unreal-notify Mailing List for UnrealIRCd (Page 7)
From: Bram M. <sy...@vu...> - 2015-06-11 16:31:33
SECURITY ADVISORY
==================
The OpenSSL project team sent out a security advisory today regarding several security issues that were found in the OpenSSL library. The OpenSSL library is used by UnrealIRCd when you compiled with SSL support.

Most of the reported bugs result in a server crash or hang: the attacker sends some bad data and the IRC daemon will crash or hang.
One other issue is a possible 'SSL downgrade' attack called "Logjam" which could make SSL/TLS connections easier to crack (decrypt), but only if the attacker has access to the network path between the client and the server.
The OpenSSL development team says there is NO risk for remote code execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries.
All Windows SSL binaries until today were using a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1 (Windows)
* Unreal3.4-alpha2 (Windows)
* Unreal3.4-alpha3 (Windows)
* Older Windows SSL versions are (very) likely affected as well

Unaffected:
* If you downloaded the non-SSL version for Windows
* Unreal3.2.10.4-SSL-fix2 (version shown by installer)
* Unreal3.4-alpha3-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install).
   This is often not needed, but is sometimes necessary.
   If you do this, then also recompile any 3rd party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not a regular user!!), type '/VERSION' or '/QUOTE VERSION'.
If you have OpenSSL support compiled in you will see this:

-server.test.net- OpenSSL 1.0.2b 11 Jun 2015

Version 1.0.2b means you're good.
If you see 1.0.0 with a version lower than 1.0.1s, or 1.0.1 with a version lower than 1.0.1n, or 1.0.2 with a version lower than 1.0.2b, then you are possibly vulnerable, see next version.
If you see no such line at all, and again.. you are sure you are IRCOp, then it means the server does not have SSL support (no OpenSSL in use). You're safe.

TIP: You can also check remote servers, again only if you are IRCOp, by '/VERSION remote.server.name' or '/QUOTE VERSION remote.server'

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from https://www.unrealircd.org/
The installers have a filename like 'Unreal3.2.10.4-SSL-fix2.exe' and 'Unreal3.4-alpha3-fix.exe'
After installation, you see no change in UnrealIRCd version number. This is because no code in UnrealIRCd was actually changed. You can, however, verify the OpenSSL version, see previous block 'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the block '*NIX USERS' about 40 lines up.
Did you already follow these instructions and you still see an old version in use? Even after you restarted UnrealIRCd? On several Linux distros this is pretty common as vendors routinely backport security fixes without bumping the version number. So if you are on Linux, then after you followed the 4 steps mentioned in '*NIX USERS' then you more or less have to trust your vendor (and yourself).
NOTE: At the time this security advisory was sent, the OpenSSL security advisory has only been out for an hour or so, so your distro may not have a new OpenSSL version available yet!

==[ ADDITIONAL NOTES ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and the OpenSSL version is vulnerable, then if at least one port is reachable for the attacker it can be attacked. It doesn't matter if this is an SSL or non-SSL port and whether you have restrictive allow { } blocks or not.
In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-06-11 14:45 OpenSSL security announcement
2015-06-11 15:33 Downloads replaced
2015-06-11 16:05 Security announcement

==[ LINKS ]==
This advisory (and updates to it, if any) is posted to:
https://www.unrealircd.org/txt/unrealsecadvisory.20150611.txt
The OpenSSL security advisory can be found on:
https://www.openssl.org/news/secadv_20150611.txt

--
Bram Matthys
Software developer/IT consultant
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@vu...> - 2015-06-11 16:31:08
On a more positive note, the development of UnrealIRCd 3.4.x is going well.
I only just realized that I forgot to send an announcement out for 3.4-alpha2. No problem, 3.4-alpha3 just came out ;)
In 1-2 months we plan to move 3.4.x to 'beta' stage so we can have a 'stable' release by the end of this year (2015).

For UnrealIRCd module coders and developers we now have a development documentation available at https://www.unrealircd.org/docs/ which explains how to create a module from scratch and documents a lot of the UnrealIRCd API such as User & Channel modes, Hooks, adding new commands, Command Overrides, extended bans, storing per-user/per-channel custom module data, etc. etc.

During development of alpha2 and alpha3 we already noticed increased community interest and contributions to UnrealIRCd 3.4.x via GitHub. We hope that with this detailed technical documentation even more people will be interested in UnrealIRCd. Be it code or patches for inclusion in official UnrealIRCd or coding 3rd party modules.

Notable changes in alpha2 are that we now always compile with SSL/TLS support, we show the SSL Fingerprint in /WHOIS, and several crash bugs were resolved including a crash-on-boot problem that affected many.

Notable changes in alpha3 are in the /SPAMFILTER command (also supports non-regex, simple '?' and '*' matching), the move to PCRE regex engine which uses a slightly different syntax but is considerably faster, bcrypt password hashing support (very secure, now the default), more secure defaults, warnings when doing something insecure, etc.
There have been many changes in the configuration file so we now provide an easy to use tool which will convert your existing configuration file from 3.2.x or earlier 3.4-alpha's to the new style in 3.4-alpha3.

Full release notes below:

Unreal3.4-alpha3 Release Notes
===============================

This is the third 'alpha' version of UnrealIRCd 3.4. We plan to move to 'beta' stage in 1-2 months and have a stable 3.4.x release later in 2015.

IMPORTANT REMARKS as long as UnrealIRCd 3.4.x is in alpha stage:
* Because this is an alpha version it is far more likely to crash or hang.
* Security issues are handled as regular issues (no security advisories!)
* Linking with 3.2.x servers is supported but highly untested.
* Things are likely to change between alpha versions. Including but not limited to: configuration, command syntax, location of files, etc.

Therefore:
* You should never run 3.4-alpha3 as a production server
* You should not link 3.4-alpha3 with a production 3.2.x network

Please do:
* Install 3.4-alpha3 to play around, show to your friends, have fun with the latest features and improvements, test things.
* Report any problems, bugs, issues and other feedback on https://bugs.unrealircd.org/ so we can improve 3.4.x! During alpha stage we are still very flexible so feedback is really helpful.

Finally:
* If you are moving from 3.2.x then be sure to read 'CONFIGURATION CHANGES'!
* The documentation has not been updated to reflect the changes in 3.4.x.

==[ GENERAL INFORMATION ]==
* Documentation is still in doc\unreal32docs.html but - as said - is not up to date for 3.4.x. FAQ is on: http://www.unrealircd.com/faq
* Please report bugs at http://bugs.unrealircd.org/
* Below you will see a summary of all changes. Changes may be tagged when a change was made in a specific version, e.g. "(A3)" means 3.4-alpha3. For a complete list of changes (500+) use 'git log' or have a look at https://github.com/unrealircd/unrealircd/commits/unreal34

==[ CONFIGURATION CHANGES ]==
UnrealIRCd 3.4.x comes with an easy to use tool to upgrade your configuration file from the 3.2.x syntax to 3.4.x. If you already have a good working 3.2.x configuration file then this should make it very easy to move to 3.4.x.

After UnrealIRCd is compiled/installed you copy your unrealircd.conf over from 3.2.x (along with any other custom .conf's).
Then, on *NIX run './unreal upgrade-conf'.
On Windows simply try to boot and watch all the errors, click OK and you will be asked if UnrealIRCd should upgrade your configuration file.
UnrealIRCd will go through your unrealircd.conf and any other files that are included from there and upgrade the files one by one.
For both *NIX and Windows, after running the step from above, simply start UnrealIRCd (again) and it should boot up fine with your freshly converted configuration file(s).

Note: UnrealIRCd can only convert *working* 3.2.x configuration files! If your 3.2.x configuration contains mistakes or errors then the upgrade process will likely fail or the resulting config file will fail to load.

You may still be interested in the configuration changes, they are listed on: https://www.unrealircd.org/docs/Upgrading_from_3.2.x

==[ NEW ]==
* We moved a lot of channel and user modes to modules. These are all loaded by modules.conf, but if you don't want to load a certain module you can now simply comment them out or remove that line. Since a lot of code has been moved from the core to these modules it makes it A) easier for coders to see all source code related to a specific feature, and B) makes it possible to fix something and reload the module rather than restart the IRCd.
* Entirely rewritten I/O and event loop. This allows the IRCd to scale more easily to tens of thousands of clients by using kernel-evented I/O mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency and performance.
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Chanops will still see everyone joining normally as if there was no +d set.
* If you connect with SSL/TLS then your SSL Fingerprint (SHA256 hash) can be seen by yourself and others through /WHOIS. The fingerprint is also shared (broadcasted) with all servers on the network. In alpha3 we will add more features that will use SSL fingerprints. (A2)
* bcrypt has been added as a password hashing algorithm and is now the preferred algorithm (A3)
* './unreal mkpasswd' will now prompt you for the password to hash (A3)
* Protection against SSL renegotiation attacks (A3)
* When you link two servers the current timestamp is exchanged. If the time differs more than 60 seconds then servers won't link and it will show a message that you should fix your clock(s). This requires version 3.4-alpha3 (or later) on both ends of the link (A3)
* Configuration file converter that will upgrade your 3.2.x conf to 3.4.x. On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and after the config errors screen UnrealIRCd offers the conversion. (A3)

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and UIDs (User ID's). SIDs work very similar to server numerics and UIDs help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256 hash and validity of 10 years. (A2)
* Building with SSL (OpenSSL) is now mandatory (A2)
* The link { } block has been restructured, see https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block (A3)
* Better yet, check out our secure server linking tutorial: https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 (A3)
* password entries in the conf no longer require specifying an auth-type like password "..." { md5; };. UnrealIRCd will now auto-detect. (A3)
* You will now see a warning when you link to a non-SSL server. (A3)
* Previously we used POSIX Regular expressions in spamfilters and at some other places. We have now moved to PCRE Regular expressions. They look very similar, but PCRE is a lot faster. For backwards-compatibility we still compile with both regex engines. (A3)
* Spamfilter command syntax has been changed, it now has an extra option to indicate the matching method:
  /SPAMFILTER [add|del|remove|+|-] [method] [type] ....
  Where 'method' can be one of:
  * -regex: this is the new fast PCRE2 regex engine
  * -simple: supports just strings and ? and * wildcards (super fast)
  * -posix: the old regex engine for compatibility with 3.2.x. (A3)
* If you have both 3.2.x and 3.4.x servers on your network then the 3.4.x server will only send spamfilters of type 'posix' to the 3.2.x servers because 3.2.x servers don't support the other two types. So in a mixed network you probably want to keep using 'posix' for a while until all your UnrealIRCd servers are on 3.4.x. (A3)
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called oper::mask and vhost::mask. The usermask@ part is now optional and it supports two syntaxes.
  For one entry you can use: mask 1.2.3.*;
  For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow block was highly confusing (it was an OR-match) you must now choose between either allow::ip OR allow::hostname. (A3)

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added at https://www.unrealircd.org/docs/ describing things like how to write a module from scratch, the User & Channel Mode System, Commands, Command Overrides, Hooks, attaching custom-data to users/channels, and more. (A2+)
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades) but disallows unloading of a module (A3)
* There have been *a lot* of source code cleanups (ALL)

==[ MAJOR BUGS FIXED ]==
* Crash bug on-boot in alpha1 (A2)
* IRCOp commands such as /GLINE were not always working (A2)
* This is still an alpha release, so likely contains major issues

==[ MINOR BUGS FIXED ]==
* Errors in example configuration files (A2)
* Some fixes in delayjoin (Channel mode +d) (A2)
* Deal with services who allow you to log in by account name (A3)

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. (A1)
* PROTOCTL TOKEN and SJB64 are no longer implemented. (A1)
* Ziplinks have been removed. (A1)
* WebTV support. (A3)

==[ KNOWN ISSUES ]==
* Documentation has NOT been updated to reflect 3.4.x features!!!

--
Bram Matthys
Software developer/IT consultant
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@vu...> - 2015-03-19 20:37:44
SECURITY ADVISORY
==================
Several security issues were found in the OpenSSL library.
The OpenSSL library is used by UnrealIRCd if you compiled with SSL support.

At least one issue is a server crash: the attacker sends some bad data and the IRC daemon will crash.
As far as we know there is NO risk for remote code execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries.
All Windows SSL binaries until today were using a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.4-alpha1 (Windows)
* Older Windows SSL versions are (very) likely affected as well

Unaffected:
* If you downloaded the non-SSL version for Windows
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install).
   This is often not needed, but is sometimes necessary.
   If you do this, then also recompile any 3rd party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not a regular user!!), type '/VERSION' or '/QUOTE VERSION'.
If you have OpenSSL support compiled in you will see this:

[18:40:06] -server.test.net- OpenSSL 1.0.1m 19 Mar 2015

Version 1.0.1m means you're good.
If you see anything lower than 1.0.1m, such as "1.0.1h" then you are possibly vulnerable, see next section.
If you see no such line at all, and again.. you are sure you are IRCOp, then it means the server does not have SSL support (no OpenSSL in use). You're safe.

TIP: You can also check remote servers, again only if you are IRCOp, by '/VERSION remote.server.name' or '/QUOTE VERSION remote.server'

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from https://www.unrealircd.org/
The installers have a filename like 'Unreal3.2.10.4-SSL-fix.exe' and 'Unreal3.4-alpha1-fix.exe'
After installation, you see no change in UnrealIRCd version number. This is because no code in UnrealIRCd was actually changed. You can, however, verify the OpenSSL version, see previous block 'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the block '*NIX USERS' about 40 lines up.
Did you already follow these instructions and you still see an old version in use? Even after you restarted UnrealIRCd? On several Linux distros this is pretty common as vendors routinely backport security fixes without bumping the version number. So if you are on Linux, then after you followed the 4 steps mentioned in '*NIX USERS' then you more or less have to trust your vendor (and yourself).

==[ ADDITIONAL NOTES ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and the OpenSSL version is vulnerable, then if at least one port is reachable for the attacker it can be attacked. It doesn't matter if this is an SSL or non-SSL port and whether you have restrictive allow { } blocks or not.
In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-03-19 14:12 OpenSSL security announcement
2015-03-19 17:57 Downloads replaced
2015-03-19 20:15 Security announcement

==[ SOURCE ]==
This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsecadvisory.20150319.txt

--
Bram Matthys
Software developer/IT consultant
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

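The check described under 'HOW TO CHECK IF YOU ARE VULNERABLE' in the 2015-06-11 and 2015-03-19 advisories above, as an added Python example (not part of the advisories and not UnrealIRCd code). The function names, status strings and sample reply lines are constructed for illustration, and the 1.0.0-branch threshold is read as patch letter 's'.

```python
import re

# Fixed OpenSSL releases per branch, as named in the two advisories.
FIXED_2015_06_11 = {
    "1.0.0": "s",  # assumption: the 1.0.0-branch threshold is read as 1.0.0s
    "1.0.1": "n",
    "1.0.2": "b",
}
FIXED_2015_03_19 = {"1.0.1": "m"}

# Matches the library line of a /VERSION reply, for example
#   -server.test.net- OpenSSL 1.0.2b 11 Jun 2015
# Anything after the patch letters (such as a vendor "-fips" tag) is ignored.
OPENSSL_LINE = re.compile(r"\bOpenSSL (\d+\.\d+\.\d+)([a-z]*)")


def patch_rank(letters):
    """Order OpenSSL patch suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def classify_version_reply(lines, fixed):
    """Return (status, version) for the lines of one /VERSION reply seen as IRCOp.

    status is one of:
      'no-openssl'           no OpenSSL line at all: no SSL support compiled in
      'ok'                   patch level at or above the fixed release
      'possibly-vulnerable'  patch level below the fixed release; a distro may
                             have backported the fix without bumping the version
      'unknown-branch'       branch not covered by the advisory's version list
    """
    for line in lines:
        match = OPENSSL_LINE.search(line)
        if not match:
            continue
        branch, letters = match.groups()
        version = branch + letters
        if branch not in fixed:
            return ("unknown-branch", version)
        if patch_rank(letters) >= patch_rank(fixed[branch]):
            return ("ok", version)
        return ("possibly-vulnerable", version)
    return ("no-openssl", None)


# Constructed sample replies (server names are placeholders).
SAMPLE_REPLIES = {
    "hub": ["-hub.test.net- OpenSSL 1.0.2b 11 Jun 2015"],
    "leaf1": ["[18:40:06] -leaf1.test.net- OpenSSL 1.0.1m 19 Mar 2015"],
    "leaf2": ["-leaf2.test.net- OpenSSL 1.0.1e-fips 11 Feb 2013"],
    "leaf3": ["leaf3.test.net Unreal3.2.10.4 (constructed line without a library notice)"],
}


def audit(replies, fixed):
    """Classify every server's reply and return {server: (status, version)}."""
    return {name: classify_version_reply(lines, fixed)
            for name, lines in replies.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_REPLIES, FIXED_2015_06_11).items():
        print(name, *result)
```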
From: Bram M. <sy...@vu...> - 2014-07-31 19:50:04
To anyone using GitHub: the address has changed.
It's http://www.github.com/unrealircd/unrealircd now.
(rather than unreal-ircd)

Bram Matthys wrote, on 29-7-2014 13:44:
> Hi all,
>
> There has been a lot of activity on the UnrealIRCd project past few months!
>
> Index
> ======
> * UnrealIRCd 15 years!
> * New website
> * Survey results
> * Help us with development
> * UnrealIRCd 3.4
> * UnrealIRCd 3.2
> * Move to GitHub
> * GitHub/Twitter account
> * Finally
>
> UnrealIRCd 15 years!
> =====================
> In May of this year UnrealIRCd celebrated its 15th birthday.
> See http://forums.unrealircd.com/viewtopic.php?t=8271 where I thanked all
> past coders, contributors and the community (you!) for all the support.
> In the same article I also wrote about the past and future development of
> UnrealIRCd, openly speaking about the difficulties we have encountered and
> the challenges in moving forward.
>
> New website
> ============
> On UnrealIRCd's 15th birthday www.unrealircd.com got a new design as well.
> The new website is easier to navigate and just looks a lot more 'clean'.
> Thank n0kS for all the work on this.
>
> Survey results
> ===============
> I've made a document summarizing the results of the UnrealIRCd survey. In
> total 342 people completed the survey, (almost) all of them were admins
> running UnrealIRCd. Thanks *a lot*! This was really useful. The survey
> results are (already) used to guide future 3.4.x development.
> In general people are really satisfied with UnrealIRCd (49% even gave us a 9
> or 10 out of 10), but we can always do better and we got many suggestions.
> The UnrealIRCd survey results are available from:
> http://www.unrealircd.com/files/UnrealIRCd%20Survey%20results.pdf
> (apologies in advance for the lack of fancy graphics)
>
> Help us with development
> =========================
> I welcome Travis McArthur (Heero) who recently joined as an UnrealIRCd 3.4.x
> developer. Travis has already worked on channel mode +d, improving the
> module API and modularizing modes and is - besides many other things -
> working on documenting the 3.4 Module API to make the source code more
> understandable for new (module) coders.
>
> If you are a C programmer and interested in helping out with 3.4.x
> development then send an e-mail to sy...@un... and we can discuss.
> Even if it's just for the summer vacation you're more than welcome to help.
>
> UnrealIRCd 3.4
> ===============
> This weekend I released the first alpha version of UnrealIRCd 3.4:
> 3.4-alpha1. Although 3.4 development started well over a year ago, this
> version marks the beginning of the alpha series: we plan to release an alpha
> version every month or so, the exact release schedule depends highly on the
> changes and bugs we encounter.
> Since this is an alpha version, and in fact the very first one, we strongly
> discourage you to run 3.4-alpha1 on a production network.
> However, if you are curious and want to help us by testing and reporting
> bugs at http://bugs.unrealircd.org/ then please go ahead and download it.
> Just don't be (too) surprised by the bugs you will encounter and if it
> crashes from time to time.
>
> Major enhancements in 3.4-alpha1 compared to 3.2.x are:
> * We moved a lot of channel and user modes to modules, while at the same
> time improving the module system as a whole. This means A) You can now
> easily choose not to load a particular feature if you don't like it (we will
> be moving more in next few versions!), B) It makes it easier for coders to
> see all source code related to a specific feature, C) Enables you to fix /
> "patch" something and reload (the module) rather than needing to restart the
> entire IRCd.
> * The I/O engine has been rewritten. This makes the IRCd feel a lot more
> 'responsive' and can potentially accept a lot more users. Still, the entire
> system is not as stable as 3.2.x yet.
> * The SSL version of the IRCd will now boot even if you have no SSL
> certificates. Naturally SSL won't work then, but this means you can safely
> compile with SSL support even if you don't intend to use it straight away.
> This also means for 3.4.x we only provide the SSL version of Windows
> downloads, if you insist on not using SSL then simply don't make a
> server.*.pem certificate.
> * A new channel mode +d which hides joins/parts for users who don't say
> anything in a channel. Whenever a user speaks for the first time they will
> appear to join. Channel ops will still see everyone joining normally as if
> there was no +d set.
> * Behind-the-scenes: A lot of source code cleanups, enhancements, memory
> pooling, simplifying the code, all to make the source better and also more
> readable for (new) developers. This should make it easier for the community
> to contribute patches.
> * There have been some configuration changes, Unreal 3.4 will not boot with
> your existing 3.2.x unrealircd.conf! Be sure to read the section
> CONFIGURATION CHANGES in the Release Notes. In later alpha versions more
> configuration changes may be necessary.
>
> This first alpha version contains by no means all of the changes and
> features we would like to see in the final version of UnrealIRCd 3.4. There
> will be many major changes to come.
>
> UnrealIRCd 3.2
> ===============
> I forgot to send out an announcement to this mailing list for 3.2.10.3 which
> was released on the 31st of May.
> 3.2.10.3 has the following bugs fixed:
> * Crash when SASL is enabled and ping-cookie is disabled (a rare combination)
> * Compile issue with remote include
> * OS X compile problems
> * ./unreal backtrace not always working well
> Two days ago I released another update: 3.2.10.4. This fixes the following
> two major issues:
> * Compile problems with clang, which is the default compiler on a number of
> systems nowadays.
> * Newer services like anope 2.0 allow you to log in by account name, this
> means you don't necessarily get user mode +r (registered nick). Previously
> even if you logged in to anope you could still not join +R channels
> ("registered only") or speak in +M channels ("only registered users may
> speak"). Now this has been fixed.
>
> In addition to these two issues, the OpenSSL/curl/.. libraries for the
> Windows build have also been updated to the latest versions. Plus an update
> to the shipped curl-ca-bundle.crt, which now contains the latest certificates.
>
> If you are not encountering any of the issues from above then there's little
> reason to upgrade from 3.2.10.2 or 3.2.10.3.
>
> Move to GitHub
> ===============
> To give UnrealIRCd development more exposure and make it easier for people
> to contribute we decided to move our source code over to GitHub. This was
> actually one of the suggestions that came out of the UnrealIRCd survey.
> This means from now on the Mercurial repository is no longer functional.
> See this FAQ item http://www.unrealircd.com/faq.php#82 for more information
> on how to access the 'bleeding edge' source code.
> Or go directly to our GitHub page on
> https://github.com/unreal-ircd/unrealircd
>
> Note that the bug tracker, downloads, and all the rest of the project will
> stay at www.unrealircd.com. It is only our repository (source code) which
> moved to GitHub.
>
> GitHub/Twitter account
> =======================
> We are searching for the owner of the 'unrealircd' account on GitHub, and
> similarly the owner of @unrealircd on Twitter. We already sent a message to
> both accounts but received no response.
> Presumably these accounts were registered in advance with good intentions,
> ensuring nobody else could take them, as a placeholder until the project
> needs it.
> That moment is now, if you are the owner of one of these accounts (or know
> who is) then please contact sy...@un...
>
> Finally
> ========
> I'm really glad to see all the activity on the UnrealIRCd project as a whole
> and on 3.4.x in particular. I hope more people will jump in to help out,
> either as a developer or simply by testing the 3.4.x releases and reporting
> bugs or giving suggestions.
> Since there's a lot more activity now, especially on 3.4.x, this newsletter
> and release announcements is likely to be sent out more often than before. I
> hope everyone sees this as a positive sign, but if not then you can always
> unsubscribe.
>
> Finally, as always..
> * You can download UnrealIRCd from www.unrealircd.com - Downloads
> * All our releases are signed with our release key 0x9FF03937
> * Thanks everyone for their continued support!
>

--
Bram Matthys
Software developer/IT consultant
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@vu...> - 2014-07-29 12:16:34
Hi all,

There has been a lot of activity on the UnrealIRCd project past few months!

Index
======
* UnrealIRCd 15 years!
* New website
* Survey results
* Help us with development
* UnrealIRCd 3.4
* UnrealIRCd 3.2
* Move to GitHub
* GitHub/Twitter account
* Finally

UnrealIRCd 15 years!
=====================
In May of this year UnrealIRCd celebrated its 15th birthday. See http://forums.unrealircd.com/viewtopic.php?t=8271 where I thanked all past coders, contributors and the community (you!) for all the support. In the same article I also wrote about the past and future development of UnrealIRCd, openly speaking about the difficulties we have encountered and the challenges in moving forward.

New website
============
On UnrealIRCd's 15th birthday www.unrealircd.com got a new design as well. The new website is easier to navigate and just looks a lot more 'clean'. Thank n0kS for all the work on this.

Survey results
===============
I've made a document summarizing the results of the UnrealIRCd survey. In total 342 people completed the survey, (almost) all of them were admins running UnrealIRCd. Thanks *a lot*! This was really useful. The survey results are (already) used to guide future 3.4.x development.

In general people are really satisfied with UnrealIRCd (49% even gave us a 9 or 10 out of 10), but we can always do better and we got many suggestions.

The UnrealIRCd survey results are available from: http://www.unrealircd.com/files/UnrealIRCd%20Survey%20results.pdf (apologies in advance for the lack of fancy graphics)

Help us with development
=========================
I welcome Travis McArthur (Heero) who recently joined as an UnrealIRCd 3.4.x developer. Travis has already worked on channel mode +d, improving the module API and modularizing modes and is - besides many other things - working on documenting the 3.4 Module API to make the source code more understandable for new (module) coders.

If you are a C programmer and interested in helping out with 3.4.x development then send an e-mail to sy...@un... and we can discuss. Even if it's just for the summer vacation you're more than welcome to help.

UnrealIRCd 3.4
===============
This weekend I released the first alpha version of UnrealIRCd 3.4: 3.4-alpha1. Although 3.4 development started well over a year ago, this version marks the beginning of the alpha series: we plan to release an alpha version every month or so, the exact release schedule depends highly on the changes and bugs we encounter.

Since this is an alpha version, and in fact the very first one, we strongly discourage you to run 3.4-alpha1 on a production network. However, if you are curious and want to help us by testing and reporting bugs at http://bugs.unrealircd.org/ then please go ahead and download it. Just don't be (too) surprised by the bugs you will encounter and if it crashes from time to time.

Major enhancements in 3.4-alpha1 compared to 3.2.x are:
* We moved a lot of channel and user modes to modules, while at the same time improving the module system as a whole. This means A) You can now easily choose not to load a particular feature if you don't like it (we will be moving more in next few versions!), B) It makes it easier for coders to see all source code related to a specific feature, C) Enables you to fix / "patch" something and reload (the module) rather than needing to restart the entire IRCd.
* The I/O engine has been rewritten. This makes the IRCd feel a lot more 'responsive' and can potentially accept a lot more users. Still, the entire system is not as stable as 3.2.x yet.
* The SSL version of the IRCd will now boot even if you have no SSL certificates. Naturally SSL won't work then, but this means you can safely compile with SSL support even if you don't intend to use it straight away. This also means for 3.4.x we only provide the SSL version of Windows downloads, if you insist on not using SSL then simply don't make a server.*.pem certificate.
* A new channel mode +d which hides joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Channel ops will still see everyone joining normally as if there was no +d set.
* Behind-the-scenes: A lot of source code cleanups, enhancements, memory pooling, simplifying the code, all to make the source better and also more readable for (new) developers. This should make it easier for the community to contribute patches.
* There have been some configuration changes, Unreal 3.4 will not boot with your existing 3.2.x unrealircd.conf! Be sure to read the section CONFIGURATION CHANGES in the Release Notes. In later alpha versions more configuration changes may be necessary.

This first alpha version contains by no means all of the changes and features we would like to see in the final version of UnrealIRCd 3.4. There will be many major changes to come.

UnrealIRCd 3.2
===============
I forgot to send out an announcement to this mailing list for 3.2.10.3 which was released on the 31st of May. 3.2.10.3 has the following bugs fixed:
* Crash when SASL is enabled and ping-cookie is disabled (a rare combination)
* Compile issue with remote include
* OS X compile problems
* ./unreal backtrace not always working well

Two days ago I released another update: 3.2.10.4. This fixes the following two major issues:
* Compile problems with clang, which is the default compiler on a number of systems nowadays.
* Newer services like anope 2.0 allow you to log in by account name, this means you don't necessarily get user mode +r (registered nick). Previously even if you logged in to anope you could still not join +R channels ("registered only") or speak in +M channels ("only registered users may speak"). Now this has been fixed.

In addition to these two issues, the OpenSSL/curl/.. libraries for the Windows build have also been updated to the latest versions. Plus an update to the shipped curl-ca-bundle.crt, which now contains the latest certificates.

If you are not encountering any of the issues from above then there's little reason to upgrade from 3.2.10.2 or 3.2.10.3.

Move to GitHub
===============
To give UnrealIRCd development more exposure and make it easier for people to contribute we decided to move our source code over to GitHub. This was actually one of the suggestions that came out of the UnrealIRCd survey.

This means from now on the Mercurial repository is no longer functional. See this FAQ item http://www.unrealircd.com/faq.php#82 for more information on how to access the 'bleeding edge' source code. Or go directly to our GitHub page on https://github.com/unreal-ircd/unrealircd

Note that the bug tracker, downloads, and all the rest of the project will stay at www.unrealircd.com. It is only our repository (source code) which moved to GitHub.

GitHub/Twitter account
=======================
We are searching for the owner of the 'unrealircd' account on GitHub, and similarly the owner of @unrealircd on Twitter. We already sent a message to both accounts but received no response. Presumably these accounts were registered in advance with good intentions, ensuring nobody else could take them, as a placeholder until the project needs it. That moment is now, if you are the owner of one of these accounts (or know who is) then please contact sy...@un...

Finally
========
I'm really glad to see all the activity on the UnrealIRCd project as a whole and on 3.4.x in particular. I hope more people will jump in to help out, either as a developer or simply by testing the 3.4.x releases and reporting bugs or giving suggestions.

Since there's a lot more activity now, especially on 3.4.x, this newsletter and release announcements is likely to be sent out more often than before. I hope everyone sees this as a positive sign, but if not then you can always unsubscribe.

Finally, as always..
* You can download UnrealIRCd from www.unrealircd.com - Downloads
* All our releases are signed with our release key 0x9FF03937
* Thanks everyone for their continued support!

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@vu...> - 2014-04-09 07:35:35
Below are some very important additions to previous advisory:

With regards to *NIX:
Some Linux distros (including Debian and Ubuntu) fixed the issue but didn't update their OpenSSL version. This means they won't show up as the safe '1.0.0g' version even though they are indeed fixed. So, if you installed the OpenSSL security update, restarted the IRCd, and still see the old version in UnrealIRCd then you'll simply have to assume you're safe now.

Regarding the exploit:
The exploit was already out there, it is unknown for how long, but the bug itself has been in OpenSSL since March 2012. The exploit I found only needed some minor modifications to work with UnrealIRCd. When testing the exploit I can indeed see server memory being exposed. This includes memory of OpenSSL and possibly (likely) some key material. On some servers I could also see short phrases of text that other users had been saying. This is all possible without actually getting online as a user on IRC. And again, this issue exists on any SSL-capable server, not just UnrealIRCd.

This brings us to a (rather drastic) recommendation:
AFTER YOU HAVE UPGRADED ALL YOUR SERVERS WE RECOMMEND YOU TO GENERATE A NEW SSL CERTIFICATE & KEYS.
I highly recommend this because there's no way to tell if your private key has been retrieved by someone due to this vulnerability.
This recommendation is not unique to UnrealIRCd or even IRC, the same applies to apache, exim, and any other service that was using a vulnerable OpenSSL. That's why other software makers are actually recommending the same.

HOW TO GENERATE A NEW SSL CERTIFICATE & KEYS
=============================================
If you are using a self-signed certificate, like most people, then see below. Otherwise, if you are using an SSL certificate that has been signed by a Certificate Authority then you should already know how to make and get a new one.

Windows: Start -> Programs -> UnrealIRCd -> Make Certificate
*NIX: Run 'make pem' in your Unreal3.2.x directory. After that use 'make install' if you installed UnrealIRCd in a different directory.

HOW TO ACTUALLY USE THE NEW SSL CERTIFICATE & KEYS
===================================================
Once you have made/installed the new certificate and keys, /OPER up on your server and run:
/REHASH -ssl
You should see:
*** Notice -- [SSL rehash] XYZ (none@some.host) requested a reload of all SSL related data (/rehash -ssl)
That's it. You should not see any errors.

There's no need to restart UnrealIRCd (again) if you only want to reload the certificate and keys. This can be reloaded on the fly with /REHASH -ssl.

Bram Matthys wrote, on 8-4-2014 18:56:
> Hi all,
>
> A serious issue in OpenSSL was reported yesterday, the so called
> 'Heartbleed' bug (CVE-2014-0160).
> This bug is very serious because it gives remote users the ability to read
> highly sensitive data from memory from programs using OpenSSL. This includes
> private SSL keys, passwords, etc.
>
> There's a lot of media attention regarding this bug, and a lot of attention
> from hackers. It's likely that there is or very soon will be an active
> exploit available. We therefore suggest to take this matter seriously and
> not delay fixing it (IF you are affected, read on..).
>
> UNREALIRCD & HEARTBLEED
> ========================
> UnrealIRCd uses the OpenSSL library for all its SSL/TLS functionality. So
> if you are using an UnrealIRCd version with SSL support then you may be
> vulnerable to this serious security issue.
>
> Note that even if you are not actively using SSL/TLS, even if you have no
> SSL listen ports, just the simple fact that you COMPILED WITH OpenSSL
> support means you may be affected.
>
> In fact, even if your server is completely password protected, like a hub.
> Even then, if you are running a vulnerable version of OpenSSL then you are
> still affected.
>
> HOW TO CHECK IF YOU ARE USING OPENSSL AND WHICH VERSION
> ========================================================
> Windows users who already know they are using the SSL version of UnrealIRCd
> can take a shortcut here: UnrealIRCd 3.2.9-SSL and later on Windows are all
> vulnerable, skip directly to 'I AM VULNERABLE - WHAT TO DO?'.
>
> Best way to check if you are vulnerable is to execute '/VERSION' as an IRC
> Operator (IRCOp) on your server and verify the OpenSSL version.
>
> As IRCOp you can also check other servers for OpenSSL on your network by using:
> /VERSION [remote server name]
>
> This should output the UnrealIRCd version (eg: Unreal3.2.10.2) and some more:
>
> 1) If you have SSL enabled then you will see something like:
> [17:58:04] -serv.er.name- OpenSSL A.B.Cd [Some Date]
> Continue reading under 'I AM USING SSL - AM I VULNERABLE?'...
>
> 2) If you are an IRCOp, you did /VERSION, and you did not see any line with
> 'OpenSSL' in it, then this means OpenSSL support is not compiled in and you
> are safe. You don't need to take any action and can stop reading.
>
> Note that if you are NOT an IRCOp then no OpenSSL version information will
> be displayed. Therefore it's important you execute the /VERSION command as
> IRCOp.
>
> I AM USING SSL - AM I VULNERABLE?
> ==================================
> The following OpenSSL versions have the security issue:
> * 1.0.1 up to and including 1.0.1f (so: 1.0.1a, 1.0.1b, etc..)
> * 1.0.2-beta1
>
> The following versions are safe:
> * Any version before 1.0.1, so 1.0.0x or 0.9.8etc...
> * 1.0.1g (which has just been released on April 7, 2014)
>
> If you are using any such 'safe' version, then you don't need to take any
> action.
>
> I AM VULNERABLE - WHAT TO DO?
> ==============================
> If you are indeed using 1.0.1-1.0.1f then you are affected by this security
> issue.
>
> Windows
> --------
> Simply re-download the package from http://www.unrealircd.com/
> The installer will show 'Unreal3.2.10.2-SSL with Heartbeat fix', and once
> installed you will see (by using /VERSION as IRCOp) the OpenSSL version is
> 1.0.1g.
>
> Linux / *NIX
> -------------
> Update your system the usual way. This depends on your OS and distribution.
> On Debian/Ubuntu it's 'apt-get update; apt-get upgrade', while on
> Redhat-based systems 'yum' is used, etc...
> If you don't have root on your system, consult your (shell) provider.
>
> You normally don't need to recompile UnrealIRCd. But once you installed an
> updated version of OpenSSL you must RESTART UnrealIRCd. A simple /REHASH is
> not sufficient.
> After UnrealIRCd has been restarted, verify that your OpenSSL version is
> indeed safe now. You can see the OpenSSL version in the boot screen of
> ./unreal start, or check it by running /VERSION as IRCOp as mentioned earlier.
>
> TIMELINE
> =========
> [2014-04-07 18:39 GMT] OpenSSL Security advisory
> [2014-04-08 15:39 GMT] UnrealIRCd windows download replaced
> [2014-04-08 16:55 GMT] UnrealIRCd advisory e-mail sent out
>
> UPDATES
> ========
> The following URL contains a copy of this advisory, and any updates to it:
> http://forums.unrealircd.com/viewtopic.php?f=1&t=8265
>

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2014-04-08 17:35:35
Hi all,

A serious issue in OpenSSL was reported yesterday, the so called 'Heartbleed' bug (CVE-2014-0160).
This bug is very serious because it gives remote users the ability to read highly sensitive data from memory from programs using OpenSSL. This includes private SSL keys, passwords, etc.

There's a lot of media attention regarding this bug, and a lot of attention from hackers. It's likely that there is or very soon will be an active exploit available. We therefore suggest to take this matter seriously and not delay fixing it (IF you are affected, read on..).

UNREALIRCD & HEARTBLEED
========================
UnrealIRCd uses the OpenSSL library for all its SSL/TLS functionality. So if you are using an UnrealIRCd version with SSL support then you may be vulnerable to this serious security issue.

Note that even if you are not actively using SSL/TLS, even if you have no SSL listen ports, just the simple fact that you COMPILED WITH OpenSSL support means you may be affected.

In fact, even if your server is completely password protected, like a hub. Even then, if you are running a vulnerable version of OpenSSL then you are still affected.

HOW TO CHECK IF YOU ARE USING OPENSSL AND WHICH VERSION
========================================================
Windows users who already know they are using the SSL version of UnrealIRCd can take a shortcut here: UnrealIRCd 3.2.9-SSL and later on Windows are all vulnerable, skip directly to 'I AM VULNERABLE - WHAT TO DO?'.

Best way to check if you are vulnerable is to execute '/VERSION' as an IRC Operator (IRCOp) on your server and verify the OpenSSL version.

As IRCOp you can also check other servers for OpenSSL on your network by using:
/VERSION [remote server name]

This should output the UnrealIRCd version (eg: Unreal3.2.10.2) and some more:

1) If you have SSL enabled then you will see something like:
[17:58:04] -serv.er.name- OpenSSL A.B.Cd [Some Date]
Continue reading under 'I AM USING SSL - AM I VULNERABLE?'...

2) If you are an IRCOp, you did /VERSION, and you did not see any line with 'OpenSSL' in it, then this means OpenSSL support is not compiled in and you are safe. You don't need to take any action and can stop reading.

Note that if you are NOT an IRCOp then no OpenSSL version information will be displayed. Therefore it's important you execute the /VERSION command as IRCOp.

I AM USING SSL - AM I VULNERABLE?
==================================
The following OpenSSL versions have the security issue:
* 1.0.1 up to and including 1.0.1f (so: 1.0.1a, 1.0.1b, etc..)
* 1.0.2-beta1

The following versions are safe:
* Any version before 1.0.1, so 1.0.0x or 0.9.8etc...
* 1.0.1g (which has just been released on April 7, 2014)

If you are using any such 'safe' version, then you don't need to take any action.

I AM VULNERABLE - WHAT TO DO?
==============================
If you are indeed using 1.0.1-1.0.1f then you are affected by this security issue.

Windows
--------
Simply re-download the package from http://www.unrealircd.com/
The installer will show 'Unreal3.2.10.2-SSL with Heartbeat fix', and once installed you will see (by using /VERSION as IRCOp) the OpenSSL version is 1.0.1g.

Linux / *NIX
-------------
Update your system the usual way. This depends on your OS and distribution. On Debian/Ubuntu it's 'apt-get update; apt-get upgrade', while on Redhat-based systems 'yum' is used, etc...
If you don't have root on your system, consult your (shell) provider.

You normally don't need to recompile UnrealIRCd. But once you installed an updated version of OpenSSL you must RESTART UnrealIRCd. A simple /REHASH is not sufficient.
After UnrealIRCd has been restarted, verify that your OpenSSL version is indeed safe now. You can see the OpenSSL version in the boot screen of ./unreal start, or check it by running /VERSION as IRCOp as mentioned earlier.

TIMELINE
=========
[2014-04-07 18:39 GMT] OpenSSL Security advisory
[2014-04-08 15:39 GMT] UnrealIRCd windows download replaced
[2014-04-08 16:55 GMT] UnrealIRCd advisory e-mail sent out

UPDATES
========
The following URL contains a copy of this advisory, and any updates to it:
http://forums.unrealircd.com/viewtopic.php?f=1&t=8265

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

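The /VERSION check from the advisory above, applied to a whole network's replies, as an added example (not UnrealIRCd code and not from the author). The notice layout follows the advisory's sample line; host names and reply lines are constructed, and treating 1.0.1 letters after 'g' as fixed is an assumption beyond the advisory's list. Per the follow-up message, a *NIX server that still reports an old version string may already carry a distro-patched OpenSSL, so a "vulnerable" verdict there means "confirm the package update and the restart".

```python
import re

# "[17:58:04] -serv.er.name- <text>" as shown in the advisory (client display format).
NOTICE = re.compile(r"^\[[\d:]+\]\s+-(?P<server>\S+)-\s+(?P<text>.*)$")
OPENSSL = re.compile(r"\bOpenSSL\s+(?P<ver>\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?)")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?$")


def classify_openssl(ver):
    """Map an OpenSSL version string to 'vulnerable', 'safe' or 'unlisted'.

    Ranges are the ones listed in the advisory: 1.0.1 through 1.0.1f and
    1.0.2-beta1 are vulnerable; anything before 1.0.1, and 1.0.1g, are safe.
    """
    m = VERSION.match(ver)
    if not m:
        return "unlisted"
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if base < (1, 0, 1):
        return "safe"
    if base == (1, 0, 1):
        if beta:
            return "unlisted"  # 1.0.1 betas are not mentioned in the advisory
        # '' (plain 1.0.1) and 'a'..'f' sort before 'g'.
        # Assumption: letters after 'g' inherit the 1.0.1g fix.
        return "vulnerable" if letter < "g" else "safe"
    if base == (1, 0, 2) and beta == "beta1" and not letter:
        return "vulnerable"
    return "unlisted"


def audit_version_replies(lines, as_ircop=True):
    """Return {server: (openssl_version_or_None, verdict)} from /VERSION notices.

    A server that answered without any OpenSSL line is 'no-openssl' only when
    the command was run as IRCOp; otherwise the line is simply hidden and the
    verdict is 'unknown'.
    """
    seen = {}
    for line in lines:
        m = NOTICE.match(line.strip())
        if not m:
            continue
        server = m.group("server")
        seen.setdefault(server, None)
        found = OPENSSL.search(m.group("text"))
        if found:
            seen[server] = found.group("ver")
    report = {}
    for server, ver in seen.items():
        if ver is None:
            verdict = "no-openssl" if as_ircop else "unknown"
        else:
            verdict = classify_openssl(ver)
        report[server] = (ver, verdict)
    return report


# Constructed replies, one /VERSION per server, in the advisory's notice layout.
SAMPLE_REPLIES = [
    "[17:58:04] -hub.example.net- Unreal3.2.10.2. hub.example.net FhinXeOoE",
    "[17:58:04] -hub.example.net- OpenSSL 1.0.1e 11 Feb 2013",
    "[17:58:09] -leaf1.example.net- Unreal3.2.10.2. leaf1.example.net FhinXeOoE",
    "[17:58:09] -leaf1.example.net- OpenSSL 1.0.1g 7 Apr 2014",
    "[17:58:12] -leaf2.example.net- Unreal3.2.10.2. leaf2.example.net FhinXOoE",
    "[17:58:15] -old.example.net- OpenSSL 0.9.8y 5 Feb 2013",
    "[17:58:19] -beta.example.net- OpenSSL 1.0.2-beta1 24 Feb 2014",
]

if __name__ == "__main__":
    for server, (ver, verdict) in audit_version_replies(SAMPLE_REPLIES).items():
        print(f"{server:20} {ver or '-':12} {verdict}")
```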
From: Bram M. <sy...@un...> - 2013-11-23 13:03:21
Hello everyone,

We have released a second update to latest stable: UnrealIRCd 3.2.10.2

This version contains a number of important fixes. In particular:
* A remote crash issue when compiled with SSL (NULL pointer dereference)
* A second issue that can potentially lead to a crash (read-after-free)

These bugs are present in UnrealIRCd 3.2.10 and 3.2.10.1. Previous versions, such as 3.2.9, are unaffected.

Other than that, there are also improvements in the area of server linking and some flood hardening.

Unfortunately the upgrade will require an IRCd restart, as part of the problem lies in the core.

We recommend all 3.2.10 & 3.2.10.1 users to upgrade somewhere in the next few weeks, especially if you have SSL/TLS enabled.

This release announcement (and any updates to it) can be found at http://forums.unrealircd.com/viewtopic.php?t=8221

Full release notes can be found at http://www.unrealircd.com/txt/unreal3_2_10_2_release_notes.txt

As always, you can download UnrealIRCd from http://www.unrealircd.com/

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2013-08-17 09:55:07
Hi everyone,

We've launched an UnrealIRCd survey at http://survey.unrealircd.com/

The purpose of this survey is to give us a good idea of what people think about UnrealIRCd, how it's being used, and - even more important - in what areas we should improve.

The results of the survey will help us decide where to work on, mainly with regards to the development of the new Unreal3.4.x series, but also in other areas.

If you're satisfied with UnrealIRCd, not satisfied at all, or anywhere in between, now is the time to tell us.

Thanks a lot in advance for your time!

Bram Matthys (Syzop) / The UnrealIRCd team.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2012-12-27 13:57:58
Happy Holidays everyone!

We have released UnrealIRCd 3.2.10. This release contains quite a number of new features, but also a couple of minor bugs have been fixed. For a summary of the changes, see the Release Notes below.

I would also like to announce that we have started development on UnrealIRCd 3.4. This means we now have two branches:
Unreal3.4 is where all (experimental) development takes place. The goal is to have a lot of major changes and new features in 3.4, and after a while start releasing beta's so we can have a 3.4 stable release somewhere in 2014.
Until then, Unreal3.2 will remain our stable branch, and bugfixes from 3.4 will be backported to 3.2. The UnrealIRCd 3.2.x series will continue to be maintained until the 3.4 version has been declared stable, and for some time after that too.

To help us actually achieve this, nenolod has been added as a developer for 3.4.x. Other developers will hopefully hop in later. If you are a C developer and interested in helping out, then send an e-mail to sy...@un... or hop by in #unreal3-devel @ irc.unrealircd.com.

As always, you can download UnrealIRCd from http://www.unrealircd.com/

Release Notes:

==[ NEW ]==
* Improved socket engine. This brings some performance improvements and also makes it easier to configure a system to hold more than 1024 clients (no more editing of header files on Linux!).
* ESVID support: services can communicate the account name of the user back to the IRCd. This only works on ESVID-capable services:
  * Extban ~a:<accountname>: matches users who are logged in to services with that account name.
  * Show account name in /WHOIS
* CAP support: this enables clients to enable certain features more easily. Can be disabled through set::options::disable-cap.
  * Now that STARTTLS is advertised in CAP it is likely to be used more often.
  * away-notify: informs clients of AWAY state changes of users on the same channels, for clients that support this.
  * account-notify: similar to away-notify, inform clients of changes in the login status and account name used by other clients on the same channels.
* SASL support. To use this, and if your services support this, you point set::sasl-server to your services server.
* Server-side MLOCK support: the IRCd will prevent channel mode changes depending on the MLOCK setting in services. Requires special support from services for this feature.
* User Mode +I (IRCOp only): hide idle time
* auth-method 'sslclientcertfp': authenticate users using an SSL client certificate by the SHA256 fingerprint of that certificate. The documentation has a new section (3.19) called 'Authentication Types' which contains an (improved) example of how to use SSL client certificate authentication instead of regular passwords.
* oper::require-modes: an optional setting, which can be used to require users to have certain user modes (such as 'z') before they can /OPER up.
* allow/deny channel: you can now optionally specify a class here as an extra filter.
* doc/example.es.conf: Spanish translation of example configuration file.
* There have also been some behavior changes, which can be considered NEW, see next section (CHANGED).

==[ CHANGED ]==
* Anti-spoof protection (ping cookies) can now be enabled/disabled at run-time through set::ping-cookie [yes|no]. The default is 'yes' (enabled)
* A quit with 'Ping timeout' now shows the number of seconds since the ping.
* Print out a warning if we can't write to a log file.
* Refuse to boot if we can't write to ANY log file.
* Windows: if an SSL certificate exists, then uncheck the 'generate SSL certificate' checkbox by default.
* *NIX with SSL: We now ask in ./Config if you want to generate an SSL certificate. The certificate is then copied when you run 'make install'.

==[ MAJOR BUGS FIXED ]==
* Windows SSL crash (this issue was already fixed in 3.2.9-SSL-fix)
* Other than that, none?

==[ MINOR BUGS FIXED ]==
* Various compile problems, in particular with remote includes enabled.
* Windows: the installer sometimes insisted that the Visual C++ 2008 redistributable package was not installed, when it actually was there.
* Windows: MOTD file date/time was always showing up as 1/1/1970.
* And more... see Changelog

==[ REMOVED / DROPPED ]==
* Windows 9X is no longer supported
* The networks/ directory has been removed

==[ FULL CHANGELOG ]==
For the full list of changes, see 'FULL CHANGELOG' at http://www.unrealircd.com/txt/unreal3_2_10_release_notes.txt

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2012-11-12 14:05:48
SECURITY ADVISORY
==================
A serious issue has been found in the Windows SSL versions of UnrealIRCd 3.2.9 and 3.2.10-rc1. This issue allows someone to remotely crash the server. Admins of affected systems should upgrade immediately. Note that only Windows versions with SSL support are affected.

==[ AFFECTED VERSIONS ]==
Vulnerable versions:
* 3.2.9 on Windows with SSL support
* 3.2.10-rc1 on Windows with SSL support

Not vulnerable:
* 3.2.9 and 3.2.10-rc1 on *NIX (Linux, FreeBSD, ..)
* 3.2.9 and 3.2.10-rc1 on Windows without SSL support
* 3.2.9-winsslfix and 3.2.10-rc1-winsslfix
* 3.2.8.1 and earlier

If you are unsure which version you are using, then follow this procedure:
Type /VERSION on IRC (on some clients you might have to type /QUOTE VERSION)
This should return a string like: Unreal3.2.9. server.name FhinWXeOoZE
This contains the version number, the server name, and the compile flags.
You are vulnerable if ALL these three conditions are met:
* The version is 'Unreal3.2.9' or 'Unreal3.2.10-rc1'
* The compile flags contain a 'W' (this means you're on Windows)
* The compile flags contain a lower case 'e' (this means you're using the SSL version)

Fixed Windows SSL versions can be identified by having 'winsslfix' in their version name.

==[ SHOULD I UPGRADE? ]==
If you are using any of the vulnerable versions then you should upgrade immediately as this is a serious issue.

Unfortunately there are no mitigating factors: even if you don't actually use SSL, or if you have password-protected your server or hub, then you are still vulnerable to this particular attack.

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from: http://www.unrealircd.com/

There's no update for *NIX or the non-SSL Windows version, as these are safe and thus do not require any update.

==[ IMPACT ]==
This issue will result in a direct server crash. There's no possibility to execute any code, nor is there any information disclosure.

==[ CVSS ]==
CVSS v2.0 report:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Access Vector: Network
Access Complexity: Low
Authentication: None
CVSS Base Score: 7.8
Availability of exploit: Proof of concept code[*]
Type of fix available: Official fix
CVSS Temporal Score: 6.1

[*] Proof of concept / exploit is currently not public. This is expected to change soon after the release of this security bulletin.

==[ TIMELINE ]==
Times are in UTC
2012-11-11 19:20 Bug reported
2012-11-12 11:03 Bug confirmed by developer
2012-11-12 11:22 Bug traced
2012-11-12 13:45 Fixed versions compiled and packaged
2012-11-12 14:00 Security announcement

==[ SOURCE ]==
This advisory (and updates to it, if any) is posted to: http://www.unrealircd.com/txt/unrealsecadvisory.20121112.txt

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

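The three-condition test from the advisory above, applied to /VERSION reply strings, as an added example (not UnrealIRCd code and not from the author). The server names, the extra flag strings and the exact spelling of the 'winsslfix' version token are constructed for illustration; only the 'Unreal3.2.9. server.name FhinWXeOoZE' layout comes from the advisory.

```python
from typing import NamedTuple

# Version strings named as affected in the advisory.
AFFECTED_VERSIONS = {"Unreal3.2.9", "Unreal3.2.10-rc1"}


class Verdict(NamedTuple):
    version: str
    server: str
    flags: str
    affected_version: bool  # version is one of the two affected releases
    windows: bool           # compile flags contain 'W'
    ssl: bool               # compile flags contain lower case 'e'

    @property
    def vulnerable(self):
        # The advisory requires ALL three conditions.
        return self.affected_version and self.windows and self.ssl


def check_version_reply(reply):
    """Parse '<version>. <server> <flags>' and evaluate the advisory's test."""
    parts = reply.split()
    if len(parts) < 3:
        raise ValueError(f"not a /VERSION reply: {reply!r}")
    version = parts[0].rstrip(".")  # the reply carries a trailing dot
    server, flags = parts[1], parts[2]
    return Verdict(
        version=version,
        server=server,
        flags=flags,
        # Exact match: a fixed build with 'winsslfix' in its name never matches.
        affected_version=version in AFFECTED_VERSIONS,
        windows="W" in flags,
        # Case matters: the sample flags contain both 'e' and 'E'; only the
        # lower case 'e' indicates the SSL build.
        ssl="e" in flags,
    )


def vulnerable_servers(replies):
    """Return the server names whose reply meets all three conditions."""
    return [v.server for v in map(check_version_reply, replies) if v.vulnerable]


# Constructed replies; the first uses the flag string shown in the advisory.
SAMPLE_REPLIES = [
    "Unreal3.2.9. win-ssl.example.net FhinWXeOoZE",          # all three met
    "Unreal3.2.10-rc1. rc1-ssl.example.net FhinWXeOoZE",     # all three met
    "Unreal3.2.9. linux-ssl.example.net FhinXeOoZE",         # no 'W': *NIX
    "Unreal3.2.9. win-nossl.example.net FhinWXOoZE",         # 'E' but no 'e'
    "Unreal3.2.8.1. win-old.example.net FhinWXeOoZE",        # earlier release
    "Unreal3.2.9-winsslfix. win-fixed.example.net FhinWXeOoZE",  # fixed build
]

if __name__ == "__main__":
    for name in vulnerable_servers(SAMPLE_REPLIES):
        print("upgrade:", name)
```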
From: Bram M. <sy...@un...> - 2012-10-19 19:14:17
Hi all,

We have released our first Release Candidate for 3.2.10 (3.2.10-rc1). Everyone is welcome to test this version, and check if there are any major release critical bugs (such as crash bugs) present, so they can be corrected before the real 3.2.10 stable release. Note that we do NOT recommend running this version on production servers.

Several Release Candidates may follow (-rc2, -rc3, and so on). We have no set date for a final 3.2.10 release.

More details on the 3.2.10-rc1 release can be found at: http://forums.unrealircd.com/viewtopic.php?f=2&t=7675
Or you can download it straight away from www.unrealircd.com.

We are also looking for help in the following areas:

Translations: People who are willing to create and maintain unreal32docs.html translations in any of the following languages: Greek, Spanish, Dutch, and German. The translated documents in these languages are currently out of date. Naturally, other (new) languages are also welcome. For more information (such as on how to apply), go to: http://forums.unrealircd.com/viewtopic.php?f=1&t=7676

PHP developer: We need a new www.unrealircd.com website. We held a design contest a while ago, and a winner was chosen. We now need someone to do the actual PHP coding. More information can be found at: http://forums.unrealircd.com/viewtopic.php?f=16&t=7677

Previously, we didn't send out an announcement for release candidates, but history has taught us that this resulted in too little testing and thus a long time between the first Release Candidate and the final stable release. If you have no time to test this 3.2.10-rc1, no problem, you can just wait for the 3.2.10 stable release. Otherwise: thanks in advance for your help!

Syzop / The UnrealIRCd team.

PS: This e-mail does not contain MD5 and SHA1 checksums of the download files. If you want to verify the integrity of the files, then you can do so with the help of PGP/GPG. Current and past releases are signed with the rel...@un... key (0x9FF03937). Full instructions on how to verify the files can be found on the final download screen at the website.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

From: Bram M. <sy...@un...> - 2011-11-05 15:07:19
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, It has been more than 2 years since last stable release (3.2.8.1) and 4 months since last release candidate. Now, finally, UnrealIRCd 3.2.9 is out! There have been 212 changes since previous release which is almost the same as previous THREE stable releases combined. The changes consist of the usual amount of bugfixes, however also a substantial amount of new features have been added. See the Release Notes below for a summary of the changes. As usual, you can download UnrealIRCd from http://www.unrealircd.com/ MD5 checksums: 520df93a0f82b33a21f650ad7a8a2eda Unreal3.2.9-SSL.exe fb10daa6d4b37cba2e57ecae4b4fdec3 Unreal3.2.9.exe bde023695347969f545ce5f2a9ac9aed Unreal3.2.9.tar.gz SHA1 checksums: 1ab39b4166bb796fc22a0bd0bff300142592372a Unreal3.2.9-SSL.exe 1d5704e44182d35849fbca498e2aa72b40286fec Unreal3.2.9.exe 0bb9d84ce6e4a395fda86e7d6250b7016cfeb913 Unreal3.2.9.tar.gz Special thanks go to binki, who did a considerable amount of work to make this release possible. Also thanks to everyone who contributed to UnrealIRCd, whether it is by doing support, reporting bugs, or just by using our software, helping us to maintain our position as the most widely used IRCd. Thanks, Syzop / The UnrealIRCd Team. Unreal3.2.9 Release Notes ========================== ==[ GENERAL INFORMATION ]== * If you are upgrading on *NIX, make sure you run 'make clean' and './Config' first, before doing 'make' * The official UnrealIRCd documentation is doc/unreal32docs.html online version at: http://www.vulnscan.org/UnrealIRCd/unreal32docs.html FAQ: http://www.vulnscan.org/UnrealIRCd/faq/ Read them before asking for help. * Report bugs at http://bugs.unrealircd.org/ * When upgrading a network, we assume you are upgrading from the previous version (3.2.8/3.2.8.1). Upgrading from 3.2.6 or 3.2.7 should also be no problem. * The purpose of the sections below (NEW, CHANGED, MINOR, etc) is to be a SUMMARY of the changes in this release. 
  There have been 160+ changes, twice as much as usual for a release, hence this summary is a bit long too. For the FULL list of changes, see the Changelog.
* If you previously used CVS to access the development version of UnrealIRCd, you now need to use Mercurial, see http://www.unrealircd.com/hgmove

==[ NEW ]==
* Extban ~j: this only prevents a user from joining, once in he can speak freely.
* Extban ~R:<nick>: this ban only matches if <nick> is a registered user (has identified to services). Especially useful in cases like: +e ~R:TrustedUser.
* Stacked Extended Bans:
  * Extbans are now split in two groups:
    * Ones that specify which user actions are affected (group 1): ~q (quiet), ~n (nick change), ~j (join)
    * Ones that introduce new criteria that can be used (group 2): ~c (channel), ~r (realname), ~R (registered)
  * With stacked extbans you can combine an extban of the first group with the second
    For example: ~q:~c:#lamers would quiet all users who are also in #lamers
* Extended Invex: very much like extended bans, but for +I (Invite Exception).
  Currently supported are: ~c (channel), ~r (realname) and ~R (registered) [=group 2]
  Possible useful uses are setting a channel +i (invite only) and then setting +I ~c:#trustedchan (or even: +I ~c:+#trustedchan) while still retaining the ability to easily ban users through +b.
* Channel Mode +Z: indicates whether a channel is 'secure' or not. This channel mode works in conjunction with +z (lower case z). While +z (normally) prevents new non-SSL users from joining, sometimes they can still join, like when after a netsplit the channels merge again. When all users on the channel are connected through SSL, the channel is set +Z by the server. Whenever an insecure user joins, the channel is put -Z.
* Remote MOTD support: you can now specify an URL instead of a file
* Automatic installation of curl (w/c-ares) if you answer 'Yes' to remote includes
* One can now rehash ALL servers with the command '/REHASH -global'.
  This can be particularly useful if you use remote includes or MOTD's. NetAdmin only command.
* files { } block by which you can configure the location of the tune file, pid, etc
* STARTTLS: On an IRCd compiled with SSL support this allows a client to start a SSL session on a regular non-SSL port (like 6667). Only supported by a few IRC clients. Can be disabled by setting set::ssl::options::no-starttls
* set::uhnames: this allows one to turn UHNAMES off ('no'), which can be a good idea if you have channels with more than 1000 users, as otherwise the nicklist can take several seconds to load. Defaults to on ('yes').
* IPv6 clones detection support: allow::ipv6-clone-mask determines the number of bits used when comparing two IPv6 addresses to determine if allow::maxperip is exceeded. This allows an admin to recognize that most IPv6 blocks are allocated to individuals, who might each get a /64 IPv6 block. set::default-ipv6-clone-mask defaults to 64 and provides default value for the allow blocks.
* The m_nopost module is now part of Unreal: this defends against the Firefox/Javascript 'XPS attack' which uses HTTP POST to create dummy IRC bots.
* There have also been some behavior changes, which can be considered NEW, see next section (CHANGED).

==[ CHANGED ]==
* Channel Mode +z: due to the +z/+Z changes, some things have changed:
  * +z can now be set even when insecure users are present (the channel will then be set +Z when the last insecure user leaves)
  * An oper previously had to invite himself and then join the channel with the key 'override' to set -z. This is no longer needed. The channel stays +z, but will be set -Z when the oper joins.
* Remote includes: if a remote include fails to load (eg: webserver down) then the most recent (cached) version of that remote include will be used, and the IRCd will still boot and be able to REHASH.
  This means it is now 'safe' to use remote includes on a network, without risking problems like unable to rehash in case of webserver problems.
* set::level-on-join now supports voice/halfop/protect/owner
* Backslashes (\) in MOTD/RULES files are no longer considered special, this might mean that you have to change some escaped backslashes (\\) to \.
* '/REHASH -motd' really rehashes ALL MOTD/OPERMOTD/BOTMOTD/RULES files, both the 'normal' files and the ones in tld { } blocks.
* The 'Compile as hub/leaf' choice is now gone, as it didn't do anything.
* Better document 'sslclientcert' in the Oper Block documentation. This allows one to authenticate against a SSL certificate for /OPER, instead of using a password.

==[ MAJOR BUGS FIXED ]==
* If you have autoconnect with a low connfreq, previously you often risked getting 'Server exists' errors and 'breaking' the network. Now, the server handshake has been redesigned which means this will no longer happen. You can now safely have a low connfreq of - for example - 10 seconds.
* Windows: 'Permission denied' errors when starting Unreal
* A crash on some new Linux systems when replacing .so files
* Solaris & QNX: Compile problems
* IPv6: admins no longer have to tweak sysctl, like on FreeBSD & newer Linux systems
* IPv6: IPv4 ip's in link::bind-ip did not work properly which made the IRCd either not bind to the correct IP, or - like on FreeBSD - made it unable to link at all.
* A very rare crash on outgoing connect

==[ MINOR BUGS FIXED ]==
* autoconnect not working if TS offset was negative (for the duration of the offset)
* CGI:IRC & IPv6: sometimes a user's IP was incorrectly formatted, causing 'ghosts'
* Mac OS X: permission problems
* Several installation issues with curl
* SSL: No more 'Underlying syscall error', the actual error is now shown
* And many more... see Changelog

==[ KNOWN ISSUES ]==
* Regexes: Be careful with backreferences (\1, etc), certain regexes can slow the IRCd down considerably and even bring it to a near-halt. In the spamfilter user target it's usually safe though. Slow spamfilter detection can help prevent the slowdown/freeze, but might not work in worst-case scenario's.
* Regexes: Possessive quantifiers such as, for example, "++" (not to be confused with "+") are not safe to use, they can easily freeze the IRCd.

==[ CHANGELOG ]==
Full list of changes since previous release (3.2.8.1):
* Fixed compile issue on Solaris regarding c-ares (-lrt), reported and test shell provided by fraggeln (#0003854).
* Improved automatic SSL detection on Solaris (/usr/sfw), reported by fraggeln (also #0003854).
* Don't do show-connect-info on serversonly ports
* Fixed crash on Linux (with a 'new' dynamic linker) when a module has been updated and then reloaded. From now on we just copy to a tempfile, and never hardlink. (bug #3557).
* Print out an error if a user uses standard ./configure stuff instead of ./Config. Won't catch all cases, but will definitely catch most problems.
* Update some urls
* Added ./configure option called --with-system-tre by which you can specify a path to the TRE library (instead of using the TRE we ship with Unreal). Patch provided by ohnobinki (#0003842).
* Applied another patch from ohnobinki which adds --with-system-cares (#0003847).
* Committed Windows Installer fix that was put in 3.2.8.1, fixing #0003845 and #0003809 (MS Visual Studio Redistributable package automatic installation).
* Fix /VERSION output on Windows, especially for Vista and newer Windows, patch from BuHHunyx and Bock (#0003846).
* Fixed issue where a negative time offset (either caused by ircd.tune or timesynch) made autoconnect not work for the duration of the offset (eg: -60 would make autoconnect wait 60 seconds after boot, instead of autoconnecting almost immediately). Reported by aragon (#0003853).
* class name 'default' is reserved. Using it caused the ircd to crash on-boot, reported by Dragon_Legion (#0003864).
* Fixed IPv4 ip's in link::bind-ip on IPv6 builds. This caused issues ranging from not binding to that ip when linking, to not being able to link at all. Also fixed a very small memory leak upon /REHASH. Bug reported by Mr_Smoke (#0003858).
* Applied patch from k4be (#0003866) which introduces a new packet hook (HOOKTYPE_PACKET). Replacing the 'text to be sent' to a client is supported, which allows character(set) conversion in a module. Note that modifying an incoming message by the hook is not supported.
* Applied patch from ohnobinki (#0003863) which makes run-time configuration of files (tune, pid, motd) possible.
* Fixed bug reported by mut80r (#0003867) where locops didn't get a proper vhost when set::hosts::local had a 'user@host' syntax instead of just 'host'. Also fixed a bug with regards to +x on-oper with locops.
* When an incorrect command line argument is passed, the IRCd will no longer boot. Previously it said 'Server not started' but started anyway. Reported and patch provided by ohnobinki (#0003870).
* Added special caching of remote includes. When a remote include fails to load (for example when the webserver is down), then the most recent version of that remote include will be used, and the ircd will still boot and be able to rehash. Even though this is quite a simple feature, it can make a key difference when deciding to roll out remote includes on your network. Previously, servers would be unable to boot or rehash when the webserver was down, which would be a big problem (often unacceptable).
  The latest version of fetched urls are cached in the cache/ directory as cache/<md5 hash of url>.
  Obviously, if there's no 'latest version' and an url fails, the ircd will still not be able to boot. This would be the case if you added or changed the path of a remote include and it's trying to fetch it for the first time.
  To disable this new behavior, check out REMOTEINC_SPECIALCACHE in include/config.h.
* set::level-on-join now also supports voice, halfop, protect and owner. Requested by katsklaw (#0003852). Partial patch provided by katsklaw and morpheus_pl.
* Added initial support for "stacked" extbans. Please see the Changelog item further down (250 lines or so) for more information, as it was heavily reworked later on and the API was changed.
* Misc fix for disabling stacked extbans, should've done stuff in our autoconf stuff instead of hacking configure directly :P .
* Made the timesynch log output more clear and understandable.
* Added an 'UnrealIRCd started' log message on startup.
* Added support for STARTTLS. This allows users to switch to SSL without having to use a special SSL-only port, they can simply switch to SSL on any port. This is currently only supported by few clients (such as KVIrc 4). This functionality can be disabled by setting set::ssl::options::no-starttls, for example if you don't want to offer SSL to your users and only want it to be used for server to server links. Naturally, the IRCd must be compiled with SSL support for STARTTLS to work.
* Fixed SSL_ERROR_WANT_READ in IRCd_ssl_write()
* Use RPL_STARTTLS/ERR_STARTTLS numerics
* Removed log target 'kline' from documentation, as it didn't do anything (use 'tkl' instead). Reported by nephilim and Stealth (#0003849).
* Server protocol: added PROTOCTL EAUTH=servername, which allows us to authenticate the server very early in the handshake process. That way, certain commands and PROTOCTL tokens can 'trust' the server. See doc/technical/protoctl.txt for details.
* Server protocol: between new Unreal servers we now do the handshake a little bit different, so it waits with sending the SERVER command until the first PROTOCTL is received. Needed for next.
* Server protocol: added PROTOCTL SERVERS=1,2,3,4,etc by which a server can inform the other server which servers (server numeric, actually) it has linked.
  See doc/technical/protoctl.txt and next for details.
* When our server was trying to link to some server, and at the same time another server was also trying to link with us, this would lead to a server collision: the server would link (twice) ok at first, but then a second later or so both would quit with 'Server Exists' with quite some mess as a result. This isn't unique to Unreal, btw.
  This happened more often when you had a low connfreq in your link blocks (aka: quick reconnects), or had multiple hubs on autoconnect (with same connfreq), or when you (re)started all servers at the same time.
  This should now be solved by a new server handshake design, which detects this race condition and solves it by closing one of the two (or more) connections to avoid the issue.
  This also means that it should now be safe to have multiple hubs with low connfreq's (eg: 10s) without risking that your network falls apart.
  This new server handshake (protocol updates, etc) was actually quite some work, especially for something that only happened sporadically. I felt it was needed though, because (re)linking stability is extremely important.
  This new feature/design/fix requires extensive testing.
  This feature can be disabled by: set { new-linking-protocol 0; };
* Made ./Config description about remote includes a bit more clear.
* When you now answer Yes to Remote includes in ./Config and $HOME/curl does not exist, it now asks you if you want to automatically download and install curl (which is done by ./curlinstall). This has been tested on Linux, further testing on f.e. FreeBSD is required.
* Fixed a /RESTART issue on Linux: Unreal did not properly close all file-descriptors. Because of this, Unreal did not restart properly as you would get an "Address already in use" error. This only seemed to happen when logging to syslog, or when there was something wrong with syslogd. Reported by Mouse (#0003882).
* Fixed a similar issue with syslog (and debugmode) and closing fd's as well: the first port we listened on would not open up, ircd did not log any error.
* Added set::uhnames setting which can be used to disable uhnames by setting it to 'no', the default is 'yes' (on). Requested by Robin (#0003885) as UHNAMES may increase the time of the nick list being loaded from 1 to 4 seconds when joining several channels with more than 1000 users. As this problem is only present on some networks, we keep UHNAMES enabled by default.
* Added patch from ohnobinki (#0003888), only slightly edited, which improves curl detection, added checks to see if curl actually works (print out a clear curl error during configure, instead of getting an error during 'make'), and we now error when using --enable-libcurl without --with-system-cares if the system curl depends on c-ares. This is because this can cause ABI incompatibility between curl's c-ares and our c-ares, which leads to odd issues such as:
    Could not resolve host: www.example.net (Successful completion)
  And possibly other weird issues, perhaps even crashes.
* Patch from above is (temp.) reverted, Unreal wouldn't compile without curl.
* Reverted the revert and updated one line to fix the fix.
* Fix for --with-system-cares, reported and patch provided by ohnobinki (#0003890).
* Another c-ares fix for Solaris 10, this time it had to do with PATH_SEPARATOR, the exact error was:
    error: PATH_SEPARATOR not set.
  Reported by j0inty, patch provided by ohnobinki (#0003887).
* Updated pkg-config m4 macro (now 0.23) for configure, patch from ohnobinki (#0003889).
* Better document /REHASH flags. No longer document some flags as they are redundant and confusing. Also removed an old statement saying k-lines would be erased on rehash which is not true. Documented '/rehash -dns'. Reported by ohnobinki (#0003881).
* We now no longer treat \ (backslash) in *MOTD and RULES files as special. Previously this caused some really odd behavior.
  Backslashes are now treated as-is, so no special escaping is necessary. Reported by DelGurth (#0003002).
* Removed old dgets() and crc32 function (code cleanup)
* Updated ./Config description for NOSPOOF, it already said it protects against HTTP POST proxies, now added some extra text to say it also protects against the Firefox XPS IRC Attack. Also made NOSPOOF enabled by default on *NIX (this was already the case on Windows).
* Updated ./Config description for DPATH. Seems quite some people answer this question wrong, and when that happens, you only get some obscure error when running './unreal start'.
* Fixed 'unreal' script to give a better error if it cannot find the IRCd binary.
* Made '/REHASH -motd' really rehash *all* MOTD, OPERMOTD, BOTMOTD and RULES files. Reported by bitmaster (#0003894).
* IPv6: it seems some recent Linux dists decided to make IPv6 sockets IPv6-only, instead of accepting both IPv4&IPv6 on them like until now. FreeBSD (and other *BSD's) already did that move a few years back, requiring server admins to sysctl. We now make use of a new option to explicitly disable "IPv6-only". This should work fine on Linux. Whether it provides a complete solution for FreeBSD, I don't know, testing is welcome! In theory setting net.inet6.ip6.v6only to 0 should no longer be needed, but you might still need to enable ipv6_ipv4mapping.
* Fix stupid issue where current CVS would no longer