratch, the User & Channel Mode System, Commands,
   Command Overrides, Hooks, attaching custom-data to users/channels,
   and more. (A2+)
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades)
   but disallows unloading of a module (A3)
* There have been *a lot* of source code cleanups (ALL)

==[ MAJOR BUGS FIXED ]==
* Crash bug on-boot in alpha1 (A2)
* IRCOp commands such as /GLINE were not always working (A2)
* link::outgoing::options::autoconnect did not work (A4)
* This is still an alpha release, so likely contains major issues
* If the IRCd could not bind to any ports it started anyway (A4)
* alpha3 did not compile on x86 (32 bit) systems (A4)

==[ MINOR BUGS FIXED ]==
* Errors in example configuration files (A2)
* Some fixes in delayjoin (Channel mode +d) (A2)
* Deal with services who allow you to log in by account name (A3)
* Detect "IRCd not running" situations better (A4)
* './unrealircd restart' will now always try to start UnrealIRCd,
   so also if it wasn't running previously. (A4)

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. (A1)
* PROTOCTL TOKEN and SJB64 are no longer implemented. (A1)
* Ziplinks have been removed. (A1)
* WebTV support. (A3)
* User mode +h (helpop). This user mode only added a line in /WHOIS
   saying the user "is available for help". You can use a vhost block
   with a vhost::swhois as a replacement. Or oper::swhois. (A4)

Have fun with the development release!

Bram

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

Security: DoS issue in OpenSSL, affecting UnrealIRCd (again)

[Bram M. <sy...@vu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SECURITY ADVISORY
==================

The OpenSSL project team sent out a security advisory today regarding
several security issues that were found in the OpenSSL library.
The OpenSSL library is used by UnrealIRCd when you compiled with SSL
support.

Most of the reported bugs result in a server crash or hang: the attacker
sends some bad data and the IRC daemon will crash or hang.
One other issue is a possible 'SSL downgrade' attack called "Logjam" which
could make SSL/TLS connections easier to crack (decrypt), but only if the
attacker has access to the network path between the client and the server.

The OpenSSL development team says there is NO risk for remote code
execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries. All Windows SSL binaries
until today were using a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1 (Windows)
* Unreal3.4-alpha2 (Windows)
* Unreal3.4-alpha3 (Windows)
* Older Windows SSL versions are (very) likely affected as well

Unaffected:
* If you downloaded the non-SSL version for Windows
* Unreal3.2.10.4-SSL-fix2 (version shown by installer)
* Unreal3.4-alpha3-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system
installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install).
~   This is often not needed, but is sometimes necessary.
~   If you do this, then also recompile any 3rd party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not a regular user!!), type '/VERSION' or
'/QUOTE VERSION'. If you have OpenSSL support compiled in you will see this:
- -server.test.net- OpenSSL 1.0.2b 11 Jun 2015

Version 1.0.2b means you're good.

If you see 1.0.0 with a version lower than 1.0.1s,
or 1.0.1 with a version lower than 1.0.1n,
or 1.0.2 with a version lower than 1.0.2b,
then you are possibly vulnerable, see next version.

If you see no such line at all, and again.. you are sure you are IRCOp,
then it means the server does not have SSL support (no OpenSSL in use).
You're safe.

TIP: You can also check remote servers, again only if you are IRCOp,
~     by '/VERSION remote.server.name' or '/QUOTE VERSION remote.server'

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from https://www.unrealircd.org/
The installers have a filename like 'Unreal3.2.10.4-SSL-fix2.exe' and
'Unreal3.4-alpha3-fix.exe'
After installation, you see no change in UnrealIRCd version number.
This is because no code in UnrealIRCd was actually changed.
You can, however, verify the OpenSSL version, see previous block
'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the block '*NIX USERS' about 40 lines up.
Did you already follow these instructions and you still see an old version
in use? Even after you restarted UnrealIRCd? On several Linux distro's
this is pretty common as vendors routinely backport security fixes
without bumping the version number. So if you are on Linux, then after you
followed the 4 steps mentioned in '*NIX USERS' then you more or less have
to trust your vendor (and yourself).
NOTE: At the time this security advisory was sent, the OpenSSL security
advisory has only been out for an hour or so, so your distro may not
have a new OpenSSL version available yet!

==[ ADDITIONAL NOTES ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and
the OpenSSL version is vulnerable. Then if at least one port is reachable
for the attacker it can be attacked. It doesn't matter if this is an SSL
or non-SSL port and whether you have restrictive allow { } blocks or not.
In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-06-11 14:45    OpenSSL security announcement
2015-06-11 15:33    Downloads replaced
2015-06-11 16:05    Security announcement

==[ LINKS ]==
This advisory (and updates to it, if any) is posted to:
https://www.unrealircd.org/txt/unrealsecadvisory.20150611.txt

The OpenSSL security advisory can be found on:
https://www.openssl.org/news/secadv_20150611.txt

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlV5sjwACgkQbmdtRX/hmaYKWAD/UzyHHNQ0YOTy/HoTgnGi15R7
4njo1AIGdsy4BCNYObQA/izj0Bw8z80XNUOmZMjY+x+Qs99GXbzEgbRLlobQ7RVW
=SAfX
-----END PGP SIGNATURE-----

3.4-alpha3 released

[Bram M. <sy...@vu...>]

On a more positive note, the development of UnrealIRCd 3.4.x is going well.
I only just realized that I forgot to send an announcement out for 
3.4-alpha2. No problem, 3.4-alpha3 just came out ;)

In 1-2 months we plan to move 3.4.x to 'beta' stage so we can have a 
'stable' release by the end of this year (2015).

For UnrealIRCd module coders and developers we now have a development 
documentation available at https://www.unrealircd.org/docs/ which explains 
how to create a module from scratch and documents a lot of the UnrealIRCd 
API such as User & Channel modes, Hooks, adding new commands, Command 
Overrides, extended bans, storing per-user/per-channel custom module data, 
etc. etc.
During development of alpha2 and alpha3 we already noticed increased 
community interest and contributions to UnrealIRCd 3.4.x via GitHub.
We hope that with this detailed technical documentation even more people 
will be interested in UnrealIRCd. Be it code or patches for inclusion in 
official UnrealIRCd or coding 3rd party modules.

Notable changes in alpha2 are that we now always compile with SSL/TLS 
support, we show the SSL Fingerprint in /WHOIS, and several crash bugs were 
resolved including a crash-on-boot problem that affected many.

Notable changes in alpha3 are in the /SPAMFILTER command (also supports 
non-regex, simple '?' and '*' matching), the move to PCRE regex engine which 
uses a slightly different syntax but is considerably faster, bcrypt password 
hashing support (very secure, now the default), more secure defaults, 
warnings when doing something insecure, etc.

There have been many changes in the configuration file so we now provide an 
easy to use tool which will convert your existing configuration file from 
3.2.x or earlier 3.4-alpha's to the new style in 3.4-alpha3.

Full release notes below:

Unreal3.4-alpha3 Release Notes
===============================

This is the third 'alpha' version of UnrealIRCd 3.4. We plan to move to
'beta' stage in 1-2 months and have a stable 3.4.x release later in 2015.

IMPORTANT REMARKS as long as UnrealIRCd 3.4.x is in alpha stage:
* Because this is an alpha version it is far more likely to crash or hang.
* Security issues are handled as regular issues (no security advisories!)
* Linking with 3.2.x servers is supported but highly untested.
* Things are likely to change between alpha versions. Including but not
   limited to: configuration, command syntax, location of files, etc.

Therefore:
* You should never run 3.4-alpha3 as a production server
* You should not link 3.4-alpha3 with a production 3.2.x network

Please do:
* Install 3.4-alpha3 to play around, show to your friends, have fun with
   the latest features and improvements, test things.
* Report any problems, bugs, issues and other feedback on
   https://bugs.unrealircd.org/ so we can improve 3.4.x!
   During alpha stage we are still very flexible so feedback is really helpful.

Finally:
* If you are moving from 3.2.x then be sure to read 'CONFIGURATION CHANGES'!
* The documentation has not been updated to reflect the changes in 3.4.x.

==[ GENERAL INFORMATION ]==
* Documentation is still in doc\unreal32docs.html but - as said - is not
   up to date for 3.4.x. FAQ is on: http://www.unrealircd.com/faq
* Please report bugs at http://bugs.unrealircd.org/
* Below you will see a summary of all changes. Changes may be tagged when
   a change was made in a specific version, e.g. "(A3)" means 3.4-alpha3.
   For a complete list of changes (500+) use 'git log' or have a look at
   https://github.com/unrealircd/unrealircd/commits/unreal34

==[ CONFIGURATION CHANGES ]==
UnrealIRCd 3.4.x comes with an easy to use tool to upgrade your configuration
file from the 3.2.x syntax to 3.4.x. If you already have a good working
3.2.x configuration file then this should make it very easy to move to 3.4.x.

After UnrealIRCd is compiled/installed you copy your unrealircd.conf over
from 3.2.x (along with any other custom .conf's).
Then, on *NIX run './unreal upgrade-conf'.
On Windows simply try to boot and watch all the errors, click OK and
you will be asked if UnrealIRCd should upgrade your configuration file.

UnrealIRCd will go through your unrealircd.conf and any other files that
are included from there and upgrade the files one by one.

For both *NIX and Windows, after running the step from above, simply
start UnrealIRCd (again) and it should boot up fine with your freshly
converted configuration file(s).

Note: UnrealIRCd can only convert *working* 3.2.x configuration files!
If your 3.2.x configuration contains mistakes or errors then the upgrade
process will likely fail or the resulting config file will fail to load.

You may still be interested in the configuration changes, they are
listed on: https://www.unrealircd.org/docs/Upgrading_from_3.2.x

==[ NEW ]==
* We moved a lot of channel and user modes to modules. These are all
   loaded by modules.conf, but if you don't want to load a certain module
   you can now simply comment them out or remove that line.
   Since a lot of code has been moved from the core to these modules it
   makes it A) easier for coders to see all source code related to a
   specific feature, and B) makes it possible to fix something and reload
   the module rather than restart the IRCd.
* Entirely rewritten I/O and event loop. This allows the IRCd to scale
   more easily to tens of thousands of clients by using kernel-evented I/O
   mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency
   and performance.
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say
   anything in a channel. Whenever a user speaks for the first time they
   will appear to join. Chanops will still see everyone joining normally
   as if there was no +d set.
* If you connect with SSL/TLS then your SSL Fingerprint (SHA256 hash) can
   be seen by yourself and others through /WHOIS. The fingerprint is also
   shared (broadcasted) with all servers on the network. In alpha3 we
   will add more features that will use SSL fingerprints. (A2)
* bcrypt has been added as a password hashing algorithm and is now the
   preferred algorithm (A3)
* './unreal mkpasswd' will now prompt you for the password to hash (A3)
* Protection against SSL renegotiation attacks (A3)
* When you link two servers the current timestamp is exchanged. If the
   time differs more than 60 seconds then servers won't link and it will
   show a message that you should fix your clock(s). This requires
   version 3.4-alpha3 (or later) on both ends of the link (A3)
* Configuration file converter that will upgrade your 3.2.x conf to 3.4.x.
   On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and
   after the config errors screen UnrealIRCd offers the conversion. (A3)

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and
   UIDs (User ID's). SIDs work very similar to server numerics and UIDs
   help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands
   (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256
   hash and validity of 10 years. (A2)
* Building with SSL (OpenSSL) is now mandatory (A2)
* The link { } block has been restructured, see
   https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block (A3)
* Better yet, check out our secure server linking tutorial:
   https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 (A3)
* password entries in the conf no longer require specifying an auth-type
   like password "..." { md5; };. UnrealIRCd will now auto-detect. (A3)
* You will now see a warning when you link to a non-SSL server. (A3)
* Previously we used POSIX Regular expressions in spamfilters and at
   some other places. We have now moved to PCRE Regular expressions.
   They look very similar, but PCRE is a lot faster.
   For backwards-compatibility we still compile with both regex engines. (A3)
* Spamfilter command syntax has been changed, it now has an extra option
   to indicate the matching method:
   /SPAMFILTER [add|del|remove|+|-] [method] [type] ....
   Where 'method' can be one of:
   * -regex: this is the new fast PCRE2 regex engine
   * -simple: supports just strings and ? and * wildcards (super fast)
   * -posix: the old regex engine for compatibility with 3.2.x.  (A3)
* If you have both 3.2.x and 3.4.x servers on your network then the
   3.4.x server will only send spamfilters of type 'posix' to the 3.2.x
   servers because 3.2.x servers don't support the other two types.
   So in a mixed network you probably want to keep using 'posix' for
   a while until all your UnrealIRCd servers are on 3.4.x. (A3)
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called
   oper::mask and vhost::mask. The usermask@ part is now optional and
   it supports two syntaxes. For one entry you can use: mask 1.2.3.*;
   For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow
   block was highly confusing (it was an OR-match) you must now choose
   between either allow::ip OR allow::hostname. (A3)

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added
   at https://www.unrealircd.org/docs/ describing things like how to
   write a module from scratch, the User & Channel Mode System, Commands,
   Command Overrides, Hooks, attaching custom-data to users/channels,
   and more. (A2+)
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades)
   but disallows unloading of a module (A3)
* There have been *a lot* of source code cleanups (ALL)

==[ MAJOR BUGS FIXED ]==
* Crash bug on-boot in alpha1 (A2)
* IRCOp commands such as /GLINE were not always working (A2)
* This is still an alpha release, so likely contains major issues

==[ MINOR BUGS FIXED ]==
* Errors in example configuration files (A2)
* Some fixes in delayjoin (Channel mode +d) (A2)
* Deal with services who allow you to log in by account name (A3)

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. (A1)
* PROTOCTL TOKEN and SJB64 are no longer implemented. (A1)
* Ziplinks have been removed. (A1)
* WebTV support. (A3)

==[ KNOWN ISSUES ]==
* Documentation has NOT been updated to reflect 3.4.x features!!!


-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

Security: DoS issue in OpenSSL, affecting UnrealIRCd

[Bram M. <sy...@vu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SECURITY ADVISORY
==================

Several security issues were found in the OpenSSL library.
The OpenSSL library is used by UnrealIRCd if you compiled with SSL support.

At least one issue is a server crash: the attacker sends some bad data
and the IRC daemon will crash.

As far as we know there is NO risk for remote code execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries. All Windows SSL binaries
until today were using a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.4-alpha1 (Windows)
* Older Windows SSL versions are (very) likely affected as well

Unaffected:
* If you downloaded the non-SSL version for Windows
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system
installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install).
   This is often not needed, but is sometimes necessary.
   If you do this, then also recompile any 3rd party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not a regular user!!), type '/VERSION' or
'/QUOTE VERSION'. If you have OpenSSL support compiled in you will see this:
[18:40:06] -server.test.net- OpenSSL 1.0.1m 19 Mar 2015

Version 1.0.1m means you're good.

If you see anything lower than 1.0.1m, such as "1.0.1h" then you are
possibly vulnerable, see next section.

If you see no such line at all, and again.. you are sure you are IRCOp,
then it means the server does not have SSL support (no OpenSSL in use).
You're safe.

TIP: You can also check remote servers, again only if you are IRCOp,
     by '/VERSION remote.server.name' or '/QUOTE VERSION remote.server'

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from https://www.unrealircd.org/
The installers have a filename like 'Unreal3.2.10.4-SSL-fix.exe' and
'Unreal3.4-alpha1-fix.exe'
After installation, you see no change in UnrealIRCd version number.
This is because no code in UnrealIRCd was actually changed.
You can, however, verify the OpenSSL version, see previous block
'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the block '*NIX USERS' about 40 lines up.
Did you already follow these instructions and you still see an old version
in use? Even after you restarted UnrealIRCd? On several Linux distro's
this is pretty common as vendors routinely backport security fixes
without bumping the version number. So if you are on Linux, then after you
followed the 4 steps mentioned in '*NIX USERS' then you more or less have
to trust your vendor (and yourself).

==[ ADDITIONAL NOTES ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and
the OpenSSL version is vulnerable. Then if at least one port is reachable
for the attacker it can be attacked. It doesn't matter if this is an SSL
or non-SSL port and whether you have restrictive allow { } blocks or not.
In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-03-19 14:12    OpenSSL security announcement
2015-03-19 17:57    Downloads replaced
2015-03-19 20:15    Security announcement

==[ SOURCE ]==
This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsecadvisory.20150319.txt

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlULL64ACgkQbmdtRX/hmaamSwD7BhhnKAD0FuD5W0e3fT6KppZ8
hde7mYukukjBdjKAYW0A/i349jcHXUQcBC2wHalTaNh9EcEXaojV/d50tCVtOCAE
=VOM4
-----END PGP SIGNATURE-----

Re: Unreal3.4-alpha1 & Unreal3.2.10.4 released, help us, move to GitHub, ..

[Bram M. <sy...@vu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

To anyone using GitHub: the address has changed.
It's http://www.github.com/unrealircd/unrealircd now.
(rather than unreal-ircd)


Bram Matthys wrote, on 29-7-2014 13:44:
> Hi all,
> 
> There has been a lot of activity on the UnrealIRCd project past few months!
> 
> Index
> ======
> * UnrealIRCd 15 years!
> * New website
> * Survey results
> * Help us with development
> * UnrealIRCd 3.4
> * UnrealIRCd 3.2
> * Move to GitHub
> * GitHub/Twitter account
> * Finally
> 
> UnrealIRCd 15 years!
> =====================
> In May of this year UnrealIRCd celebrated its 15th birthday.
> See http://forums.unrealircd.com/viewtopic.php?t=8271 where I thanked all
> past coders, contributors and the community (you!) for all the support.
> In the same article I also wrote about the past and future development of
> UnrealIRCd, openly speaking about the difficulties we have encountered and
> the challenges in moving forward.
> 
> New website
> ============
> On UnrealIRCd's 15th birthday www.unrealircd.com got a new design as well.
> The new website is easier to navigate and just looks a lot more 'clean'.
> Thank n0kS for all the work on this.
> 
> Survey results
> ===============
> I've made a document summarizing the results of the UnrealIRCd survey. In
> total 342 people completed the survey, (almost) all of them were admins
> running UnrealIRCd. Thanks *a lot*! This was really useful. The survey
> results are (already) used to guide future 3.4.x development.
> In general people are really satisfied with UnrealIRCd (49% even gave us a 9
> or 10 out of 10), but we can always do better and we got many suggestions.
> The UnrealIRCd survey results are available from:
> http://www.unrealircd.com/files/UnrealIRCd%20Survey%20results.pdf
> (apologies in advance for the lack of fancy graphics)
> 
> Help us with development
> =========================
> I welcome Travis McArthur (Heero) who recently joined as an UnrealIRCd 3.4.x
> developer. Travis has already worked on channel mode +d, improving the
> module API and modularizing modes and is - besides many other things -
> working on documenting the 3.4 Module API to make the source code more
> understandable for new (module) coders.
> 
> If you are a C programmer and interested in helping out with 3.4.x
> development then send an e-mail to sy...@un... and we can discuss.
> Even if it's just for the summer vacation you're more than welcome to help.
> 
> UnrealIRCd 3.4
> ===============
> This weekend I released the first alpha version of UnrealIRCd 3.4:
> 3.4-alpha1. Although 3.4 development started well over a year ago, this
> version marks the beginning of the alpha series: we plan to release an alpha
> version every month or so, the exact release schedule depends highly on the
> changes and bugs we encounter.
> Since this is an alpha version, and in fact the very first one, we strongly
> discourage you to run 3.4-alpha1 on a production network.
> However, if you are curious and want to help us by testing and reporting
> bugs at http://bugs.unrealircd.org/ then please go ahead and download it.
> Just don't be (too) surprised by the bugs you will encounter and if it
> crashes from time to time.
> 
> Major enhancements in 3.4-alpha1 compared to 3.2.x are:
> * We moved a lot of channel and user modes to modules, while at the same
> time improving the module system as a whole. This means A) You can now
> easily choose not to load a particular feature if you don't like it (we will
> be moving more in next few versions!), B) It makes it easier for coders to
> see all source code related to a specific feature, C) Enables you to fix /
> "patch" something and reload (the module) rather than needing to restart the
> entire IRCd.
> * The I/O engine has been rewritten. This makes the IRCd feel a lot more
> 'responsive' and can potentially accept a lot more users. Still, the entire
> system is not as stable as 3.2.x yet.
> * The SSL version of the IRCd will now boot even if you have no SSL
> certificates. Naturally SSL won't work then, but this means you can safely
> compile with SSL support even if you don't intend to use it straight away.
> This also means for 3.4.x we only provide the SSL version of Windows
> downloads, if you insist on not using SSL then simply don't make a
> server.*.pem certificate.
> * A new channel mode +d which hides joins/parts for users who don't say
> anything in a channel. Whenever a user speaks for the first time they will
> appear to join. Channel ops will still see everyone joining normally as if
> there was no +d set.
> * Behind-the-scenes: A lot of source code cleanups, enhancements, memory
> pooling, simplifying the code, all to make the source better and also more
> readable for (new) developers. This should make it easier for the community
> to contribute patches.
> * There have been some configuration changes, Unreal 3.4 will not boot with
> your existing 3.2.x unrealircd.conf! Be sure to read the section
> CONFIGURATION CHANGES in the Release Notes. In later alpha versions more
> configuration changes may be necessary.
> 
> This first alpha version contains by no means all of the changes and
> features we would like to see in the final version of UnrealIRCd 3.4. There
> will be many major changes to come.
> 
> UnrealIRCd 3.2
> ===============
> I forgot to send out an announcement to this mailing list for 3.2.10.3 which
> was released on the 31st of May.
> 3.2.10.3 has the following bugs fixed:
> * Crash when SASL is enabled and ping-cookie is disabled (a rare combination)
> * Compile issue with remote include
> * OS X compile problems
> * ./unreal backtrace not always working well
> Two days ago I released another update: 3.2.10.4. This fixes the following
> two major issues:
> * Compile problems with clang, which is the default compiler on a number of
> systems nowadays.
> * Newer services like anope 2.0 allow you to log in by account name, this
> means you don't necessarily get user mode +r (registered nick). Previously
> even if you logged in to anope you could still not join +R channels
> ("registered only") or speak in +M channels ("only registered users may
> speak"). Now this has been fixed.
> 
> In addition to these two issues, the OpenSSL/curl/.. libraries for the
> Windows build have also been updated to the latest versions. Plus an update
> to the shipped curl-ca-bundle.crt, which now contains the latest certificates.
> 
> If you are not encountering any of the issues from above then there's little
> reason to upgrade from 3.2.10.2 or 3.2.10.3.
> 
> Move to GitHub
> ===============
> To give UnrealIRCd development more exposure and make it easier for people
> to contribute we decided to move our source code over to GitHub. This was
> actually one of the suggestions that came out of the UnrealIRCd survey.
> This means from now on the Mercurial repository is no longer functional.
> See this FAQ item http://www.unrealircd.com/faq.php#82 for more information
> on how to access the 'bleeding edge' source code.
> Or go directly to our GitHub page on
> https://github.com/unreal-ircd/unrealircd
> 
> Note that the bug tracker, downloads, and all the rest of the project will
> stay at www.unrealircd.com. It is only our repository (source code) which
> moved to GitHub.
> 
> GitHub/Twitter account
> =======================
> We are searching for the owner of the 'unrealircd' account on GitHub, and
> similarly the owner of @unrealircd on Twitter. We already sent a message to
> both accounts but received no response.
> Presumably these accounts were registered in advance with good intentions,
> ensuring nobody else could take them, as a placeholder until the project
> needs it.
> That moment is now, if you are the owner of one of these accounts (or know
> who is) then please contact sy...@un...
> 
> Finally
> ========
> I'm really glad to see all the activity on the UnrealIRCd project as a whole
> and on 3.4.x in particular. I hope more people will jump in to help out,
> either as a developer or simply by testing the 3.4.x releases and reporting
> bugs or giving suggestions.
> Since there's a lot more activity now, especially on 3.4.x, this newsletter
> and release announcements is likely to be sent out more often than before. I
> hope everyone sees this as a positive sign, but if not then you can always
> unsubscribe.
> 
> Finally, as always..
> * You can download UnrealIRCd from www.unrealircd.com - Downloads
> * All our releases are signed with our release key 0x9FF03937
> * Thanks everyone for their continued support!
> 
> 

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlPanegACgkQbmdtRX/hmaa33QD8DcVrDy06RwpltKXeMRmlz0Bi
jjcW+fmpe38Tpa/raegA/R2+mlP24Umk4FVNey29j0hFu5/UBwdxUVEAsQg631Gl
=R3Oe
-----END PGP SIGNATURE-----

Unreal3.4-alpha1 & Unreal3.2.10.4 released, help us, move to GitHub, ..

[Bram M. <sy...@vu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

There has been a lot of activity on the UnrealIRCd project past few months!

Index
======
* UnrealIRCd 15 years!
* New website
* Survey results
* Help us with development
* UnrealIRCd 3.4
* UnrealIRCd 3.2
* Move to GitHub
* GitHub/Twitter account
* Finally

UnrealIRCd 15 years!
=====================
In May of this year UnrealIRCd celebrated its 15th birthday.
See http://forums.unrealircd.com/viewtopic.php?t=8271 where I thanked all
past coders, contributors and the community (you!) for all the support.
In the same article I also wrote about the past and future development of
UnrealIRCd, openly speaking about the difficulties we have encountered and
the challenges in moving forward.

New website
============
On UnrealIRCd's 15th birthday www.unrealircd.com got a new design as well.
The new website is easier to navigate and just looks a lot more 'clean'.
Thank n0kS for all the work on this.

Survey results
===============
I've made a document summarizing the results of the UnrealIRCd survey. In
total 342 people completed the survey, (almost) all of them were admins
running UnrealIRCd. Thanks *a lot*! This was really useful. The survey
results are (already) used to guide future 3.4.x development.
In general people are really satisfied with UnrealIRCd (49% even gave us a 9
or 10 out of 10), but we can always do better and we got many suggestions.
The UnrealIRCd survey results are available from:
http://www.unrealircd.com/files/UnrealIRCd%20Survey%20results.pdf
(apologies in advance for the lack of fancy graphics)

Help us with development
=========================
I welcome Travis McArthur (Heero) who recently joined as an UnrealIRCd 3.4.x
developer. Travis has already worked on channel mode +d, improving the
module API and modularizing modes and is - besides many other things -
working on documenting the 3.4 Module API to make the source code more
understandable for new (module) coders.

If you are a C programmer and interested in helping out with 3.4.x
development then send an e-mail to sy...@un... and we can discuss.
Even if it's just for the summer vacation you're more than welcome to help.

UnrealIRCd 3.4
===============
This weekend I released the first alpha version of UnrealIRCd 3.4:
3.4-alpha1. Although 3.4 development started well over a year ago, this
version marks the beginning of the alpha series: we plan to release an alpha
version every month or so, the exact release schedule depends highly on the
changes and bugs we encounter.
Since this is an alpha version, and in fact the very first one, we strongly
discourage you to run 3.4-alpha1 on a production network.
However, if you are curious and want to help us by testing and reporting
bugs at http://bugs.unrealircd.org/ then please go ahead and download it.
Just don't be (too) surprised by the bugs you will encounter and if it
crashes from time to time.

Major enhancements in 3.4-alpha1 compared to 3.2.x are:
* We moved a lot of channel and user modes to modules, while at the same
time improving the module system as a whole. This means A) You can now
easily choose not to load a particular feature if you don't like it (we will
be moving more in next few versions!), B) It makes it easier for coders to
see all source code related to a specific feature, C) Enables you to fix /
"patch" something and reload (the module) rather than needing to restart the
entire IRCd.
* The I/O engine has been rewritten. This makes the IRCd feel a lot more
'responsive' and can potentially accept a lot more users. Still, the entire
system is not as stable as 3.2.x yet.
* The SSL version of the IRCd will now boot even if you have no SSL
certificates. Naturally SSL won't work then, but this means you can safely
compile with SSL support even if you don't intend to use it straight away.
This also means for 3.4.x we only provide the SSL version of Windows
downloads, if you insist on not using SSL then simply don't make a
server.*.pem certificate.
* A new channel mode +d which hides joins/parts for users who don't say
anything in a channel. Whenever a user speaks for the first time they will
appear to join. Channel ops will still see everyone joining normally as if
there was no +d set.
* Behind-the-scenes: A lot of source code cleanups, enhancements, memory
pooling, simplifying the code, all to make the source better and also more
readable for (new) developers. This should make it easier for the community
to contribute patches.
* There have been some configuration changes, Unreal 3.4 will not boot with
your existing 3.2.x unrealircd.conf! Be sure to read the section
CONFIGURATION CHANGES in the Release Notes. In later alpha versions more
configuration changes may be necessary.

This first alpha version contains by no means all of the changes and
features we would like to see in the final version of UnrealIRCd 3.4. There
will be many major changes to come.

UnrealIRCd 3.2
===============
I forgot to send out an announcement to this mailing list for 3.2.10.3 which
was released on the 31st of May.
3.2.10.3 has the following bugs fixed:
* Crash when SASL is enabled and ping-cookie is disabled (a rare combination)
* Compile issue with remote include
* OS X compile problems
* ./unreal backtrace not always working well
Two days ago I released another update: 3.2.10.4. This fixes the following
two major issues:
* Compile problems with clang, which is the default compiler on a number of
systems nowadays.
* Newer services like anope 2.0 allow you to log in by account name, this
means you don't necessarily get user mode +r (registered nick). Previously
even if you logged in to anope you could still not join +R channels
("registered only") or speak in +M channels ("only registered users may
speak"). Now this has been fixed.

In addition to these two issues, the OpenSSL/curl/.. libraries for the
Windows build have also been updated to the latest versions. Plus an update
to the shipped curl-ca-bundle.crt, which now contains the latest certificates.

If you are not encountering any of the issues from above then there's little
reason to upgrade from 3.2.10.2 or 3.2.10.3.

Move to GitHub
===============
To give UnrealIRCd development more exposure and make it easier for people
to contribute we decided to move our source code over to GitHub. This was
actually one of the suggestions that came out of the UnrealIRCd survey.
This means from now on the Mercurial repository is no longer functional.
See this FAQ item http://www.unrealircd.com/faq.php#82 for more information
on how to access the 'bleeding edge' source code.
Or go directly to our GitHub page on
https://github.com/unreal-ircd/unrealircd

Note that the bug tracker, downloads, and all the rest of the project will
stay at www.unrealircd.com. It is only our repository (source code) which
moved to GitHub.

GitHub/Twitter account
=======================
We are searching for the owner of the 'unrealircd' account on GitHub, and
similarly the owner of @unrealircd on Twitter. We already sent a message to
both accounts but received no response.
Presumably these accounts were registered in advance with good intentions,
ensuring nobody else could take them, as a placeholder until the project
needs it.
That moment is now, if you are the owner of one of these accounts (or know
who is) then please contact sy...@un...

Finally
========
I'm really glad to see all the activity on the UnrealIRCd project as a whole
and on 3.4.x in particular. I hope more people will jump in to help out,
either as a developer or simply by testing the 3.4.x releases and reporting
bugs or giving suggestions.
Since there's a lot more activity now, especially on 3.4.x, this newsletter
and release announcements is likely to be sent out more often than before. I
hope everyone sees this as a positive sign, but if not then you can always
unsubscribe.

Finally, as always..
* You can download UnrealIRCd from www.unrealircd.com - Downloads
* All our releases are signed with our release key 0x9FF03937
* Thanks everyone for their continued support!

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlPXiQUACgkQbmdtRX/hmaa8IwD+J9q33qqkJZDZyTTwh0wrdV+E
GGJ/QslQQSiMWfDrwwAA/iEdS2glthzCqfVz6LC6ubzL5yBOMfbtQ0xQWCcOi1Fc
=cRML
-----END PGP SIGNATURE-----

Re: SSL Heartbleed security issue & UnrealIRCd

[Bram M. <sy...@vu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Below are some very important additions to previous advisory:

With regards to *NIX:
Some Linux distros (including Debian and Ubuntu) fixed the issue but didn't
update their OpenSSL version. This means they won't show up as the safe
'1.0.0g' version even though they are indeed fixed. So, if you installed the
OpenSSL security update, restarted the IRCd, and still see the old version
in UnrealIRCd then you'll simply have to assume you're safe now.

Regarding the exploit:
The exploit was already out there, it is unknown for how long, but the bug
itself has been in OpenSSL since March 2012. The exploit I found only needed
some minor modifications to work with UnrealIRCd.
When testing the exploit I can indeed see server memory being exposed. This
includes memory of OpenSSL and possibly (likely) some key material. On some
servers I could also see short phrases of text that other users had been
saying. This is all possible without actually getting online as a user on
IRC. And again, this issue exists on any SSL-capable server, not just
UnrealIRCd.

This brings us to a (rather drastic) recommendation:

AFTER YOU HAVE UPGRADED ALL YOUR SERVERS WE RECOMMEND YOU TO GENERATE A NEW
SSL CERTIFICATE & KEYS. I highly recommend this because there's no way to
tell if your private key has been retrieved by someone due to this
vulnerability.
This recommendation is not unique to UnrealIRCd or even IRC, the same
applies to apache, exim, and any other service that was using a vulnerable
OpenSSL. That's why other software makers are actually recommending the same.

HOW TO GENERATE A NEW SSL CERTIFICATE & KEYS
=============================================
If you are using a self-signed certificate, like most people, then see
below. Otherwise, if you are using an SSL certificate that has been signed
by a Certificate Authority then you should already know how to make and get
a new one.

Windows:
Start -> Programs -> UnrealIRCd -> Make Certificate

*NIX:
Run 'make pem' in your Unreal3.2.x directory. After that use 'make install'
if you installed UnrealIRCd in a different directory.

HOW TO ACTUALLY USE THE NEW SSL CERTIFICATE & KEYS
===================================================
Once you have made/installed the new certificate and keys, /OPER up on your
server and run:
/REHASH -ssl
You should see:
*** Notice -- [SSL rehash] XYZ (no...@so...) requested a reload of all
SSL related data (/rehash -ssl)
That's it. You should not see any errors.

There's no need to restart UnrealIRCd (again) if you only want to reload the
certificate and keys. This can be reloaded on the fly with /REHASH -ssl.


Bram Matthys wrote, on 8-4-2014 18:56:
> Hi all,
> 
> A serious issue in OpenSSL was reported yesterday, the so called
> 'Heartbleed' bug (CVE-2014-0160).
> This bug is very serious because it gives remote users the ability to read
> highly sensitive data from memory from programs using OpenSSL. This includes
> private SSL keys, passwords, etc.
> 
> There's a lot of media attention regarding this bug, and a lot of attention
> from hackers. It's likely that there is or very soon will be an active
> exploit available. We therefore suggest to take this matter seriously and
> not delay fixing it (IF you are affected, read on..).
> 
> UNREALIRCD & HEARTBLEED
> ========================
> UnrealIRCd uses the OpenSSL library for all it's SSL/TLS functionality. So
> if you are using an UnrealIRCd version with SSL support then you may be
> vulnerable to this serious security issue.
> 
> Note that even if you are not actively using SSL/TLS, even if you have no
> SSL listen ports, just the simple fact that you COMPILED WITH OpenSSL
> support means you may be affected.
> 
> In fact, even if your server is completely password protected, like a hub.
> Even then, if you are running a vulnerable version of OpenSSL then you are
> still affected.
> 
> HOW TO CHECK IF YOU ARE USING OPENSSL AND WHICH VERSION
> ========================================================
> Windows users who already know they are using the SSL version of UnrealIRCd
> can take a shortcut here: UnrealIRCd 3.2.9-SSL and later on Windows are all
> vulnerable, skip directly to 'I AM VULNERABLE - WHAT TO DO?'.
> 
> Best way to check if you are vulnerable is to execute '/VERSION' as an IRC
> Operator (IRCOp) on your server and verify the OpenSSL version.
> 
> As IRCOp you can also check other servers for OpenSSL on your network by using:
> /VERSION [remote server name]
> 
> This should output the UnrealIRCd version (eg: Unreal3.2.10.2) and some more:
> 
> 1) If you have SSL enabled then you will see something like:
> [17:58:04] -serv.er.name- OpenSSL A.B.Cd [Some Date]
> Continue reading under 'I AM USING SSL - AM I VULNERABLE?'...
> 
> 2) If you are an IRCOp, you did /VERSION, and you did not see any line with
> 'OpenSSL' in it, then this means OpenSSL support is not compiled in and you
> are safe. You don't need to take any action and can stop reading.
> 
> Note that if you are NOT an IRCOp then no OpenSSL version information will
> be displayed. Therefore it's important you execute the /VERSION command as
> IRCOp.
> 
> I AM USING SSL - AM I VULNERABLE?
> ==================================
> The following OpenSSL versions have the security issue:
> * 1.0.1 up to and including 1.0.1f (so: 1.0.1a, 1.0.1b, etc..)
> * 1.0.2-beta1
> 
> The following versions are safe:
> * Any version before 1.0.1, so 1.0.0x or 0.9.8etc...
> * 1.0.1g (which has just been released on April 7, 2014)
> 
> If you are using any such 'safe' version, then you don't need to take any
> action.
> 
> I AM VULNERABLE - WHAT TO DO?
> ==============================
> If you are indeed using 1.0.1-1.0.1f then you are affected by this security
> issue.
> 
> Windows
> --------
> Simply re-download the package from http://www.unrealircd.com/
> The installer will show 'Unreal3.2.10.2-SSL with Heartbeat fix', and once
> installed you will see (by using /VERSION as IRCOp) the OpenSSL version is
> 1.0.1g.
> 
> Linux / *NIX
> -------------
> Update your system the usual way. This depends on your OS and distribution.
> On Debian/Ubuntu it's 'apt-get update; apt-get upgrade', while on
> Redhat-based systems 'yum' is used, etc...
> If you don't have root on your system, consult your (shell) provider.
> 
> You normally don't need to recompile UnrealIRCd. But once you installed an
> updated version of OpenSSL you must RESTART UnrealIRCd. A simple /REHASH is
> not sufficient.
> After UnrealIRCd has been restarted, verify that your OpenSSL version is
> indeed safe now. You can see the OpenSSL version in the boot screen of
> ./unreal start, or check it by running /VERSION as IRCOp as mentioned earlier.
> 
> TIMELINE
> =========
> [2014-04-07 18:39 GMT] OpenSSL Security advisory
> [2014-04-08 15:39 GMT] UnrealIRCd windows download replaced
> [2014-04-08 16:55 GMT] UnrealIRCd advisory e-mail sent out
> 
> UPDATES
> ========
> The following URL contains a copy of this advisory, and any updates to it:
> http://forums.unrealircd.com/viewtopic.php?f=1&t=8265
> 
> 

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlNE8JkACgkQbmdtRX/hmaaT6QD/YxbkLo/vZ/6Acpxy+MR0vusM
fzXdJHSuQHkkwdIuv2MA/1O8P1GwpvRtNNV4/6Co/+8ZdzXkHmImQYG9dU6G4dLw
=/G8k
-----END PGP SIGNATURE-----

SSL Heartbleed security issue & UnrealIRCd

[Bram M. <sy...@un...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

A serious issue in OpenSSL was reported yesterday, the so called
'Heartbleed' bug (CVE-2014-0160).
This bug is very serious because it gives remote users the ability to read
highly sensitive data from memory from programs using OpenSSL. This includes
private SSL keys, passwords, etc.

There's a lot of media attention regarding this bug, and a lot of attention
from hackers. It's likely that there is or very soon will be an active
exploit available. We therefore suggest to take this matter seriously and
not delay fixing it (IF you are affected, read on..).

UNREALIRCD & HEARTBLEED
========================
UnrealIRCd uses the OpenSSL library for all it's SSL/TLS functionality. So
if you are using an UnrealIRCd version with SSL support then you may be
vulnerable to this serious security issue.

Note that even if you are not actively using SSL/TLS, even if you have no
SSL listen ports, just the simple fact that you COMPILED WITH OpenSSL
support means you may be affected.

In fact, even if your server is completely password protected, like a hub.
Even then, if you are running a vulnerable version of OpenSSL then you are
still affected.

HOW TO CHECK IF YOU ARE USING OPENSSL AND WHICH VERSION
========================================================
Windows users who already know they are using the SSL version of UnrealIRCd
can take a shortcut here: UnrealIRCd 3.2.9-SSL and later on Windows are all
vulnerable, skip directly to 'I AM VULNERABLE - WHAT TO DO?'.

Best way to check if you are vulnerable is to execute '/VERSION' as an IRC
Operator (IRCOp) on your server and verify the OpenSSL version.

As IRCOp you can also check other servers for OpenSSL on your network by using:
/VERSION [remote server name]

This should output the UnrealIRCd version (eg: Unreal3.2.10.2) and some more:

1) If you have SSL enabled then you will see something like:
[17:58:04] -serv.er.name- OpenSSL A.B.Cd [Some Date]
Continue reading under 'I AM USING SSL - AM I VULNERABLE?'...

2) If you are an IRCOp, you did /VERSION, and you did not see any line with
'OpenSSL' in it, then this means OpenSSL support is not compiled in and you
are safe. You don't need to take any action and can stop reading.

Note that if you are NOT an IRCOp then no OpenSSL version information will
be displayed. Therefore it's important you execute the /VERSION command as
IRCOp.

I AM USING SSL - AM I VULNERABLE?
==================================
The following OpenSSL versions have the security issue:
* 1.0.1 up to and including 1.0.1f (so: 1.0.1a, 1.0.1b, etc..)
* 1.0.2-beta1

The following versions are safe:
* Any version before 1.0.1, so 1.0.0x or 0.9.8etc...
* 1.0.1g (which has just been released on April 7, 2014)

If you are using any such 'safe' version, then you don't need to take any
action.

I AM VULNERABLE - WHAT TO DO?
==============================
If you are indeed using 1.0.1-1.0.1f then you are affected by this security
issue.

Windows
- --------
Simply re-download the package from http://www.unrealircd.com/
The installer will show 'Unreal3.2.10.2-SSL with Heartbeat fix', and once
installed you will see (by using /VERSION as IRCOp) the OpenSSL version is
1.0.1g.

Linux / *NIX
- -------------
Update your system the usual way. This depends on your OS and distribution.
On Debian/Ubuntu it's 'apt-get update; apt-get upgrade', while on
Redhat-based systems 'yum' is used, etc...
If you don't have root on your system, consult your (shell) provider.

You normally don't need to recompile UnrealIRCd. But once you installed an
updated version of OpenSSL you must RESTART UnrealIRCd. A simple /REHASH is
not sufficient.
After UnrealIRCd has been restarted, verify that your OpenSSL version is
indeed safe now. You can see the OpenSSL version in the boot screen of
./unreal start, or check it by running /VERSION as IRCOp as mentioned earlier.

TIMELINE
=========
[2014-04-07 18:39 GMT] OpenSSL Security advisory
[2014-04-08 15:39 GMT] UnrealIRCd windows download replaced
[2014-04-08 16:55 GMT] UnrealIRCd advisory e-mail sent out

UPDATES
========
The following URL contains a copy of this advisory, and any updates to it:
http://forums.unrealircd.com/viewtopic.php?f=1&t=8265

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlNEKlcACgkQbmdtRX/hmaYVOAD9GTCVWHtoBEGorShJ/7EViC2k
AIpbUcBKl12HGEQY7+0A/RF/4rJDRkd/ErSMudaarWKzPCkkLfRcQ2ZmmeBIKhTS
=lY4b
-----END PGP SIGNATURE-----

Unreal3.2.10.2 released

[Bram M. <sy...@un...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello everyone,

We have released a second update to latest stable: UnrealIRCd 3.2.10.2

This version contains a number of important fixes. In particular:
* A remote crash issue when compiled with SSL (NULL pointer dereference)
* A second issue that can potentially lead to a crash (read-after-free)

These bugs are present in UnrealIRCd 3.2.10 and 3.2.10.1.
Previous versions, such as 3.2.9, are unaffected.

Other than that, there are also improvements in the area of server linking
and some flood hardening.

Unfortunately the upgrade will require an IRCd restart, as part of the
problem lies in the core.

We recommend all 3.2.10 & 3.2.10.1 users to upgrade somewhere in the next
few weeks, especially if you have SSL/TLS enabled.

This release announcement (and any updates to it) can be found at
http://forums.unrealircd.com/viewtopic.php?t=8221

Full release notes can be found at
http://www.unrealircd.com/txt/unreal3_2_10_2_release_notes.txt

As always, you can download UnrealIRCd from http://www.unrealircd.com/

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlKQoU4ACgkQbmdtRX/hmaa5aAD/W7gyG5jX0B1K5hIe3ALPPyv1
w3iwlmiWgk+9X2DXcBIBAIClgVbkwV8Y40U2KgFmlnon0NYU1wKhNxDMHxHqU45t
=JeeK
-----END PGP SIGNATURE-----

UnrealIRCd survey - give your feedback, and help us decide where to work on

[Bram M. <sy...@un...>]

Hi everyone,

We've launched an UnrealIRCd survey at http://survey.unrealircd.com/

The purpose of this survey is to give us a good idea of what people think
about UnrealIRCd, how it's being used, and - even more important - in what
areas we should improve.

The results of the survey will help us decide where to work on, mainly with
regards to the development of the new Unreal3.4.x series, but also in other
areas.

If you're satisfied with UnrealIRCd, not satisfied at all, or anywhere in
between, now is the time to tell us.

Thanks a lot in advance for your time!

Bram Matthys (Syzop) / The UnrealIRCd team.

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

Unreal3.2.10 released & Unreal3.4 development

[Bram M. <sy...@un...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Happy Holidays everyone!

We have released UnrealIRCd 3.2.10. This release contains quite a number of
new features, but also a couple of minor bugs have been fixed. For a summary
of the changes, see the Release Notes below.

I would also like to announce that we have started development on UnrealIRCd
3.4. This means we now have two branches:
Unreal3.4 is where all (experimental) development takes place. The goal is
to have a lot of major changes and new features in 3.4, and after a while
start releasing beta's so we can have a 3.4 stable release somewhere in 2014.
Until then, Unreal3.2 will remain our stable branch, and bugfixes from 3.4
will be backported to 3.2.
The UnrealIRCd 3.2.x series will continue to be maintained until the 3.4
version has been declared stable, and for some time after that too.

To help us actually achieve this, nenolod has been added as a developer for
3.4.x. Other developers will hopefully hop in later. If you are a C
developer and interested in helping out, then send an e-mail to
sy...@un... or hop by in #unreal3-devel @ irc.unrealircd.com.

As always, you can download UnrealIRCd from http://www.unrealircd.com/

Release Notes:

==[ NEW ]==
* Improved socket engine. This brings some performance improvements and
  also makes it easier to configure a system to hold more than 1024
  clients (no more editing of header files on Linux!).
* ESVID support: services can communicate the account name of the user
  back to the IRCd. This only works on ESVID-capable services:
  * Extban ~a:<accountname>: matches users who are logged in to services
    with that account name.
  * Show account name in /WHOIS
* CAP support: this enables clients to enable certain features more easily.
  Can be disabled through set::options::disable-cap.
* Now that STARTTLS is advertised in CAP it is likely to be used more often.
* away-notify: informs clients of AWAY state changes of users on the same
  channels, for clients that support this.
* account-notify: similar to away-notify, inform clients of changes in the
  login status and account name used by other clients on the same channels.
* SASL support. To use this, and if your services support this, you point
  set::sasl-server to your services server.
* Server-side MLOCK support: the IRCd will prevent channel mode changes
  depending on the MLOCK setting in services. Requires special support
  from services for this feature.
* User Mode +I (IRCOp only): hide idle time
* auth-method 'sslclientcertfp': authenticate users using an SSL client
  certificate by the SHA256 fingerprint of that certificate.
  The documentation has a new section (3.19) called 'Authentication Types'
  which contains an (improved) example of how to use SSL client certificate
  authentication instead of regular passwords.
* oper::require-modes: an optional setting, which can be used to require
  users to have certain user modes (such as 'z') before they can /OPER up.
* allow/deny channel: you can now optionally specify a class here as an
  extra filter.
* doc/example.es.conf: Spanish translation of example configuration file.
* There have also been some behavior changes, which can be considered NEW,
  see next section (CHANGED).

==[ CHANGED ]==
* Anti-spoof protection (ping cookies) can now be enabled/disabled at
  run-time through set::ping-cookie [yes|no]. The default is 'yes' (enabled)
* A quit with 'Ping timeout' now shows the number of seconds since the ping.
* Print out a warning if we can't write to a log file.
* Refuse to boot if we can't write to ANY log file.
* Windows: if an SSL certificate exists, then uncheck the 'generate SSL
  certificate' checkbox by default.
* *NIX with SSL: We now ask in ./Config if you want to generate an SSL
  certificate. The certificate is then copied when you run 'make install'.

==[ MAJOR BUGS FIXED ]==
* Windows SSL crash (this issue was already fixed in 3.2.9-SSL-fix)
* Other than that, none?

==[ MINOR BUGS FIXED ]==
* Various compile problems, in particular with remote includes enabled.
* Windows: the installer sometimes insisted that the Visual C++ 2008
  redistributable package was not installed, when it actually was there.
* Windows: MOTD file date/time was always showing up as 1/1/1970.
* And more... see Changelog

==[ REMOVED / DROPPED ]==
* Windows 9X is no longer supported
* The networks/ directory has been removed

==[ FULL CHANGELOG ]==
For the full list of changes, see 'FULL CHANGELOG' at
http://www.unrealircd.com/txt/unreal3_2_10_release_notes.txt


- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlDcTR8ACgkQbmdtRX/hmaYMggD8DlYWqh4DhqYnd4dNRo4jaE9z
odRmXcD9+2iogjhrsV8A/Anpw7ND5KydRAPIVTHO2KbZIugOtx8r5NVf5XBvZgYi
=bHtO
-----END PGP SIGNATURE-----

Security: DoS issue in UnrealIRCd 3.2.9 Windows SSL version

[Bram M. <sy...@un...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SECURITY ADVISORY
==================

A serious issue has been found in the Windows SSL versions of UnrealIRCd
3.2.9 and 3.2.10-rc1. This issue allows someone to remotely crash the server.

Admins of affected systems should upgrade immediately.

Note that only Windows versions with SSL support are affected.

==[ AFFECTED VERSIONS ]==
Vulnerable versions:
* 3.2.9 on Windows with SSL support
* 3.2.10-rc1 on Windows with SSL support
Not vulnerable:
* 3.2.9 and 3.2.10-rc1 on *NIX (Linux, FreeBSD, ..)
* 3.2.9 and 3.2.10-rc1 on Windows without SSL support
* 3.2.9-winsslfix and 3.2.10-rc1-winsslfix
* 3.2.8.1 and earlier

If you are unsure which version you are using, then follow this procedure:
Type /VERSION on IRC (on some clients you might have to type /QUOTE VERSION)
This should return a string like:
Unreal3.2.9. server.name FhinWXeOoZE
This contains the version number, the server name, and the compile flags.
You are vulnerable if ALL these three conditions are met:
* The version is 'Unreal3.2.9' or 'Unreal3.2.10-rc1'
* The compile flags contain a 'W' (this means you're on Windows)
* The compile flags contain a lower case 'e' (this means you're using the
SSL version)

Fixed Windows SSL versions can be identified by having 'winsslfix' in their
version name.

==[ SHOULD I UPGRADE? ]==
If you are using any of the vulnerable versions then you should upgrade
immediately as this is a serious issue.
Unfortunately there are no mitigating factors: even if you don't actually
use SSL, or if you have password-protected your server or hub, then you are
still vulnerable to this particular attack.

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from:
http://www.unrealircd.com/

There's no update for *NIX or the non-SSL Windows version, as these are safe
and thus do not require any update.

==[ IMPACT ]==
This issue will result in a direct server crash.
There's no possibility to execute any code, nor is there any information
disclosure.

==[ CVSS ]==
CVSS v2.0 report:

Confidentiality Impact:  None
Integrity Impact:        None
Availability Impact:     Complete

Access Vector:           Network
Access Complexity:       Low
Authentication:          None

CVSS Base Score:         7.8

Availability of exploit: Proof of concept code[*]
Type of fix available:   Official fix

CVSS Temporal Score:     6.1

[*] Proof of concept / exploit is currently not public. This is expected to
change soon after the release of this security bulletin.

==[ TIMELINE ]==
Times are in UTC
2012-11-11 19:20    Bug reported
2012-11-12 11:03    Bug confirmed by developer
2012-11-12 11:22    Bug traced
2012-11-12 13:45    Fixed versions compiled and packaged
2012-11-12 14:00    Security announcement

==[ SOURCE ]==
This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsecadvisory.20121112.txt


- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlChAioACgkQbmdtRX/hmaaJagD/SeYBCHWPLYKsCVnrQXCFZ6Kh
AKiFc9rTkZQlo1O3lw4A/0eBASkAWWiaBVTGw1oOiwUk44vzRYO3KSbD3cuv0mBk
=JKvV
-----END PGP SIGNATURE-----

Unreal3.2.10-rc1 released for testing & help wanted (translators, PHP dev)

[Bram M. <sy...@un...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

We have released our first Release Candidate for 3.2.10 (3.2.10-rc1).
Everyone is welcome to test this version, and check if there are any major
release critical bugs (such as crash bugs) present, so they can be corrected
before the real 3.2.10 stable release.
Note that we do NOT recommend running this version on production servers.
Several Release Candidates may follow (-rc2, -rc3, and so on). We have no
set date for a final 3.2.10 release.
More details on the 3.2.10-rc1 release can be found at:
http://forums.unrealircd.com/viewtopic.php?f=2&t=7675
Or you can download it straight away from www.unrealircd.com.

We are also looking for help in the following areas:

Translations:
People who are willing to create and maintain unreal32docs.html translations
in any of the following languages: Greek, Spanish, Dutch, and German. The
translated documents in these languages are currently out of date.
Naturally, other (new) languages are also welcome.
For more information (such as on how to apply), go to:
http://forums.unrealircd.com/viewtopic.php?f=1&t=7676

PHP developer:
We need a new www.unrealircd.com website. We held a design contest a while
ago, and a winner was chosen. We now need someone to do the actual PHP coding.
More information can be found at:
http://forums.unrealircd.com/viewtopic.php?f=16&t=7677

Previously, we didn't send out an announcement for release candidates, but
history has learned us that this resulted in too little testing and thus a
long time between the first Release Candidate and the final stable release.

If you have no time to test this 3.2.10-rc1, no problem, you can just wait
for the 3.2.10 stable release. Otherwise: thanks in advance for your help!

	Syzop / The UnrealIRCd team.

PS: This e-mail does not contain MD5 and SHA1 checksums of the download
files. If you want to verify the integrity of the files, then you can do so
with the help of PGP/GPG. Current and past releases are signed with the
rel...@un... key (0x9FF03937). Full instructions on how to verify
the files can be found on the final download screen at the website.

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlCBoMAACgkQbmdtRX/hmaa4OAD/QnO2CYz+TH2GzUOGbvY5hh6w
uFkC/npeZ1ofDOcORdoA/R3FYdXlZgscoWgKhWdgAh5bMc98bYZYi6FK2LWbBaVM
=uWhb
-----END PGP SIGNATURE-----

Unreal3.2.9 released

[Bram M. <sy...@un...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

It has been more than 2 years since last stable release (3.2.8.1) and
4 months since last release candidate. Now, finally, UnrealIRCd 3.2.9 is out!
There have been 212 changes since previous release which is almost the same
as previous THREE stable releases combined.
The changes consist of the usual amount of bugfixes, however also a
substantial amount of new features have been added.
See the Release Notes below for a summary of the changes.

As usual, you can download UnrealIRCd from http://www.unrealircd.com/

MD5 checksums:
520df93a0f82b33a21f650ad7a8a2eda  Unreal3.2.9-SSL.exe
fb10daa6d4b37cba2e57ecae4b4fdec3  Unreal3.2.9.exe
bde023695347969f545ce5f2a9ac9aed  Unreal3.2.9.tar.gz

SHA1 checksums:
1ab39b4166bb796fc22a0bd0bff300142592372a  Unreal3.2.9-SSL.exe
1d5704e44182d35849fbca498e2aa72b40286fec  Unreal3.2.9.exe
0bb9d84ce6e4a395fda86e7d6250b7016cfeb913  Unreal3.2.9.tar.gz

Special thanks go to binki, who did a considerable amount of work to
make this release possible.

Also thanks to everyone who contributed to UnrealIRCd, whether it is
by doing support, reporting bugs, or just by using our software,
helping us to maintain our position as the most widely used IRCd.

Thanks,

	Syzop / The UnrealIRCd Team.

Unreal3.2.9 Release Notes
==========================

==[ GENERAL INFORMATION ]==
* If you are upgrading on *NIX, make sure you run 'make clean' and './Config'
  first, before doing 'make'
* The official UnrealIRCd documentation is doc/unreal32docs.html
  online version at: http://www.vulnscan.org/UnrealIRCd/unreal32docs.html
  FAQ: http://www.vulnscan.org/UnrealIRCd/faq/
  Read them before asking for help.
* Report bugs at http://bugs.unrealircd.org/
* When upgrading a network, we assume you are upgrading from the previous
  version (3.2.8/3.2.8.1). Upgrading from 3.2.6 or 3.2.7 should also be no problem.
* The purpose of the sections below (NEW, CHANGED, MINOR, etc) is to be a SUMMARY
  of the changes in this release. There have been 160+ changes, twice as much
  as usual for a release, hence this summary is a bit long too.
  For the FULL list of changes, see the Changelog.
* If you previously used CVS to access the development version of UnrealIRCd,
  you now need to use Mercurial, see see http://www.unrealircd.com/hgmove

==[ NEW ]==
* Extban ~j: this only prevents a user from joining, once in he can speak freely.
* Extban ~R:<nick>: this ban only matches if <nick> is a registered user (has
  identified to services). Especially useful in cases like: +e ~R:TrustedUser.
* Stacked Extended Bans:
  * Extbans are now split in two groups:
    * Ones that specify which user actions are affected (group 1):
      ~q (quiet), ~n (nick change), ~j (join)
    * Ones that introduce new criteria that can be used (group 2):
      ~c (channel), ~r (realname), ~R (registered)
  * With stacked extbans you can combine an extban of the first group with the second
    For example: ~q:~c:#lamers would quiet all users who are also in #lamers
* Extended Invex: very much like extended bans, but for +I (Invite Exception).
  Currently supported are: ~c (channel, ~r (realname) and ~R (registered) [=group 2]
  Possible useful uses are setting a channel +i (invite only) and then setting
  +I ~c:#trustedchan (or even: +I ~c:+#trustedchan) while still retaining the ability
  to easily ban users through +b.
* Channel Mode +Z: indicates whether a channel is 'secure' or not.
  This channel mode works in conjunction with +z (lower case z).
  While +z (normally) prevents new non-SSL users from joining, sometimes they
  can still join, like when after a netsplit the channels merge again.
  When all users on the channel are connected through SSL, the channel is set +Z
  by the server. Whenever an insecure user joins, the channel is put -Z.
* Remote MOTD support: you can now specify an URL instead of a file
* Automatic installation of curl (w/c-ares) if you answer 'Yes' to remote includes
* One can now rehash ALL servers with the command '/REHASH -global'. This can be
  particularly useful if you use remote includes or MOTD's. NetAdmin only command.
* files { } block by which you can configure the location of the tune file, pid, etc
* STARTTLS: On an IRCd compiled with SSL support this allows a client to start a SSL
  session on a regular non-SSL port (like 6667). Only supported by a few IRC clients.
  Can be disabled by setting set::ssl::options::no-starttls
* set::uhnames: this allows one to turn UHNAMES off ('no'), which can be a good idea
  if you have channels with more than 1000 users, as otherwise the nicklist can take
  several seconds to load. Defaults to on ('yes').
* IPv6 clones detection support: allow::ipv6-clone-mask determines the number of bits
  used when comparing two IPv6 addresses to determine if allow::maxperip is exceeded.
  This allows an admin to recognize that most IPv6 blocks are allocated to individuals,
  who might each get a /64 IPv6 block. set::default-ipv6-clone-mask defaults to 64 and
  provides default value for the allow blocks.
* The m_nopost module is now part of Unreal: this defends against the Firefox/
  Javascript 'XPS attack' which uses HTTP POST to create dummy IRC bots.
* There have also been some behavior changes, which can be considered NEW, see
  next section (CHANGED).

==[ CHANGED ]==
* Channel Mode +z: due to the +z/+Z changes, some things have changed:
  * +z can now be set even when insecure users are present
    (the channel will then be set +Z when the last insecure user leaves)
  * An oper previously had to invite himself and then join the channel
    with the key 'override' to set -z. This is no longer needed.
    The channel stays +z, but will be set -Z when the oper joins.
* Remote includes: if a remote include fails to load (eg: webserver down) then
  the most recent (cached) version of that remote include will be used, and the
  IRCd will still boot and be able to REHASH. This means it is now 'safe' to
  use remote includes on a network, without risking problems like unable to
  rehash in case of webserver problems.
* set::level-on-join now supports voice/halfop/protect/owner
* Backslashes (\) in MOTD/RULES files are no longer considered special, this
  might mean that you have to change some escaped backslashes (\\) to \.
* '/REHASH -motd' really rehashes ALL MOTD/OPERMOTD/BOTMOTD/RULES files, both
  the 'normal' files and the ones in tld { } blocks.
* The 'Compile as hub/leaf' choice is now gone, as it didn't do anything.
* Better document 'sslclientcert' in the Oper Block documentation.
  This allows one to authenticate against a SSL certificate for /OPER, instead
  of using a password.

==[ MAJOR BUGS FIXED ]==
* If you have autoconnect with a low connfreq, previously you often risked getting
  'Server exists' errors and 'breaking' the network. Now, the server handshake has
  been redesigned which means this will no longer happen. You can now safely have
  a low connfreq of - for example - 10 seconds.
* Windows: 'Permission denied' errors when starting Unreal
* A crash on some new Linux systems when replacing .so files
* Solaris & QNX: Compile problems
* IPv6: admins no longer have to tweak sysctl, like on FreeBSD & newer Linux systems
* IPv6: IPv4 ip's in link::bind-ip did not work properly which made the IRCd either
  not bind to the correct IP, or - like on FreeBSD - made it unable to link at all.
* A very rare crash on outgoing connect

==[ MINOR BUGS FIXED ]==
* autoconnect not working if TS offset was negative (for the duration of the offset)
* CGI:IRC & IPv6: sometimes a users' IP was incorrectly formatted, causing 'ghosts'
* Mac OS X: permission problems
* Several installation issues with curl
* SSL: No more 'Underlying syscall error', the actual error is now shown
* And many more... see Changelog

==[ KNOWN ISSUES ]==
* Regexes: Be careful with backreferences (\1, etc), certain regexes can slow the
  IRCd down considerably and even bring it to a near-halt. In the spamfilter user
  target it's usually safe though. Slow spamfilter detection can help prevent the
  slowdown/freeze, but might not work in worst-case scenario's.
* Regexes: Possessive quantifiers such as, for example, "++" (not to be confused
  with "+") are not safe to use, they can easily freeze the IRCd.

==[ CHANGELOG ]==
Full list of changes since previous release (3.2.8.1):
* Fixed compile issue on Solaris regarding c-ares (-lrt), reported and
  test shell provided by fraggeln (#0003854).
* Improved automatic SSL detection on Solaris (/usr/sfw), reported by
  fraggeln (also #0003854).
* Don't do show-connect-info on serversonly ports
* Fixed crash on Linux (with a 'new' dynamic linker) when a module has
  been updated and then reloaded. From now on we just copy to a tempfile,
  and never hardlink. (bug #3557).
* Print out an error if a user uses standard ./configure stuff instead of
  ./Config. Won't catch all cases, but will definitely catch most problems.
* Update some urls
* Added ./configure option called --with-system-tre by which you can specify
  a path to the TRE library (instead of using the TRE we ship with Unreal).
  Patch provided by ohnobinki (#0003842).
* Applied another patch from ohnobinki which adds --with-system-cares
  (#0003847).
* Comitted Windows Installer fix that was put in 3.2.8.1, fixing
  #0003845 and #0003809 (MS Visual Studio Redistributable package automatic
  installation).
* Fix /VERSION output on Windows, especially for Vista and newer Windows,
  patch from BuHHunyx and Bock (#0003846).
* Fixed issue where a negative time offset (either caused by ircd.tune or
  timesynch) made autoconnect not work for the duration of the offset
  (eg: -60 would make autoconnect wait 60 seconds after boot, instead of
  autoconnecting almost immediately). Reported by aragon (#0003853).
* class name 'default' is reserved. Using it caused the ircd to crash
  on-boot, reported by Dragon_Legion (#0003864).
* Fixed IPv4 ip's in link::bind-ip on IPv6 builds. This caused issues ranging
  from not binding to that ip when linking, to not being able to link at
  all. Also fixed a very small memory leak upon /REHASH. Bug reported by
  Mr_Smoke (#0003858).
* Applied patch from k4be (#0003866) which introduces a new packet hook
  (HOOKTYPE_PACKET). Replacing the 'text to be sent' to a client is
  supported, which allows character(set) conversion in a module.
  Note that modifying an incoming message by the hook is not supported.
* Applied patch from ohnobinki (#0003863) which makes run-time configuration
  of files (tune, pid, motd) possible.
* Fixed bug reported by mut80r (#0003867) where locops didn't get a
  proper vhost when set::hosts::local had a 'user@host' syntax instead of
  just 'host'. Also fixed a bug with regards to +x on-oper with locops.
* When an incorrect command line argument is passed, the IRCd will no longer
  boot. Previously it said 'Server not started' but started anyway.
  Reported and patch provided by ohnobinki (#0003870).
* Added special caching of remote includes. When a remote include fails to
  load (for example when the webserver is down), then the most recent
  version of that remote include will be used, and the ircd will still boot
  and be able to rehash. Even though this is quite a simple feature, it
  can make a key difference when deciding to roll out remote includes on
  your network. Previously, servers would be unable to boot or rehash when
  the webserver was down, which would be a big problem (often unacceptable).
  The latest version of fetched urls are cached in the cache/ directory as
  cache/<md5 hash of url>.
  Obviously, if there's no 'latest version' and an url fails, the ircd will
  still not be able to boot. This would be the case if you added or changed
  the path of a remote include and it's trying to fetch it for the first time.
  To disable this new behavior, check out REMOTEINC_SPECIALCACHE in
  include/config.h.
* set::level-on-join now also supports voice, halfop, protect and owner.
  Requested by katsklaw (#0003852). Partial patch provided by katsklaw and
  morpheus_pl.
* Added initial support for "stacked" extbans. Please see the Changelog item
  further down (250 lines or so) for more information, as it was heavily
  reworked later on and the API was changed.
* Misc fix for disabling stacked extbans, should've done stuff in our autoconf
  stuff instead of hacking configure directly :P .
* Made the timesynch log output more clear and understandable.
* Added an 'UnrealIRCd started' log message on startup.
* Added support for STARTTLS. This allows users to switch to SSL without
  having to use a special SSL-only port, they can simply switch to SSL on
  any port. This is currently only supported by few clients (such as KVIrc 4).
  This functionality can be disabled by setting set::ssl::options::no-starttls,
  for example if you don't want to offer SSL to your users and only want it
  to be used for server to server links.
  Naturally, the IRCd must be compiled with SSL support for STARTTLS to work.
* Fixed SSL_ERROR_WANT_READ in IRCd_ssl_write()
* Use RPL_STARTTLS/ERR_STARTTLS numerics
* Removed log target 'kline' from documentation, as it didn't do anything
  (use 'tkl' instead). Reported by nephilim and Stealth (#0003849).
* Server protocol: added PROTOCTL EAUTH=servername, which allows us to
  authenticate the server very early in the handshake process. That way,
  certain commands and PROTOCTL tokens can 'trust' the server.
  See doc/technical/protoctl.txt for details.
* Server protocol: between new Unreal servers we now do the handshake a
  little bit different, so it waits with sending the SERVER command until
  the first PROTOCTL is received. Needed for next.
* Server protocol: added PROTOCTL SERVERS=1,2,3,4,etc by which a server can
  inform the other server which servers (server numeric, actually) it has
  linked. See doc/technical/protoctl.txt and next for details.
* When our server was trying to link to some server, and at the same time
  another server was also trying to link with us, this would lead to a
  server collision: the server would link (twice) ok at first, but then a
  second later or so both would quit with 'Server Exists' with quite some
  mess as a result. This isn't unique to Unreal, btw.
  This happened more often when you had a low connfreq in your link blocks
  (aka: quick reconnects), or had multiple hubs on autoconnect (with same
  connfreq), or when you (re)started all servers at the same time.
  This should now be solved by a new server handshake design, which detects
  this race condition and solves it by closing one of the two (or more)
  connections to avoid the issue.
  This also means that it should now be safe to have multiple hubs with low
  connfreq's (eg: 10s) without risking that your network falls apart.
  This new server handshake (protocol updates, etc) was actually quite some
  work, especially for something that only happened sporadically. I felt it
  was needed though, because (re)linking stability is extremely important.
  This new feature/design/fix requires extensive testing.
  This feature can be disabled by: set { new-linking-protocol 0; };
* Made ./Config description about remote includes a bit more clear.
* When you now answer Yes to Remote includes in ./Config and $HOME/curl does
  not exist, it now asks you if you want to automatically download and
  install curl (which is done by ./curlinstall).
  This has been tested on Linux, further testing on f.e. FreeBSD is required.
* Fixed a /RESTART issue on Linux: Unreal did not properly close all file-
  descriptors. Because of this, Unreal did not restart properly as you would
  get an "Address already in use" error. This only seemed to happen when
  logging to syslog, or when there was something wrong with syslogd.
  Reported by Mouse (#0003882).
* Fixed a similar issue with syslog (and debugmode) and closing fd's as well:
  the first port we listened on would not open up, ircd did not log any error.
* Added set::uhnames setting which can be used to disable uhnames by setting
  it to 'no', the default is 'yes' (on). Requested by Robin (#0003885) as
  UHNAMES may increase the time of the nick list being loaded from 1 to 4
  seconds when joining several channels with more than 1000 users. As this
  problem is only present on some networks, we keep UHNAMES enabled by default.
* Added patch from ohnobinki (#0003888), only slightly edited, which improves
  curl detection, added checks to see if curl actually works (print out a
  clear curl error during configure, instead of getting an error during
  'make'), and we now error when using --enable-libcurl without
  --with-system-cares if the system curl depends on c-ares. This is because
  this can cause ABI incompatability between curl's c-ares and our c-ares,
  which leads to odd issues such as:
  Could not resolve host: www.example.net (Successful completion)
  And possibly other weird issues, perhaps even crashes.
* Patch from above is (temp.) reverted, Unreal wouldn't compile without curl.
* Reverted the revert and updated one line to fix the fix.
* Fix for --with-system-cares, reported and patch provided by ohnobinki
  (#0003890).
* Another c-ares fix for Solaris 10, this time it had to do with
  PATH_SEPARATOR, the exact error was: error: PATH_SEPARATOR not set.
  Reported by j0inty, patch provided by ohnobinki (#0003887).
* Updated pkg-config m4 macro (now 0.23) for configure, patch from ohnobinki
  (#0003889).
* Better document /REHASH flags. No longer document some flags as they are
  redundant and confusing. Also removed an old statement saying k-lines would
  be erased on rehash which is not true. Documented '/rehash -dns'.
  Reported by ohnobinki (#0003881).
* We now no longer treat \ (backslash) in *MOTD and RULES files as special.
  Previously this caused some really odd behavior. Backslashes are now
  treated as-is, so no special escaping is necessary. Reported by DelGurth
  (#0003002).
* Removed old dgets() and crc32 function (code cleanup)
* Updated ./Config description for NOSPOOF, it already said it protects
  against HTTP POST proxies, now added some extra text to say it also
  protects against the Firefox XPS IRC Attack. Also made NOSPOOF enabled by
  default on *NIX (this was already the case on Windows).
* Updated ./Config description for DPATH. Seems quite some people answer
  this question wrong, and when that happens, you only get some obscure
  error when running './unreal start'.
* Fixed 'unreal' script to give a better error if it cannot find the IRCd
  binary.
* Made '/REHASH -motd' really rehash *all* MOTD, OPERMOTD, BOTMOTD and RULES
  files. Reported by bitmaster (#0003894).
* IPv6: it seems some recent Linux dists decided to make IPv6 sockets
  IPv6-only, instead of accepting both IPv4&IPv6 on them like until now.
  FreeBSD (and other *BSD's) already did that move a few years back,
  requiring server admins to sysctl.
  We now make use of a new option to explicitly disable "IPv6-only".
  This should work fine on Linux.
  Whether it provides a complete solution for FreeBSD, I don't know, testing
  is welcome! In theory setting net.inet6.ip6.v6only to 0 should no longer
  be needed, but you might still need to enable ipv6_ipv4mapping.
* Fix stupid issue where current CVS would no longer link TO an earlier
  Unreal server (eg: outgoing connect to a 3.2.8 hub). Reported by ohnobinki
  (#0003901).
* Update Unreal.nfo with information about new support network setup (#0003904)
* Remove the ``Compile as hub/leaf'' concept as I'm quite sure this doesn't
  actually do anything (#0003891)
* Clarify/expand alias block documentation, especially for alias::type=command;
  (#0003902)
* Fix -DDEFAULT_PERMISSIONS=0 support. Previously, support.c:unreal_copyfile()
  would create files with no permissions, breaking loadmodule. (#0003905)
* Remove m_addline from commands.so
* Removed ugly ``files {} got initialized!'' message.
* SVSMODE now triggers HOOKTYPE_UMODE_CHANGE and HOOKTYPE_REMOTE_CHANMODE.
* Added chmode +r to HTML documentation.
* ./Config now remembers extra/custom ./configure parameters.
* Fixed bug in CVS where the ban exempt (+e) handling was reversed: if a
  non-matching +e was present, one could walk through bans. Reported by
  tabrisnet (#0003909). Bug was caused by stacked extbans.
* Partially fixed bug where IPv4 addresses were randomly mishandled by the
  cgiirc code, resulting in the sockhost/hostmask being set to something like
  ::ffff:127.0.0.1, which confused the s2s protocol. Reported by tabrisnet
  (#0003907). Also, reject incorrectly formed hostnames from WEBIRC command.
* More strict sockhost (hostmask) checking in m_nick.c:_register_user(). Fixed
  some bad string handling as well. See comments in bug (#0003907).
* Throw out old USE_POLL code which 1. has no buildsystem support and 2.
  has comments which claim it doesn't work.
* Removed extraneous apostrophe from a module loader error message.
* Added error message for unknown directives in the "files" block
* Remote MOTD support. Not adequately tested. Required restructuring of the
  asynchronous download callback and handler. (#)
* Added some consts throughout url.c, etc.
* Fix segfault where the an include directive specifies a URL and cURL follows
  redirects, resulting in a different resultant URL. The remote includes code
  would look for the an include block using the resultant URL and assume that
  it would be found. The new code searches differently, has new checks, and
  ignores the resultant URL.
* Removed duplicated m_motd() and friends that were both in modules and s_serv.c.
  The copies in s_serv.c (core) were overriding the in-module functions.
* Forgot to commit the REMOTEINC_SPECIALCACHE stuff to config.h which means
  it wasn't actually enabled until now...
* Fix typo
* Fix files::shortmotd to by accepted by unrealircd like the docs say it is.
* Fix remote includes download handling which I broke for remote includes ;-).
* Recursively add more consts.
* Rename configure.in to configure.ac and modernize AC_INIT.
* Handle bad flags in set::ssl::options better (#0003896).
* When removing a SHUN, check if users who were blocked by this SHUN are still
  blocked by another SHUN. Previously, if multiple shuns covered a single user,
  removing one of these shuns would mark the user as un-SHUN-ed. (#0003906)
* Fixed race condition / reference count issue where an outgoing server connect
  would cause the IRCd to crash. Reported by Monk (#0003913).
* Replaced some co...@li... references with bugs.unrealircd.org
* Fixed desynchronized prototype.
* Fixed a few trivial compilation warnings.
* Move configure.ac to the project's root.
* Separate m4 macros into *.m4 files (it is much easier to run aclocal now).
* Remove unused DOMAINNAME macro and --with-hostname= options as the DOMAINNAME
  macro isn't used anywheres and its use shouldn't be encouraged.
* autogen.sh to bootstrap the buildsystem. We now maintain setup.h with autoheader.
* --disable-blah now does the opposite of --enable-blah. The same for --with-blah
  and --without-blah. (This makes Gentoo users happier).
* Attempt to make up for Windows not having mode_t and not complying to POSIX.
* Fix references in src/win32 to aMotd to now be to aMotdFile.
* Fix references to motd and friends in src/win32. (#0003918)
* Remove include/nameser.h and reference to nameser.h from s_bsd.c. The associated
  functionality has been provided by c-ares for a long time.
* Remove remaining nameser.h references from Makfiles.
* Prevent stacked bans (like +b ~q:~q:~n:~c:#chanel) from crashing unrealircd due
  to over-recycling a static buffer. Discovered by syzop.
* helpop documentation for stacked extbans.
* Updated doc/coding-guidelines
* Fixed some odd behavior with SVSMODE and +z/-z, reported by TehRes (#0003498),
  fixed a strange SVSMODE +d <non-number> bug where it would act as a +x too.
* The patch from #0003888 made ./Config favor the curl in /usr, even if it
  was not compiled with c-ares, which is clearly a bad idea as then the
  entire IRCd can hang for several seconds or more...
  We now check if they support asynch DNS, and skip them if they don't.
* Remove extraneous `I' from configure.ac, run ./autogen.sh. (#3930)
* Added some checks in ./Config which (often) ensures that the self-compiled
  curl version is new enough and is not using a c-ares which is binary
  incompatible. If the self-compiled curl version is (too) outdated, then we
  now suggest to rename it and have the installer re-download and compile
  it automatically. This avoids some potential crashes.
* Give more clear error to users who use ``make custommodule'' without
  MODULEFILE. (#3935)
* Support compiling with a bundled c-ares again, the hacky way. (#3931)
* The configure.ac change silently changed the nospoof parameter in
  ./configure. This meant that the answer to NOSPOOF in ./Config was ignored
  and it was always enabled.
* Initialize ARG parameter properly in ./Config, otherwise everything fails.
* Fixed similar bug like nospoof with ./Config, but now with prefixaq.
* Same for IPv6
* Now define _SOLARIS, USE_LIBCURL, and ZIP_LINKS in setup.h instead
  of the Makefiles. This means better automatic rebuilds if the latter
  settings change.
* Updated unreal32docs:
  * Remove browser compatibility listing.
  * Added information about ``oper::password::auth-type sslclientcert''
    and the same for link::password-receive::auth-type.
  * A little bit more of interlinking and using id="" instead of a name=""
  * Some minor tweaks
* Fix the detection for curl-without-c-ares a little (#0003940).
* Add an extban of the schema +b ~j:*!*@* which _only_ prevents a user
  from joining a channel. (#3192)
* Fix src/Makefile's lack of depencencies for modules.c, related to
  #3938.
* Fix a few compiler warnings with some double-casting and another
  const. (#3939)
* Define intptr_t in win32's setup.h. (#3939)
* Upgraded c-ares to 1.7.3. API seems compatible with
  c-ares-1.6.0. (#3932)
* Force compilation with bundled c-ares to statically link using more
  sed hackery in configure.ac.
* Remove extras/c-ares before each time c-ares is compiled.
* Uniform naming for 'stacked extbans' in Changelog/etc.
* Make extended bans documentation more clear by splitting the extbans in
  two groups: one that specifies ban actions (~q/~n/~j) and one that
  introduces new criteria (~c/~r). Also added documentation for ~R which
  does not exist yet, but will soon...
* This is actually an update of earlier code from CVS, but now it works ok:
* Added support for "stacked" extbans. Put simply this allows extban combinations
  such as ~q:~c:#test to only silence users on #test, for example. This feature
  is enabled by default, but can be disabled during ./Config -advanced.
  This feature was suggested by Shining Phoenix (#0003193), was then coded
  by aquanight for U3.3, and later on backported and partially redone by Syzop.
  Module coders:
  In an extban ~x:~y:something where we call ~x the 1st, and ~y the 2nd extban:
  Since stacked extbans only makes sense where the 1st one is an action
  extended ban like ~q/~n/~j, most modules won't have to be changed, as
  their extban never gets extended (just like ~c:~q: makes no sense).
  However, you may still want to indicate in some cases that the extban your
  module introduces also shouldn't be used as 2nd extban.
  For example with a textban extban ~T it makes no sense to have ~n:~T.
  The module can indicate this by setting EXTBOPT_NOSTACKCHILD in
  the ExtbanInfo struct used by ExtbanAdd().
  For completeness I note that action modifier extbans are indicated by
  EXTBOPT_ACTMODIFIER. However, note that we currently assume all such
  extbans use the extban_is_ok_nuh_extban and extban_conv_param_nuh_or_extban
  functions. If you don't use these and use EXTBOPT_ACTMODIFIER, then things
  will go wrong with regards to stack-counting.
  Module coders should also note that stacked extbans are not available if
  DISABLE_STACKED_EXTBANS is defined.
* Added extended ban ~R:<nick>, which only matches if <nick> is a registered
  user (has identified to services). This is really only useful in ban
  exemptions, like: +e ~R:Nick would allow Nick to go through all bans if he
  has identified to NickServ. This is often safer than using +e n!u@h.
* Added Extended Invex. This is very much like extended bans, in fact it
  supports some of the same flags. Syntax: +I ~character:mask
  Currently supported are: ~c (channel), ~r (realname) and ~R (registered).
  This can be useful when setting a channel invite only (+i) and then
  setting invite exceptions such as +I ~c:#chan (or even ~c:+#chan), while
  still being able to ban users.
  Because action modifiers (~q/~n/~j) make no sense here, extended invex
  stacking (+I ~a:~b:c) makes no sense either, and is not supported.
  Suggested by DanPMK (#0002817), parts based on patch from ohnobinki.
  Module coders: set EXTBOPT_INVEX in the ExtbanInfo struct used by
  ExtbanAdd() to indicate that your extban may also be used in +I.
* Invex (+I) now always checks cloaked hosts as well. Just like with bans,
  it checks them also when the user is not currently cloaked (eg: did -x, or
  is currently using some VHOST).
* Fixed client desynch caused by (un)banning, reported by Sephiroth (#2837).
* IPv6 clones detection support (#2321). allow::ipv6-clone-mask determines
  the number of bits used when comparing two IPv6 addresses to determine if
  allow::maxperip is exceeded. This allows an admin to recognize that most
  IPv6 blocks are allocated to individuals, who might each get a /64 IPv6
  block. set::default-ipv6-clone-mask defaults to 64 and provides default
  value for the allow blocks.
* Upgrade to tre-0.8.0, adding hack similar to the one for c-ares to
  ensure that the bundled tre is compiled against even when a system
  libtre is installed. (#3916)
* Install ircdcron scripts. (#2620)
* Autogenerate ircdcron/ircd.cron based on ./configure settings.
* Get rid of any setsockopt(IPV6_V6ONLY) errors in ircd.log (#3944).
* Actually initialize m_starttls when it's included into commands.so.
* Prepend a `0' to the begining of --with-permission, working around a
  Mac OS X bug and hiding the fact that chmod()'s params are octal
  from users. (#3189)
* Warn users against running UnrealIRCd as root without setting
  IRC_USER. (#3053 reported by Stealth)
* Remove snomasks upon deopering when it seems like the user shouldn't
  have snomasks. (#3329)
* Fix /msg IRC WHOIS response for persons with secure connections. (#3947)
* Fix segfault by checking if RESTRICT_USERMODES is NULL in the code
  for bug #3329.
* Don't use sys/errno.h, as it's not POSIX and breaks on QNX-6.5.0. (#3955)
* Fixed another compile problem on QNX, reported by chotaire (#3955 too).
* Fixed incorrect messages regarding clock going backwards on QNX 6 and
  later, reported by chotaire (#0003956).
* Reverted an IPv6/Config fix I did on July 17. Reported by chotaire (#3958).
* Document the badword block more explicitly and clearly. (#3959)
* Add the m_nopost module written by syzop and compile it into
  commands.so. This module was written to help IRCd maintainers deal
  with some sort of ``XPS'' attack in which javascript-initiated HTTP
  POST form submissions were able to act as dummy IRC bots. These
  simple bots were the cause of much spam. Note that enabling NOSPOOF,
  which was the default on Windows and is now also the default on *NIX,
  already stops the troublemakers from getting on IRC. However, the nopost
  module kills them right away, rather than have them idle for 30 seconds
  which could consume all your connections, preventing (legit) users
  from being able to connect (#3893).
* Add a modules section to the documentation. This was created to put
  all documentation specific to the m_post module in one, easy to find
  place. The documentation on m_post is likely incomplete, however.
* Fixed notices to opers about server delinks not being broadcasted to all
  other servers if they were on SSL links. Reported by chotaire (#0003957).
* SSL errors are now more descriptive. In some cases, like server to server
  links it was still showing 'Underlying syscall error', this has now been
  replaced to show the actual (surprise!) underlying syscall error instead.
  Reported by vonitsanet, patch from ohnobinki (#0003157).
* Fix ordering of ``9. FAQ'' and ``10. Modules'' in HTML docs.
* Always display the real host of successful OPERing up. Reported by
  Josh. (#3950)
* Fixed braindamage in stacked bans.
* Add m_nopost to makefile.win32 in the hopes that it may work (#3961).
* Document spamfilter 'warn' action in unreal32docs.
* Fix missing OperOverride notices for +u and +L if not chanowner, reported
  by Mareo (#0003358), partial patch from goldenwolf.
* Updated doc/compiling_win32.txt with current free MS SDK information,
  patch from goldenwolf.
* And another m_nopost makefile.win32 fix.
* Some small updates to the extended channel mode system: it now has minimal
  support for 'local channel modes'. This is really only meant for channel
  mode +Z (upcase z), see next.
* Added Channel Mode Z which indicates if a channel is 'secure' or not.
  This mode works in conjunction with +z (lower case z).
  If +z is set ('only secure users may join'), then the IRCd scans to see
  if everyone in the channel is connected through SSL. If so, then the
  channel is set +Z as well ('channel is secure').
  Whenever an insecure user manages to join, the channel is -Z. And whenever
  all insecure users leave, the channel is set +Z.
  The 'insecure user being present in a +z channel' can be because:
  - An IRCOp joined the channel, and he's not secure
  - When servers link together and a user on the other side is not secure
    This only happens on net merge (equal time stamp).
    On different time stamp, we still kick insecure users on the new side.
  - At the time when +z is set, there are insecure users present.
  This feature was implemented after a heavy discussion in bug #3720 by fez
  and others, and was suggested by Stealth.
  Tech note: +Z/-Z is handled locally by each server. Any attempt to
  remotely set +Z/-Z (eg: by services) will be ignored.
* As mentioned above, +z can now be set even if any insecure users are
  present. Previously, this was not permitted. Now, as soon as the last
  non-SSL user leaves, the channel will be set +Z.
* An oper not connected through SSL previously had to /INVITE himself
  to a channel and then /JOIN the channel with the key 'override'.
  This 'override' key is no longer required, a simple JOIN will suffice.
* Sorted channel modes in /HELPOP ?CHMODES
* Re-enabled 'fishy timestamp' errors in MODE. For some reason this was
  commented out, even though the (more annoying and less useful) code in
  JOIN was enabled so that did not make a lot of sense. It also now logs to
  ircd.log (or whatever you configure). This enables people to easier find
  the cause of any timestamp issues (which usually is badly coded services).
* Win32 installer: Make it so a user can no longer accidentally check both
  'install as service' and 'encrypt SSL certificate', as they are
  incompatible (a service cannot ask a user to enter a password).
  Reported by HotFusionMan (#0003848).
* Win32 installer: Fixed long outstanding problem with some Vista / Windows 7
  installations, which has to do with file permissions of the Unreal3.2
  folder. Symptoms were error messages such as:
  Unable to create file 'tmp/10D9D743.commands.dll': Permission denied
  But also failing to create SSL certificates, nothing being logged, etc.
  This is now fixed by setting write access on the Unreal3.2 folder to the
  user running the install, unless the user chooses not to use this new
  option (it can be unchecked), in which case the user is warned that he
  should take care of this himself.
  Reported by various persons, special thanks to Bock and goldenwolf for
  helping us to track down this issue (#0003943).
* Little tweak to +Z: when the last insecure user parts and the channel is
  set +Z (secure), the parting user saw the MODE too, which was silly.
  Reported by Robby22 (#0003720).
* Added '/REHASH -global' command which will rehash all servers on the
  network. You can also specify options like '/REHASH -global -motd' to
  rehash only the MOTD/RULES/etc. Just like /REHASH <servername> this is a
  NetAdmin-only command. This command is fully backwards compatible with
  older UnrealIRCd version in the sense that it will also REHASH old
  Unreal's. Suggested by 'P' in #0001522.
* Clarified the difference between 'except ban' (which exempts from KLINE
  and ZLINE) and 'except tkl' (which can exempt from GLINE, GZLINE, SHUN,
  QLINE and GQLINE). Reported by Digerati (#0002535).
* Added except tkl::type 'all', which exempts from all TKL types (except
  KLINE).
* Added set::options::allow-insane-bans which makes it possible to set
  really broad bans such as *@*.xx. Needless to say this can be very
  dangerous. Reported and patch provided by Stealth (#0003963).
* Windows: When trying to load a module (DLL) windows can give us the
  mysterious error 'The specified module could not be found' even though the
  file exists. This usually means that it depends on another DLL, but
  apparently Microsoft decided not to mention that in the error message.
  We now append some small text when such an error happens, saying that it
  could be because of a missing dependency. Reported by Phil.
* Fixed Windows compile problem with current CVS due to m_issecure,
  reported and fix provided by therock247uk (#3970).
* Added release notes.
* Error on zero sendq in class::sendq, reported by jonbeard.
* Fix return values in src/auth.c on Win32.
* Win32: Attempt to move to 100% winsock2 (the include, to be precise),
  this means includes have to be in a very particular order (!)
* Win32: #define _WIN32_WINNT 0x0501 and force our own inet_ntop/pton,
  otherwise you get an ntop runtime error on XP and earlier.
* Win32: Get rid of c-ares includes and library in our tree, and use the
  DLL instead of static LIB, just like we do for ssl and zlib.
* Win32: Get rid of TRE lib and includes
* Win32: reorder includes to fix winsock errors with curl
* Win32: show missing /INFO in GUI
** 3.2.9-rc1 release **
* Enable parallel building of modules.
* Fixed bug with curl not finding libcares, reported by katslaw.
* Added workaround for 'curl-config' depending on 'bc'.
* Fix typo 'alias::spampfilter' in German docs, reported by seraphim (#3978).
* Fix missing #include <stdint.h>. Fixes compile error on OpenBSD
  reported by CuleX (#3977).
* Fix invalid use of 'wc -l' when detecting the AsynchDNS feature of
  libcurl which breaks compilation on FreeBSD; instead use 'grep
  -q'. Reported by Jobe (#3981), solution proposed by satmd.
* Fix bundled TRE compilation error on OpenBSD with pkg-config-0.21
  where pkg-config can't find 'tre.pc'. Reported by CuleX. (#3982)
  Also properly escape the sed expression used in the pkg-config call.
* Fix remote MOTDs for URLs whose path components contain
  subdirectories, in the process much simplifying my remote MOTD
  code. Reported by goldenwolf (#3986).
* Windows installer: if an SSL certificate already exists, then don't check
  the 'create SSL certificate' by default. Patch from goldenwolf (#3965).
* Update doc/compiling_win32.txt a bit (#3975).
* Updated credits a bit (#3980).
* Fix set::ssl::options::no-starttls not being recognized.
* Fix pointer handling in remote MOTD code, fixing a crash on REHASH
  reported by goldenwolf (#3992).
* Bump server protocol version to 2310, due to the various changes and so
  you can use deny link { } blocks if you want to deny older versions than
  this release.
* Fix documentation about channel mode +t and halfops, thanks warg (#4007).
* Fix empty/nonexistent short MOTD being shown instead of the full
  MOTD on user registration. Thanks WakiMiko (#4011).
* Module coders: Added HOOKTYPE_HANDSHAKE which is called before the client
  handshake, IOTW: as soon as the connection is established. This can be used
  to do things prior to accepting any commands, such as sending some text.
* Moved from cvs to hg (thanks binki!), this means cvs from this point in
  time should no longer be used (the lastest CVS version will not compile,
  this has been done on-purpose).
  The new way to access the development version of UnrealIRCd is:
  hg clone http://hg.unrealircd.org/unreal
  If you get something like 'hg: command not found' then you need to
  install mercurial. Most *NIX systems have such a 'mercurial' package,
  but if you don't, or you are on Windows or Mac OS X, then grab it at
  http://mercurial.selenic.com/
* Updated doc/compiling_win32.txt a bit.
* The unreal32docs translations in Greek, Spanish and Dutch are marked as
  out of date.
* CRLF conversion of unreal32docs.gr.html
* Zip links: once a link was zipped, the error message when closing the
  connection was never actually sent (due to buffering). Hence, things like
  the /SQUIT reason was never seen on the other side (just 'server closed
  the connection'). This has now been fixed.
* Fix compile failure introduced by last change when zip links are
  disabled.
* Check that the automatically-generated cloak keys fit unrealircd's
  own criteria before printing them out. (#4017)
* Added aliases/atheme.conf, provided by katsklaw (#0003990).
* Support installing the ircd binary for people who set
  --with-spath=<dpath>/bin/ircd.
* Add missing quotation to doc/help.fr.conf (#4026 by MewT).
* Remove temporary message (Unreal3.2.1) regarding cloaking modules.
* Add a self-documented and commented files {} block to example.conf.
* Another fix-for-fix of zip links buffering from a few weeks ago.
  Reported by fbi (#0004030).
* Win32: fix rehash from the command line not working, reported by Platzii
  (#0004028).
* Update curl-ca-bundle.crt
** 3.2.9-rc2 release **
* Updated credits (donations)
* Updated credits (supporters, coders)
** 3.2.9 release **

- --
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: BBBC E14E 3D9B 3655 7BE1 24A0 E3A8 A873 9DF4 E5AF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFOtVEX46ioc5305a8RAjPOAKDgvJwR0i2l0PAoSH9UEziPngnjiwCff6YA
Uy485DnKUbJmub3X6eCICeo=
=ZPW8
-----END PGP SIGNATURE-----

countermeasures

[Bram M. (Syzop) <sy...@vu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

After receiving many questions of what we are doing with regards to the hack
incident, here's my reply:

First, we now PGP/GPG sign releases. Our GPG key is rel...@un...
(0x9FF03937). When downloading UnrealIRCd you will be given instructions on
how to verify the integrity of the file.

Second, we're now isolating/shielding the main site from the rest, and making
parts unmodifiable, to prevent catastrophes in case of a break-in.

Third, we added several methods of detection when files and other data is
modified.

Fourth, we'll only serve the files from the main site for now. While the
mirror admins did not have any blame in this, it does mean we only have to
protect our own site(s).

And finally we did some other things which I won't mention here.

In short: we've really tightened security since the break-in to make sure this
will never ever happen again. As you may understand, we really can't afford a
repeat of this incident.

On an unrelated side note, I find the claims in various media that this
security incident indicates that Linux and Open Source cannot be trusted and
that Microsoft and closed-software is better really silly. It lacks any
foundation. A hacker, once in, could just as easily have inserted the backdoor
in Windows software. In fact, it is *THANKS* to it being Open Source that this
backdoor got noticed, though - I fully agree - much too late.

- --
Bram Matthys
Software developer/IT consultant        sy...@vu...
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: BBBC E14E 3D9B 3655 7BE1 24A0 E3A8 A873 9DF4 E5AF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFMFosK46ioc5305a8RAmDEAKDTuw29yKIBaX5d0ps8HZWh+SZ11ACgwEES
3YAEvVlHmpWtxDSMHlbpvyI=
=1guj
-----END PGP SIGNATURE-----

Security: some versions of Unreal3.2.8.1.tar.gz contain a backdoor (trojan)

[Bram M. (Syzop) <sy...@vu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

This is very embarrassing...

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been
replaced quite a while ago with a version with a backdoor (trojan) in it.
This backdoor allows a person to execute ANY command with the privileges of
the user running the ircd. The backdoor can be executed regardless of any user
restrictions (so even if you have passworded server or hub that doesn't allow
any users in).

It appears the replacement of the .tar.gz occurred in November 2009 (at least
on some mirrors). It seems nobody noticed it until now.

Obviously, this is a very serious issue, and we're taking precautions so this
will never happen again, and if it somehow does that it will be noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in practice
(very) few people verify files, it will still be useful for those people who do.

Safe versions
==============

The Windows (SSL and non-ssl) versions are NOT affected.

CVS is also not affected.

3.2.8 and any earlier versions are not affected.

Any Unreal3.2.8.1.tar.gz downloaded BEFORE October 11 2009 should be safe, but
you should really double-check, see next.

How to check if you're running the backdoored version
======================================================
Two ways:

One is to check if the Unreal3.2.8.1.tar.gz you have is good or bad by running
'md5sum Unreal3.2.8.1.tar.gz' on it.
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

The other way is to run this command in your Unreal3.2 directory:
grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs two lines, then you're running the backdoored/trojanized version.
If it outputs nothing, then you're safe and there's nothing to do.

What to do if you're running the backdoored version
====================================================
Obviously, you only need to do this if you checked you are indeed running the
backdoored version, as mentioned above. Otherwise there's no point in
continuing, as the version on our website is (now back) the good one from
April 13 2009 and nothing 'new'.

Solution:
* Re-download from http://www.unrealircd.com/
* Verify MD5 (or SHA1) checksums, see next section (!)
* Recompile and restart UnrealIRCd

The backdoor is in the core, it is not possible to 'clean' UnrealIRCd without
a restart or through a module.

How to verify that the release is the official version
=======================================================
You can check by running 'md5sum Unreal3.2.8.1.tar.gz', it should output:
7b741e94e867c0a7370553fd01506c66  Unreal3.2.8.1.tar.gz

For reference, here are the md5sums for ALL proper files:
7b741e94e867c0a7370553fd01506c66  Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18  Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3  Unreal3.2.8.1-SSL.exe

These are the EXACT same MD5sums as mentioned on April 13 2009 in the initial
3.2.8.1 announcement to the unreal-notify and unreal-users mailing list.
<http://sourceforge.net/mailarchive/forum.php?thread_name=49E341E0.3000702%40vulnscan.org&forum_name=unreal-notify>

Finally
========
Again, I would like to apologize about this security breach.
We simply did not notice, but should have.
We did not check the files on all mirrors regularly, but should have.
We did not sign releases through PGP/GPG, but should have done so.

This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Hope you'll all continue to support UnrealIRCd.

- --
Bram Matthys
Software developer/IT consultant        sy...@vu...
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: BBBC E14E 3D9B 3655 7BE1 24A0 E3A8 A873 9DF4 E5AF

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFME09+46ioc5305a8RApKHAKCWZNS0tDToLXBZdpQni2VmDq+N3ACgjh5R
MkQ3RNlvQQy0J4gmpBgS0YQ=
=i+W6
-----END PGP SIGNATURE-----

Security: Buffer overflow in UnrealIRCd when using allow::options::noident

[Bram M. (Syzop) <sy...@vu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY ADVISORY
==================

A serious buffer overflow issue has been discovered in UnrealIRCd. This
issue can cause the IRC server to crash. It is not clear if this issue can
lead to remote code execution.

==[ AFFECTED VERSIONS ]==
This bug can ONLY be triggered if allow::options::noident is in use. By
default, this is not the case, and it's not a very common option to use.
To check for this, you can search for "noident" (without quotes) in your
config files (such as unrealircd.conf). If you don't use this option, you
are safe, and there's no need to upgrade.
If you use the noident option, and you're using Unreal3.2.8 or earlier (this
issue goes back to 3.2beta11), then you are affected.

==[ PROBLEM ]==
A buffer in the code which handles user authorization is copied without
sufficient length checks, causing a buffer overflow.
This bug happens BEFORE the user is online. In other words: even if you have
a password protected server, or only allow certain ip/hosts in, and you use
allow::options::noident, then this bug can still be triggered.

There has been one report of this bug being abused by "bad guys" to crash
the server, so if you're using allow::options::noident then it's highly
recommended to either implement the WORKAROUND or FIX as soon as possible.

==[ WORKAROUND ]==
The workaround is simply to remove noident from the allow::options and /REHASH.
For example, if you have:
allow {
        ip "*abc@*";
        hostname "*abc@*";
        class clients;
        maxperip 3;
        options { noident; }; // MARK
};
Then simply remove the line marked with MARK, and /REHASH the IRCd.

Naturally, if you rely on the noident feature on your network/IRCd, then
this may not be an option for you. Check out the FIX in next section, instead.

==[ FIX ]==
Thanks to having a (partially) modular IRC server, we have created a "hot
fix" utility that will fix the issue WITHOUT requiring a server restart. All
you will have to do is install it and rehash.
This patch can be used on UnrealIRCd versions 3.2.3 - 3.2.8.
If you are using any older version (unsupported), then we suggest you to
upgrade to the latest version or implement the workaround.

*NIX:
 Download and run the hotfix utility, available from these locations:
 http://www.unrealircd.com/upd/unrealpatch328
 http://www.vulnscan.org/unr/unrealpatch328

 EXAMPLE:
 cd ~/Unreal3.2 && wget http://www.unrealircd.com/upd/unrealpatch328 && \
 chmod +x unrealpatch328 && ./unrealpatch328
 (or use 'fetch' instead of 'wget', or any other download utility)

 Alternatively if that did not work, try this .tar.gz:
 http://www.unrealircd.com/upd/qpatch.tar.gz  OR
 http://www.vulnscan.org/unr/qpatch.tar.gz

 Extract it, cd to the qpatch directory and run ./doinstall

Windows:
 Unfortunately, we did not have the resources to make a hotfix utility for
 Windows, so you will have to either implement the workaround or upgrade
 your UnrealIRCd to 3.2.8.1:
 http://www.unrealircd.com/downloads/unreal/win     (Windows)
 http://www.unrealircd.com/downloads/unreal/winssl  (Windows SSL)

==[ NEW VERSION ]==
While for existing installations you can use the FIX as explained above.
For fresh installs, we've released a new Unreal version called 3.2.8.1,
which can be downloaded from http://www.unrealircd.com/

MD5 checksums:
86212ebf6feab6cc57a4ebba99632db2  qpatch.tar.gz
c855fd1fe1cb2f08095bf7cd8f2f1120  unrealpatch328
7b741e94e867c0a7370553fd01506c66  Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18  Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3  Unreal3.2.8.1-SSL.exe

SHA1 checksums:
6654bccd941ea038e9bef847703b25450b739ba1  qpatch.tar.gz
766118e3cdad454dc189a8bb06cbc8ff55cdb7f7  unrealpatch328
363c3c995bb38cf601f409610ce1937a0002c419  Unreal3.2.8.1.tar.gz
d2e73094149bbcc9238b111f12f30fa8f8a463cc  Unreal3.2.8.1.exe
336972a8201a67be2bcbb012f66abd11d19ade46  Unreal3.2.8.1-SSL.exe

==[ TIMELINE ]==
Times are UTC
2009-04-10  Bug reported
2009-04-11  Additional information requested
2009-04-12  Information provided
2009-04-12  Bug traced, working on fix
2009-04-13  Fix & binaries ready. Public announcement

==[ SOURCE ]==
A copy (and any updates) of this advisory is available at:
http://www.unrealircd.com/txt/unrealsecadvisory.20090413.txt

- --
Bram Matthys
Software developer/IT consultant        sy...@vu...
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D  1811 E1C3 D65F E6ED 2AA2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFJ40Hg46ioc5305a8RAtJ8AJ93VqLlPO4mG/Cpd2oTTQLp0y1O9wCgrDWP
Y05KNA9Z/Qahog8dR9SrAlQ=
=27vA
-----END PGP SIGNATURE-----

Unreal3.2.8 released

[Bram M. (Syzop) <sy...@un...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It has been 1.5yrs since last release, and quite some things have changed.
Stskeeps has left the UnrealIRCd project [1], and Unreal4 (and it's
based-on-InspIRCd idea) is dead.
The story of Unreal3.2, however, continues (at a slow pace): we bring you a new
UnrealIRCd version, 3.2.8, in which we have added a few new features, some
innovative like watch away notification, and have fixed some major bugs / added
some important workarounds such as slow spamfilter detection(&removal) and
detection of time shifts. In total this release consists of over 70 changes.
See the Release Notes below for more information.

 Unreal3.2.8 Release Notes
 ==========================

 ==[ GENERAL INFORMATION ]==
 - If you are upgrading on *NIX, make sure you run 'make clean' and './Config'
   first, before doing 'make'
 - The official UnrealIRCd documentation is doc/unreal32docs.html
   online version at: http://www.vulnscan.org/UnrealIRCd/unreal32docs.html
   FAQ: http://www.vulnscan.org/UnrealIRCd/faq/
   Read them before asking for help.
 - Report bugs at http://bugs.unrealircd.org/
 - When upgrading a network, we assume you are upgrading from the previous
   version (3.2.7). Upgrading from 3.2.6 or 3.2.5 should also be no problem.
   However, if you have a network running with servers that are several versions behind
   (eg: 3.2.1) then you might experience small (desynch) problems.
   Please also minimize the time you have multiple versions running, a few days or
   one week is generally not a problem, but having mixed versions on a network for several
   weeks or months is not recommended.
 - The purpose of the sections below (NEW, CHANGED, MINOR, etc) is to be a SUMMARY of
   the changes in this release. There have been 70+ changes, and trying to mention them
   all would be useless, see the Changelog for the full list of changes.

 ==[ NEW ]==
 - set::level-on-join: this defines which privileges a user receives when creating a
   channel, default is 'chanop', the only other available setting is 'none' (opless).
 - Away notification through WATCH: This allows clients to receive a notification
   when someone goes away or comes back, along with a reason, a bit like IM's.
   There's probably no current client supporting this but it would be a nice feature
   in notify lists. Client developers: see Changes file for full protocol details.
   This feature can be disabled by setting set::watch-away-notification to 'no'.
 - Spamfilter: Slow spamfilter detection: For each spamfilter, Unreal will check,
   each time it executes, how long it takes to execute. When a certain threshold is
   reached the IRCd will warn or even remove the spamfilter. This could prevent a
   spamfilter from completely stalling the IRCd. Warning is configured through
   set::spamfilter::slowdetect-warn (default: 250ms) and automatic deletion is
   configured by set::spamfilter::slowdetect-fatal (default: 500ms).
   You can set both settings to 0 (zero) to disable slow spamfilter detection.
   This feature is currently not available on Windows.
 - SSL: set::ssl::server-cipher-list can be used to limit the allowed ciphers
 - SSL: To specify when an SSL session key should be renegotiated you can use
   set::ssl::renegotiate-bytes <bytes> and set::ssl::renegotiate-timeout <seconds>.
 - UHNAMES support: This sends the full nick!ident@host in NAMES which can be
   used by clients for their IAL. mIRC, Klient, etc support this.
 - There have also been some behavior changes, which can be considered NEW, see
   next section (CHANGED).

 ==[ CHANGED ]==
 - IPv6: On IPv6 servers you no longer have to use ::ffff:1.2.3.4 IP's for IPv4 in the
   config file, you can use the simple 1.2.3.4 form, as they are converted automatically.
 - When someone is banned and /PARTs, the part reason (comment) is no longer shown
 - ChanMode +S/+c: now strips/blocks 'reverse' as well
 - Smart banning is now disabled by default because it was too annoying, this means that
   f.e. if there's a ban on *!*@*.com then you can still add a ban on *!*@*.aol.com
 - except ban { } now also protects against ZLINEs and ban ip { }
 - Modules: user modes and channel modes without parameters (eg: +X) no longer have
   to be PERManent, this means they can be upgraded/reloaded/unloaded on-the-fly.

 ==[ MAJOR BUGS FIXED ]==
 - Zip links issue (Overflowed unzipbuf)
 - Crash issue with 3rd party modules that introduce new channel modes w/parameters
 - Mac OS X: Various issues which prevented the IRCd from booting up
 - Remote includes (constant) crash with new curl/c-ares versions
 - A few rare crash issues, including a crash when linking to another server
 - In case of clock adjustments, the IRCd will no longer freeze when the time is
   adjusted backwards, nor will it incorrectly throttle clients when adjusted forward.
   However, because clock adjustments (time shifts) of more than xx seconds are
   so dangerous (and will still cause a number of issues), big warnings are now
   printed when they happen.
   Morale: synchronize your system clock, or use the built-in timesync feature.

 ==[ MINOR BUGS FIXED ]==
 - CGI:IRC: Several IPv6 issues, both on IPv6 IRCd's and CGI:IRC gateways
 - IP masks in oper::from::userhost sometimes didn't match when they should
 - (G)ZLINE's on IPv6 users were sometimes rejected
 - CHROOTDIR works again
 - OperOverride fixes
 - Throttling is now more accurate
 - And more... see Changelog

 ==[ KNOWN ISSUES ]==
 - Regexes: Be careful with backreferences (\1, etc), certain regexes can slow the IRCd
   down considerably and even bring it to a near-halt. In the spamfilter user target it's
   usually safe though. Slow spamfilter detection can help prevent the slowdown/freeze,
   but might not work in worst-case scenario's.
 - Regexes: Possessive quantifiers such as, for example, "++" (not to be confused with
   "+") are not safe to use, they can easily freeze the IRCd.
 - Suse 10.3 in 64 bit mode (amd64, x64) is known to crash UnrealIRCd on-boot, this is
   likely to be a Suse 10.3 bug as over 3 people reported it with that exact OS / arch.

 ==[ CHANGELOG ]==
 - Fix aquanight's email
 - #0003351 reported by Mareo regarding m_addmotd.so and m_svslusers.so
   not being created
 - Fixed bug in SJOIN, possibly causing things like odd bans showing up in
   some circumstances. Reported by Hurga, patch provided by fbi.
 - Now allowing '1.2.3.4' ips again in IPv6 mode as well (instead of enforcing
   '::ffff:1.2.3.4' ips in the conf, they are now auto-converted to that).
   Based on patch from tabrisnet.
 - Fixed issue where the cgiirc block did not work with IPv6, reported by
   djGrrr, fixed by previous change.
 - Fixed CHROOTDIR, which was broken in 3.2.7: IRC_USER/IRC_GROUP did not work
   properly when CHROOTDIR was in use (#0003454).
 - Fixed oper block bug where ip masks in oper::from::userhost did not always
   work succesfully (ex: 192.168.* worked, but 192.168.*.* didn't). Issue was
   introduced in 3.2.7, reported by tabrisnet (#0003494).
 - CGI:IRC + IPv6: Fixed cgiirc block hostname never matching ipv4 cgiirc
   gateway properly (..again..), this was previously reported by pv2b.
 - CGI:IRC + IPv6: Fixed issue where all cgiirc ipv4 clients were rejected with
   the message 'Invalid IP address', reported by stskeeps (#0003311), nate
   (#0003533) and others.
 - Document CHROOTDIR in unreal32docs, reported by Beastie (#0002446).
 - Fixed Mac OS X issue where "access denied" errors were encountered when
   trying to read unrealircd.conf. All due to strange chmod() behavior. We now no
   longer try to set permissions on Mac OS X. Patch provided by Tibby (#3489).
 - Hopefully fixed 'Overflowed unzipbuf increase UNZIP_BUFFER_SIZE' issue,
   reported by Monk (#0003453). It should be large enough now. Also changed the
   way we deal with this when it happens (if it ever happens again..): we now
   close the server connection, instead of trying to continue, because continueing
   is too dangerous.
 - Remove part reason when user is banned, suggested by vonitsanet (#0003354).
 - Fixed set::modes-on-join: could crash or disfunction with certain
   parameter mode combinations.
 - Minor source cleanup in src/modules/m_map.c, suggested by fez (#0003540).
 - Usermode modules now no longer have to be permanent (#3174), this was
   simply a bug that was introduced when adding remote includes support years
   ago.
 - Channelmode modules without parameters (like: +X, but not: +X 1) no longer
   have to be permanent. Channelmodes with parameters still have to be PERM
   however, and there are currently no plans to change it.
 - Fixed bug (in all Unreal versions) with parameter channelmodes, any 3rd
   party module which adds an extra parameter chanmode could cause crashes.
 - Added set::level-on-join: which level should the user get when (s)he's is
   the first to enter a channel. Currently only 'none' and 'op' are supported.
 - unreal32docs.html: doubt it will help much but at least this makes it a
   little bit more clear (#3548), chatops vs globops.
 - ChanMode +S/+c: reverse is now stripped/blocked as well, because it's
   similar to color, and is just as annoying (..if not worse).
 - So called 'smart' banning is now disabled by default, this means you can
   now set a ban on *!*@*h.com and then later add one on *!*@*blah.com without
   any trouble. Previously the second one was rejected due to the former
   already matching it. To change it back edit the include/config.h setting
   SOCALLEDSMARTBANNING.
 - Fixed (G)ZLINE check.. it was incorrectly rejecting many IPv6 bans.
   Reported by guigui (#0003572).
 - Backport from 3.3 away notification from Oct 2006, this is v0, a further
   patch will follow soon and the numerics will be changed.
 - Ok, finished away notification in WATCH. It now shows the away reasons too.
   This new feature (away notify) is announced in 005 (ISUPPORT) as: WATCHOPTS=A

   Format is: WATCH A +UserOne +UserTwo

   New numerics to cope with away notification in WATCH are:
   RPL_NOWISAWAY: to indicate the user is away _when adding_ it to WATCH list
   RPL_GONEAWAY:  user was not away, but is now
   RPL_NOTAWAY:   user was away, but is no longer away
   RPL_NOWISAWAY: user was away, and still is, but the reason changed
   Example:

   WATCH A +Target
   Request to add user 'Target' to the watch list with away notification

   :maintest.test.net 609 MySelf Target ~blih test.testnet 1204309588 :not here atm
   Reply to watch add: user is online and away, reason is provided

   :maintest.test.net 599 MySelf Target ~blih test.testnet 1204309588 :is no longer away
   User is back (no longer away)

   :maintest.test.net 598 MySelf Target ~blih test.testnet 1204309722 :lunch
   State change: user is now away, reason is provided

   :maintest.test.net 597 MySelf Target ~blih test.testnet 1204309738 :shopping, bbl
   User is still away, but reason changed.

   The syntax for each numeric is:
   <nickname> <username> <hostname> <awaysince> :<away reason>
   In case of 599 (RPL_NOTAWAY) it is:
   <nickname> <username> <hostname> <awaysince> :is no longer away

   For the record, this is all based on a draft from codemastr from 2004, which was
   implemented in Unreal3.3 (devel branch) in 2006. Today, in 2008 it was updated
   with away reason support and backported to Unreal3.2. Because away notification
   hasn't been used until now (due to it only being in Unreal3.3) we felt it was
   safe to break some numerics.
 - Upgraded c-ares to 1.5.1, thanks to aegis for the partial patch (#0003671).
   This also fixed a curl compile/run issue, reported by static-x (#0003545).
 - Added slow spamfilter detection. For each spamfilter, Unreal will check,
   each time it executes, how LONG it takes to execute. When a certain threshold
   is reached the IRCd will warn or even remove the spamfilter. This will prevent
   a spamfilter (regex) from slowing down the IRCd too much, though it's still not
   a guarantee that it will never go to a halt (eg: in case it takes several
   minutes to execute a regex or loops forever).
   Warning can be configured via set::spamfilter::slowdetect-warn (default:
   250 milliseconds) and automatic deletion of spamfilters if it takes too
   long is set through set::spamfilter::slowdetect-fatal (default: 500 ms).
   NOTE: slow spamfilter detection is currently not available on Windows.
   NOTE 2: to disable slow detection you can set the warn and fatal settings
   to 0 (zero). OR to really disable all code, remove SPAMFILTER_DETECTSLOW
   from include/config.h and recompile.
 - Added another Mac OS X hack, such as one that should help against
   'error setting max fd's to 9223372036854775807' which prevents the ircd
   from booting up. Reported by btcentral and Bock. This hack might not be
   totally correct though ;).
 - Limit watch status requests to one per time, more will often flood you off
   and is stupid/useless. Reported by ash11.
 - The OS version output is now taken from uname() at runtime instead of
   'uname -a' at compile time. This fixes bug #1438 and #3320 reported by
   Mouse and Monk, where because of previous behavior the IRCd sometimes would
   not compile in certain environments.
 - configure script is now generated by autoconf 2.61 (was: 2.59), hopefully
   that won't cause any issues, perhaps it even helps to fix some bugs...
 - #0001740 reported by Trocotronic, making the IRCd send ERROR : to all
   links with possible reason for RESTART; like /die does it. [Backport, sts]
 - Added set::ssl::server-cipher-list, #002368 requested by Beastie
   [Backport, sts]
 - Added set::ssl::renegotiate-bytes, set::ssl:renegotiate-timeout, #0002971
   suggested by tabrisnet. Gets activated when >0. Please set sane values.
   [Backport, sts]
 - #0002475 reported by aquanight on detecting \'s in module filenames on
   win32 and not do ./module for it [Backport]
 - #0002172 reported by Stealth, patched by WolfSage, fixing if you have an
   admin block, and forget a semicolon on a line, Unreal will proceed to use
   the block with no error, but the information will be incorrect/incomplete.
   [Backport, WolfSage]
 - #0002833 reported and patched by tabrisnet, implementing UHNAMES
   [Backport, only slightly modified for speed]
 - #0001924 - requested by syzop: Added ./unreal gencloak, which generates
   random keys 10 ~ 20 characters in length (*NIX only). [Backport, aquanight]
 - #0003313 reported by Stealth, regarding not erroring/warning when me::name
   is bigger than HOSTLEN, from now it will error on config read. [Backport, sts]
 - /REHASH -all not case sensitive
 - Win32 makefile: removed /MAPINFO:LINES, since visual studio 2005 and up
   don't support this and will fail to compile UnrealIRCd. This fixes #3680,
   reported by therock247uk.
 - Upgraded c-ares to 1.6.0 (also now using pkg-config).
   If you get a "undefined reference to `clock_gettime'" error, then you
   might consider installing 'pkg-config' on your system, and then simply re-run
   ./Config and make, should fix things.
   TODO: testing! testing! i'd like to be sure this c-ares is stable!
 - Win32 compile fixes.
 - Upgraded c-ares on windows to 1.6.0 as well.
 - Win32: build w/manifest. Looks like Unreal@Win32 now actually works again :).
 - except ban { } is now also effective against Z:lines. It already protected
   when the user was connected, but not once he/she tried to reconnect, this
   is now fixed. Reported several times, last by Stealth in #0003377.
 - Fix crash if settime/expirytime is out of range in TKL, set by another server.
   Should never happen except when using faulty services or when something else
   got horrible wrong (like a date which is 40 years ahead). Reported by
   Darth Android (#0003738).
 - Fix NAMES with UHNAMES support, screwed it up at 'Win32 compile fixes' a
   few lines up...
 - Fix OOB read caused by UHNAMES support.
 - Added some countermeasures against crash-on-boot, #0003725 and #0003653,
   reported by Ablom2008 and mist26.
 - Win32: rebuild TRE for Vstudio 2008 (and ditch C++ / MSVCP... dependency).
 - Added release notes (not finished yet).
 - Added set::watch-away-notification which can be set to 'no' to disable
   WATCH away notification. The default is 'yes' (=enabled).
 - Fixed crash which could happen when rehashing while linking to a server,
   this could be #0003689 reported by Monk.
 - New HOOKTYPE_LOCAL_NICKPASS: the 2 parameters are: sptr (client) and nsptr
   (NickServ client, NULL if not present). You can return 1 (HOOK_DENY) to
   make the IRCd not send IDENTIFY to NickServ. Suggested by tabrisnet
   (#0003739).
 - A notice is now sent when listing spamfilters through /SPAMFILTER just
   like /stats f. Bug #0003752 reported by Strawberry_Kittens, similar to
   #0002533.
 ** 3.2.8-rc1 release **
 - Added documentation for set::spamfilter::slowdetect-warn,
   set::spamfilter::slowdetect-fatal, set::ssl::server-cipher-list,
   set::ssl::renegotiate-bytes, set::ssl::renegotiate-timeout,
   set::watch-away-notification and ./unreal gencloak. Reported by Bock
   (#0003764).
 - set::ssl::renegotiate-bytes: fix when specifying a value such as 10m.
 - './unreal gencloak' now actually works
 - Fix typo in user mode q notice, reported by Strawberry_Kittens and others
   (#0003761). Patch provided by Stealth.
 - Fix for Mac OS X compile problem (in setpgrp), reported by Bock / Jckf
   (#0003767).
 - Possible fix for MAC OS X compile problem
 - Bump docdate..
 - Fixed OperOverride bug: if you are halfop you couldn't -q/-a, reported
   by Strawberry_Kittens (#0003758).
 - Added note to release notes regarding Suse 10.3 on amd64 causing a crash
   on-boot. #0003725, #0003653, #0003791.
 - Updated regex documentation in unreal32docs, it had some incorrect
   statements regarding wildcards. Reported by james2vegas (#0003800).
 - Added some big warnings regarding big timeshifts.
   In the IRCd world correct time is very important. This means that time
   should be correct when the IRCd is booted, either by running ntpd/ntpdate
   on the system or some other synchronization software, or by using the
   built-in timesync feature.
   Whenever the clock is adjusted for more than a few seconds AFTER the IRCd
   has booted, it can lead to dangerous effects ranging from unfair timestamps
   for nicks and channels (and hence the possibility to takeover channels),
   to even completely stalling the IRCd (negative timeshift) or making it so
   nobody can connect anymore due to throttling (positive timeshift).
   We now try to 'fix' the worst effects such as the IRCd freeze and
   throttling. This does not fix the whole problem, so I've added some big
   warnings when the clock is adjusted, including an annoying one every 5
   minutes if the clock was set backwards, until the time is OK again
   (catches up with the original time).
   This fixes #0003230 reported by Stealth, and #0002521 reported by durrie.
 - Throttling time is now more accurate, especially with larger time values
   such as 3 connections per 60 seconds. Previously that -could- result in
   3 per 90 seconds due to timer inaccuracy (which was max <time>*1.5), now
   it would be max 65 seconds (max 5s inaccuracy, lower with lower times).
 - Smallll fix for time shift protection
 ** 3.2.8-rc2 release **
 - Some text fixes regarding time shift feature
 - Fix for compile problem on FreeBSD (and possibly other OS's):
   - When pkg-config is present but does not recognize --static, use
     default c-ares library options.
   - Set default c-ares library options to -lcares on FreeBSD and others.
     Set to -lcares -lrt on Linux (previously was -lcares -lrt for all).
   Thanks to goldenwolf for the bugreport (#0003803) and providing a test-
   shell to trace this issue down.
 ** 3.2.8-rc2 *NIX downloads replaced **
 - 'link xx with SSL option enabled on non-SSL compile' was incorrectly
   printed out as a warning, when in fact it's an error (and was treated as
   such). Same for ZIP on non-zip compile. Reported by Stealth (#0003833).
 - Fixed harmless (but silly) message which happened on every IRCd boot
   (time jump message).
 - Updated credits (donations)
 ** 3.2.8 release **

As usual, you can download UnrealIRCd from http://www.unrealircd.com/

MD5 checksums:
53dd20a7581670997400a74fa0bb674a  Unreal3.2.8.tar.gz
3bc329c9892959df8f40ebc7359110fc  Unreal3.2.8.exe
5246701fcf90bcb8b1bf1c3f18575807  Unreal3.2.8-SSL.exe

SHA1 checksums:
4b03254d5e19b827f0653a083c0b7f895914b8be  Unreal3.2.8.tar.gz
a6c6002b161b623df4e44e2f070b2e80bf2af78c  Unreal3.2.8.exe
26ff2e3aad0dd6638009483696b44fe7c198c355  Unreal3.2.8-SSL.exe

Thanks go to:
* Stskeeps for his work on the UnrealIRCd project over the past 10 years
* All people who reported bugs and contributed by supplying patches
* Everyone who has helped with testing the 3.2.8-RC's

Thanks also to our users (3.2.7 had a new download record of over 200,000),
for keeping UnrealIRCd the #1!

	Syzop / The UnrealIRCd Team.

[1] http://forums.unrealircd.com/viewtopic.php?t=5701 {Stskeeps says goodbye}

- --
Bram Matthys
Software developer/IT consultant        sy...@vu...
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D  1811 E1C3 D65F E6ED 2AA2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFJqvLX46ioc5305a8RArurAJ9MX840hCFBMjImxEeTN/X5xZDscACfZE6s
0N2zIGD4oYzg6oUHtZpPhyk=
=67Rx
-----END PGP SIGNATURE-----

Unreal3.2.7 release and important strategy change

[Carsten M. <cvm...@da...>]

[ Strategy change ] - This is important, please read.

Unreal3.2.7 will be released on 14th July 2007 - marking 8 years since 
the first UnrealIRCd release. With this, we've decided to do a rather 
big change in strategy. Fact is, the Unreal3 code base has gone stale 
and is not suitable to service your IRC networks for 8 more years.

We've been working to improve this code base but run into serious issues 
constantly due to old code laying about and design decisions in the past 
by previous coders that has locked us into an IRCd that can hardly evolve.

In light of this, and through that people have worked on a IRCd from 
scratch, in C++ - InspIRCd. InspIRCd was made by people who initially 
used Unreal, but foresaw that something radical was needed to fix the 
IRCd code base so many IRCds share.

InspIRCd was partly inspired by Unreal and this means that it will be 
easier for us to move on to the logical step - we're forking InspIRCd 
(through a tight cooperation with them), to give
you Unreal4.0. For more information on the new core, see 
http://www.inspircd.org - any documents
dealing with module coding, server protocol, etc, works for Unreal4 too 
- as we will be the project that extends from bare (InspIRCd) to 
colourful and featureful (UnrealIRCd) and the goal is to be able to move 
modules from Unreal to InspIRCd without problems.

The target is for both development teams to work what's their speciality 
- we're dedicated to give our users service, implement features and 
maintain stability and innovate, where InspIRCd also has some of these 
qualities, but focuses more on a base IRCd that can be extended
with new features through modularity and maintaining a stable core that 
just works and performs well.

The fork will not be a hostile one - the idea is to have a shared core 
(InspIRCd) and we work together on inventing and implementing new ideas 
that can be added through the module system, and we will work alone on 
features that InspIRCd coders may not want to touch and reverse.

We hope to shape InspIRCd in our image and provide an Unreal4 that feels 
like an Unreal3 - same configuration format, same quality documentation, 
support, etc, and in the progress give you users the ability to have a 
"modern" IRCd that can handle loads and loads of users, and still give 
you the choice to choose what features your network wants to use.

The Unreal3.2 branch will continue mostly as bug fixes - and adding 
ability to link to Unreal4, so we're not giving up on you people who 
want to keep on running Unreal3, but when this link is stable (in 3.2.8 
- based off 3.3), and Unreal4 is as feature complete with Unreal3, we 
stop supporting Unreal3.

So, how will this affect you? We could need a hand. Enter the 
development wiki on http://dev.unrealircd.com/unreal4_development - aid 
out and find out what we're missing in Unreal4 to make it an IRCd you'd 
switch to. Test the SVN, find bugs we introduce, and we hope this 
cooperation between InspIRCd and UnrealIRCd will lead to a new age in 
IRCd development and for IRC networks in general - since we have many 
new ideas we can try out together.

Hang out in #unreal-devel on irc.unrealircd.com - we're interested in 
having you along. Making modules should be slightly easier from now on 
as well.

[ New Website ]

Our webmaster, nate, has redesigned UnrealIRCd.com for us - if you have 
comments on the design or any aspect of the new website, please comment 
in the IRC channel or in the comments on this new item.


[ Unreal3.2.7 ]

As a minor sidenote, we've also released Unreal3.2.7, with some minor 
changes yet important - elaborated in Changes. The IRCd can be 
downloaded through http://www.unrealircd.com

- Updated c-ares to 1.4.0, TRE to 0.7.5
- chmode +L does no longer require chmode +l
- Oper blocks now can have CIDR, as in "userhost *@127.0.0.1/32";
- Services coders: SVSNOLAG/SVS2NOLAG (described in Changes) will allow 
a user to avoid fake lag (ie, flood as much as he/she wants).
- More intelligent accept() handling - that is, take in multiple times 
at a time instead of one per I/O loop
- A lot of bug fixes, basically.

[ Known issues found in testing ]

- CHROOTDIR does not work nicely together with the new patch where you 
can do hardcoded
IRC_USER / IRC_GROUP (setuid / setgid with names), due to having to look 
up password files.
- Spamfilter warn does not work with /setname
- Documentation is not complete
- There is a problem with bans getting truncated we are still trying to 
investigate. Happens in 3.2.6 too.

/Stskeeps

Unreal3.2.6 released

[Bram M. (Syzop) <sy...@un...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As an (early) Christmas present we've released UnrealIRCd 3.2.6.
This release comes with tons of bugfixes and is a recommended upgrade.

Our coders contest held after previous release has resulted in two new
coders in our team. Welcome aquanight and Trocotronic!

I'd like to stress that contributors are still very much welcomed,
especially C coders willing to spend time on making patches for bugs
or features. As a contributor you can work on things anytime you
please, without having to become an official coder with all it's
added responsibilities.
While we now have two new coders, and 2-3 contributors, it's still far
from ideal and not entirely what we hoped for. To be able to have an
Unreal 3.3 release in 12-18 months we would really need some extra help.
See http://dev.unrealircd.com/wiki/how_to_help_out for more information.
If you still have any questions or doubts on how to help out as a C coder
or what procedures to follow, then don't hesitate to email me at
sy...@un...

Release notes follow...

 Unreal3.2.6 Release Notes
 ==========================

 ==[ GENERAL INFORMATION ]==
 - If you are upgrading on *NIX, make sure you run 'make clean' and './Config'
   first before doing 'make'
 - The official UnrealIRCd documentation is doc/unreal32docs.html
   online version at: http://www.vulnscan.org/UnrealIRCd/unreal32docs.html
   FAQ: http://www.vulnscan.org/UnrealIRCd/faq/
   Read them before asking for help.
 - Report bugs at http://bugs.unrealircd.org/
 - When upgrading a network, we assume you are upgrading from the previous
   version (3.2.5). Upgrading from 3.2.3 or 3.2.4 should be ok as well.
   However, if you have a network running with servers that are several versions behind
   (eg: 3.2.1) then you might experience small (desynch) problems.
   Please also minimize the time you have multiple versions running, a few days or
   one week is generally not a problem, but having mixed versions on a network for several
   weeks or months is not recommended.
 - The purpose of the sections below (NEW, CHANGED, MINOR, etc) is to be a SUMMARY of
   the changes in this release. There have been 80+ changes, and trying to mention them
   all would be useless, see the CHANGELOG section for the full list of changes.

 ==[ NEW ]==
 - None. Except some behavior changes, see next.

 ==[ CHANGED ]==
 - SSL: The server certificate and keys can now be reloaded via '/REHASH -ssl', no
   restart needed anymore.
 - IRCOps can now view the bans of a channel ("MODE #channel b") from the outside
 - Moved failed /OPER attempt notices to snomask +o and made them sent to all servers.
   This means all failed oper attempts can now be seen globally. Plus, the UID is now
   always shown (like for incorrect host and maxlogin), unless trying an unknown oper acc.
 - The annoying "please type /quote pong" message is now no longer shown on connect, unless
   explicitly enabled by setting set::pingpong-warning to 'yes'. (mainly Windows)
 - /INVITE's from people on the silence list are now silently ignored
 - SAPART now works for multiple channels (again)
 - Non-SSL users are now kicked when netsynching and channel is +z (SSL only)
 - No longer showing server numerics in /MAP to non-opers (too confusing anyway)
 - Updated ukrainian-w1251, belarussian-w1251 and catalan character sets
 - Spamfilter + IPv6: for target 'u' (nick!user@host:realname bans), the 'host' part
   is now in brackets if it's an IPv6 address (eg: blah!blah@[1:2:3:4:5:6:7:8]:hello)
 - loadmodule errors are improved
 - Snomask 'N' will no longer show nick changes of U-lined servers
 - The set::dns block is now no longer mandatory, because it is actually not used
   (except for set::dns::bind-ip) and fetched from /etc/resolv.conf (*NIX) or the
   registry (Windows) instead. This has always been the case, but has never been documented.
 - Various doc updates ('/HELPOP ?EXTBANS', and some unreal32docs improvements)

 ==[ MAJOR BUGS FIXED ]==
 - Crash if link::options::quarantine was used
 - Another crash which could happen in some rare cases
 - Throttling was not always being applied correctly
 - Windows 2003: Fixed crash on-boot if no nameserver was set
 - Windows: Fixed /RESTART not always working properly (leaving the ircd dead)

 ==[ MINOR BUGS FIXED ]==
 - Remote includes: should now work with latest curl again, due to c-ares upgrade
 - a bunch of OperOverride bugs.. messages being sent when they shouldn't, some things
   not being logged or broadcasted, and more.
 - Sometimes no message was shown when a link to an SSL server failed
 - Desynch problem caused by +Q
 - SAJOIN now properly deals with +z channels
 - "MODE #channel" showing extended channel mode parameters if not in channel
 - Channel Mode 'f' did not properly eat a parameter on unset (even though it would
   show like it did), this could have caused desynchs in some cases.
 - Fixed handling of CNAME's once again (now showing original name instead of fwded name)
 - The "looking up your hostname" message was always sent, regardless of show-connect-info
 - deny link { } blocks were being ignored by autoconnect
 - Windows: SSL private key prompt caused a crash
 - Windows: Unable to write to service.log caused a crash
 - set::allowed-nickchars could cause a segfault for some unknown languages
 - If class::connfreq was omitted and used for a server link, this would cause a huge
   connection flood when autoconnect was used.
 - set::dns::bind-ip was seen as a duplicate when it actually wasn't
 - And more... see Changelog

 ==[ KNOWN ISSUES ]==
 - Regexes: Be careful with backreferences (\1, etc), certain regexes can slow the IRCd
   down considerably and even bring it to a near-halt. In the spamfilter user target it's
   usually safe though.
 - Regexes: Possessive quantifiers such as, for example, "++" (not to be confused with "+")
   are not safe to use, they can easily freeze the IRCd.

 ==[ SERVICES / CODERS ]==
 - Note: this is a new section, it describes changes specifically for services coders
   and unreal module coders. Note that other changes (such as new modes, etc) mentioned
   elsewhere in this document might affect you as well. For more info about a particular
   change mentioned below (such as a new hooktype), see the Changelog.
 - New hooktype: HOOKTYPE_SILENCED (called when a message is not delivered due to silence)
 - New hooktype: HOOKTYPE_POST_SERVER_CONNECT (called after users synched to remote server)
 - Fixed CALLBACKTYPE_CLOAK_EX, wasn't working properly at all
 - Fixed SVSNICK: cAsE cHaNgE no longer causes a collision, fixed QUIT not being sent
 - SVSMODE/SVS2MODE: when doing -x on a user, the virthost is removed from memory.
   This means services can now properly "unvhost" a user and give them back their cloaked
   host by doing "SVSMODE User -x+x".
 - Services timestamps for users are now properly treated as unsigned long, previously
   some trouble could arise when netsynching for values larger than 2147483647.
 - 'SVSMOTD !' now removes the svsmotd from memory as well.
 - Fixed SVSMODE -b User not always removing all bans for that user (specifically, bans on
   the cloaked host, when the user has a vhost).
 - Fixed SVSO - not removing coadmin (+C)

 ==[ CHANGELOG ]==
 Changes sine 3.2.5:
 - c-ares resolver: upgrade from 1.3.0 to 1.3.1. This mainly fixes compile problems,
   including one reported by frigola on an old Sun Cobalt RAQ3.
   It will probably also fix an issue with the just released curl 7.15.4, if compiling
   with remote includes.
   TODO: Update win32 (not urgent)
 - Added HOOKTYPE_SILENCED: this is called whenever a message did not get delivered to a user
   because the user was on the silence list.
 - Added OpenBSD 3.9 to the supported OS list.
 - Made it so undefining SHOW_SECRET (not the default) properly hides +s channels from ircops
   (except netadmins), as it should. Reported and patch supplied by Jason (#0002965).
 - Fixed tld::options:: not working properly, reported by DelGurth (#0003003).
 - Fixed problem with oper as chanadmin kicking himself causing an operoverride notice,
   reported by Bock (as part of #2889).
 - Fixed desynch problem with +Q, reported by tabrisnet (#0002992).
 - Updated doc/coding-guidelines
 - Added bugs.* url to /info, was still showing some email address.
 - Fixed forgotten operoverride logmessage (kick if chan +Q), reported in #2889.
 - Fixed operoverride message if oper is +h and -h's himself, reported by Bock (#2889).
 - Fixed SVSMODE -b [user] not always removing all bans (specificly, bans on the cloaked
   host when you have a vhost), a code cleanup was also done. Based on patch from tabrisnet.
   Reported by Rob (#0002981).
 - MARK: 3.3* was forked off from here
 - Removed server numeric output from /MAP for normal users (still visible to ircops).
 - Renamed unreal32docs.tk.html to unreal32docs.tr.html
 - Module coders: Added HOOKTYPE_POST_SERVER_CONNECT (1 param: cptr) which is called when
   a server connects, just like HOOTYPE_SERVER_CONNECT but this is actually called *after*
   all clients and channels are synched. Obviously needed for some modules which must synch
   data that refers to clients/channels that would otherwise not exist yet on the other side.
 - The server SSL certificate and private key can now be reloaded without requiring a server
   restart, simply use: /REHASH -ssl
 - Small compile fix for above
 - Fixed /SAJOIN able to join insecure users to +z channels, reported by phedny (#0002601).
 - Fixed SSL crash problem due to previous SSL change.
 - Fixed some bugs in webtv code that could have caused trouble in the future (off by one),
   reported by Ilja van Sprundel.
 - Module coders: Fixed CALLBACKTYPE_CLOAK_EX, it was not working properly at all.
 - Fixed bug in MODE #channel showing extended channel mode parameters when not in #channel.
 - Made 'MODE #channel b' and friends show bans to ircops even when not in channel.
 - Fix for channel mode +f: It incorrectly didn't eat a paramter on unset (ouch!), even
   though it always acted like it did in the MODE line sent to the channel. This bug caused
   desynchs in some cases. Bug reported by Korfio (#0003048).
 - Fixes to SVSNICK: case-change no longer causes a collision, don't return the value from
   exit_client (which would be FLUSH_BUFFER), fix QUIT not being sent back on collision.
 - Fix for above so it doesn't -r the client.
 - Fixed small memory leak in resolver (~40 bytes when connecting to a server)
 - Made Unreal use the original name in case of a CNAME, instead of the forwarded name,
   reported by jerrcsnet (#0003054).
 - The "looking up your hostname" message was always sent, regardless of show-connect-info.
 - Kick non-SSL users when the channel turns out to be +z during netmerge, reported by
   Ron2K (#0002942).
 - Windows 2003: Fixed UnrealIRCd unable to boot if no DNS server is configured, we now
   fallback to set::dns::nameserver in such a case. Thanks to Romeo (reporter, #0002802)
   and Bock for tracing this down.
 - Fixed cloak cutoff problem with long hosts.
 - Added doc/help.tr.conf (Turkish), translated by Diablo.
 - Added doc/example.tr.conf (Turkish), translated by ironic.
 - Fixed zlib version check: 1.x is compatible with all 1.*, etc. (#0002966).
 - Fixed a couple of add_Command/del_Command lines in m_chgname and m_helpop trying to
   add the same token twice. Didn't cause any trouble, normally, though...
 - Updated ukrainian-w1251 and belarussian-w1251 charsets: some characters were previously
   included that shouldn't. Reported by avb (#0003102), patch supplied by Bock.
 - Made it so that when 'java' is enabled for a listen block, then the 2nd parameter to
   NICK is not seen as a password on this port. Patch from afolentes (#0003097).
 - Fixed some unitialized pointer things for win32 w/ssl on keyprompt, no idea if it
   helps, though. Would appreciate it if another code looks into this. -- Syzop
 - Fixed SVSO - not removing coadmin (+C). Reported by Muisje (#0003077).
 - Fixed deny link {} blocks being ignored by autoconnect. Reported by a couple people,
   also see #0003084.
 - Fixed m_names.so not being build (a problem for people not using commands.so),
   reported by aegis (#0003085).
 - Using SVSMODE (or SVS2MODE) to set -x will now actually remove the vhost from memory,
   instead of letting it magically reappear whenever +x is set. This means services can
   now properly "unvhost" a user by sending a "SVSMODE User -x+x" (then any existing vhost
   will be removed and user will have a cloaked host). Reported by avenger and others
   (#0002933).
 - [internal] Made a spamfilter_build_user_string function that will build the spamfilter
   user target string (nick!user@host:info), insteaf of doing it at like 5 places.
 - Spamfilter target 'u' (user): the host field (nick!user@HOST:realname) is now escaped
   with brackets if it's an IPv6 address, eg: blah!blah@[1:2:3:4:5:6:7:8]:hello, reported
   by aquanight and others (#0003010).
 - Win32: SSL private key prompt should now no longer crash. Patch provided by Alexey
   Markevich (#0002866).
 - Win32: we now no longer crash if no access to write to service.log, suggested and
   patch by Xuefer (#0002886).
 - Services timestamps are now always treated as an unsigned long (0..2^32-1), instead
   of accidently as signed long during netsynchs. This bug caused issues with values
   larger than 2147483647. Reported by avenger (#0002980).
 - If the 'crypt' algorithm is used, then passwords were/are truncated to 8 characters.
   We now print a warning when this happens (both on the IRC command and command-line).
   Suggested by JasonTik (#0002953).
 - Win32: Fixed a few compiler warnings, suggested by Zell (#0002890).
 - Moved a couple isatty() calls to DEBUGMODE (#0002945).
 - Made win32 compile again, reported by Bock (#0003106).
 - Moved failed oper snotices to snomask +o, and are sent out to all servers. Also now
   shows the uid attempted (like [FAILEDAUTH] does) for incorrect host or maxlogin.
 - Fixed set::allowed-nickchars causing a segfault for some unknown charsets, reported
   by avb (#0003069).
 - Cutoff webtv whois at MAXTARGETS (#0003004).
 - loadmodule now reports proper errors when the actual file can't be found, instead of
   blaming it on the temp file, reported in #3015.
 - Fixed 'SVSMOTD !' not deleting the services motd in memory, reported by avb (#0003110).
 - Snomask N: Don't show nickchanges for U-lines, reported by seneces (#0002636).
 - Fixed set::dns::bind-ip directive seen as duplicate, reported by aegis (#0003074).
 - set::dns::* block is now no longer mandatory. All info has always been read from
   /etc/resolv.conf (*NIX) or the registry (Win32), and the set::dns block is ignored
   (except for set::dns::bind-ip, but that's a special case). Suggested by many including
   djGrrr to make things slightly more logical (#0003019).
 - As a consequence of the above, set::dns blocks were removed from doc/example*conf.
 - Added two more characters to Catalan charset, reported by rmh (#0002995).
 - Added set::pingpong-warning [yes|no] which decides whether to send the "** If you are
   having problems connecting due to ping timeouts, please type /quote pong .." message
   to each client when NOSPOOF is enabled (usually on Win32). The default is NO.
   Previously this message was always sent if NOSPOOF was on, which often caused
   confusion among users. The message was intended for non-confirming clients, but these
   should be fixed by now, and those that were not fixed (self-made bots/etc) did often
   not understand the message anyway. Anyway, you can still turn it on ;). (#2680).
 - /INVITE's from people on the silence list are now (silently) ignored, suggested by
   White_Magic (#0002478).
 - Fixed a couple of typos and other one-line-text fixes at various places: reported by
   aegis (#3081), DanPMK (#2818), tabrisnet (#2974, #2970, #2467), penna (#2721),
   Brad (#2488), vonitsanet (#2467).
 - Made OpenSSL version dynamic, reported by buildsmart (#0002975).
 - Rejecting fake +z modes in conf, reported by rve (#0002532).
 - Changed some minor Makefile stuff
 - Fixed belarussian-w1251 charset.. accidently copied a "'" which caused an internal
   error, reported by Bock (#0003114).
 - Added information about extbans to help.conf (/HELPOP ?EXTBANS). Patch from Bock
   (#0003113).
 - Made SAPART work for mulitple channels, just like SAJOIN. Reported by Snake and
   SeigHart, patch provided by Bock (#0003064). This also fixes SAPART now being
   announced to all opers globally, just like SAJOIN.
 - Finally fixed /RESTART issue on windows for good, should now always restart correctly.
   Patch provided by BuHHunyx and Bock (#0002734).
 - Fixed charsys config error message sometimes saying stuff about set::accept-language,
   which should be set::allowed-nickchars (the former does not exist). Reported and
   patch provided by avb (#0003122).
 - Fixed compile bug on Solaris due to missing INADDR_NONE, fix provided by Schak
   (#0003125).
 - Fixed bug where omitting class::connfreq would result in a huge connection attempt
   flood when autoconnect was enabled. We now set class::connfreq to 60 if it's not
   specified. Reported by Milliways (#0003018).
 - Improved description of link::hub/leaf/leafdepth in unreal32docs.html reported by Bugz
   (#2623), also fixed typo (leafdepth, not leaf-depth), reported by monas (#3083).
 - c-ares resolver: upgrade to 1.3.2.
 - upgraded windows c-ares (areslib.lib) as well.
 - fix for above
 - Added release notes for 3.2.6
 - Fixed help.conf typo
 ** 3.2.6-rc1 release **
 - Get rid of some old stuff in release notes
 - Added donators since 3.2.5
 - Setting set::pingpong-warning didn't work, reported by vonitsanet, patch supplied by
   avb (#0003131).
 - Don't show silence list to others
 - Improved detection of bad set::modes-on-oper and oper::modes, now rejecting things like
   'o', 'z', and more.
 - Fix from above fixes an /OPER announce problem reported by Bock (#0003135).
 - Fixed SSL bug where an outgoing connect (either autoconnect, or /connect), would not
   show any error message when it failed. Error information has also been slightly
   improved. Reported by vonitsanet (#0003138).
 - Updated SVSNLINE syntax in help.conf (the remove-syntax).
 - Post-3.2.5 CVS-only bug: Fixed spamfilter on user target not working properly when
   changing nicks (was still trying to match on the old nick), reported by vonitsanet
   (#0003143).
 ** 3.2.6-rc2 release **
 - Fixed possible crash with using quarantine, reported by Sephiroth (#0003151).
 - Showing even more SSL server errors now, hopefully all of them, also changed the
   error notice a bit so it's much more like non-SSL server link errors. Reported by
   vonitsanet (#0003150).
 ** 3.2.6-rc3 release **
 - Updated release notes, mass-change of version number, no code changes.
 ** 3.2.6 release **

As usual, you can get it from http://www.unrealircd.com/

All our releases are PGP signed (well, with GPG) with our releases key:
rel...@un... [0x1C8A554E] which you can grab from
http://www.unrealircd.com/pgp/release_key.asc
This is the same release key that was used for signing 3.2.3 and up.

By popular request, here are the checksums again...

MD5 checksums:
611ad9a3c524204b0d382409a09abf6c  Unreal3.2.6.tar.gz
4c3186ee7dc3398bddf40f0a7fe234be  Unreal3.2.6.exe
2e17b8744977929b8e5c61d95700c667  Unreal3.2.6-SSL.exe

SHA1 checksums:
60481664d448030e5369d20885d5807323e29e81  Unreal3.2.6.tar.gz
463a4f349c6e2eb924464d61a658d0c3d4278e35  Unreal3.2.6.exe
cd71812cc020619f6f9392e408d43b565ec44993  Unreal3.2.6-SSL.exe

Thanks to everyone who contributed to this release: bug reporters,
coders, contributors, translators and testers.

Thanks also to YOU for using UnrealIRCd, keeping it the most
popular IRCd out there (55,225 downloads of Unreal3.2.5)!

Merry Christmas and a happy new year to everyone!

	The UnrealIRCd Team.

- --
Bram Matthys
Software developer/IT consultant        sy...@vu...
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D  1811 E1C3 D65F E6ED 2AA2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFjSx04cPWX+btKqIRAnDmAKDMvKwsxJETO0KanVcmv2wzpUk0RACfRIGz
cUCtiTh9XLidOmTDDGJRv2Q=
=DoCd
-----END PGP SIGNATURE-----

Security advisory: OpenSSL issue affects UnrealIRCd

[Bram M. (Syzop) <sy...@un...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NOTE: This security advisory is only relevant to people who have SSL
support enabled in their IRCd. If unsure, just read on.

SUMMARY
========

Yesterday, OpenSSL released a security advisory[1], stating that
multiple security bugs have been fixed. Most of these are DoS (Denial of
Service) issues. In this case it means an attacker could make the IRCd
eat up huge amounts of CPU and/or memory, effectively freezing the IRCd.

This is a bug in the OpenSSL library we use, not in the IRCd.
But, the UnrealIRCd team is:
A) Releasing a new Win32-SSL version to fix this issue (shipping with
   updated OpenSSL DLL's)
..and at the same time..
B) Warning the public that this bug impacts UnrealIRCd servers
   (just like it impacts apache-ssl, and any other programs relying on
    OpenSSL)


HOW TO CHECK IF YOU ARE VULNERABLE
===================================

All IRC commands below should be executed as an IRCOp.

STEP ONE
*********

To check if you have any open SSL ports you do '/STATS P' (upcase 'P',
so *NOT* '/STATS p'). This will show something like:
*** Listener on ....:...., clients ... is PERM SSL
(multiple lines might be outputted)

If any of these lines have the word 'SSL' in it, then you have SSL
enabled. Go to STEP TWO.

If all lines are without 'SSL' (eg: only '.. is PERM') then you are
generally not at risk. If you're extremely paranoid then you can still
upgrade, of course. There's a small risk if you are using SSL for
outgoing server connections (link blocks). Personally I wouldn't bother
doing an IRCd restart for that, but that's up to each admin to decide.

If it didn't show any lines with 'Listener on' in it, then you did
something wrong.

NOTE: If ANY listener is 'SSL' then you could be vulnerable (go to next
step). It doesn't matter whether the port is 'seversonly' or not. The
bug can be triggered before being registered.

STEP TWO
*********

To check out which OpenSSL version UnrealIRCd is using, you do
'/VERSION' on IRC as an IRCOp. You will then get a notice like:
- -server.somenet.net- OpenSSL 0.9.7e 25 Oct 2004

OpenSSL has two series, 0.9.7* and 0.9.8*. The particular bugs we are
talking about have been fixed in both series in:
* OpenSSL 0.9.7l (and later)
* OpenSSL 0.9.8d (and later)

Windows users: if it shows anything other than these versions, then you
are vulnerable, continue to HOW TO FIX.

Unix users: if it shows any of the versions of above, then you are safe.
If it shows an older version, then you could be vulnerable. The problem
with checking version numbers is that many *NIX distributors are
backporting fixes (which is generally a good idea btw), the consequence
of this is that bugs are fixed but the version number is not updated.
See HOW TO FIX.


HOW TO FIX
===========

Windows users:
Go to http://www.unrealircd.com/?page=downloads and (re)download the
Unreal3.2 (Win32-SSL) version. When running the installer, the first
screen will show 'Unreal3.2.5 (w/openssl0.9.8d)' so you can easily see
it's the updated version. To verify for sure, see VERIFYING THE FIX.

*NIX users:
Check out your distributor to see if a fixed package is available, and
how to verify it is installed.

After the fix is installed, you will have to restart your IRC server.


VERIFYING THE FIX
==================

To verify that the fix is installed, you can check out '/VERSION' as an
IRCOp on IRC again. For windows users it should show '0.9.8d'. For *NIX
users, it might not show that even if the fix is installed, as mentioned
ealier, use other means to verify the fix is installed (again, consult
the security advisory of your distributor).


REFERENCES
===========

[1] OpenSSL security advisory:
    http://www.openssl.org/news/secadv_20060928.txt

[2] This security advisory:
    http://www.unrealird.com/txt/unreal325sslfix.txt

- --
Bram Matthys
Software developer/IT consultant        sy...@vu...
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D  1811 E1C3 D65F E6ED 2AA2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFFHX+h4cPWX+btKqIRAro3AJ9qP4ul16aw5KOZxOstk81CRq9b6QCeMwFV
UyyqjoyPc+2wzfvKUGtPwdE=
=Jut0
-----END PGP SIGNATURE-----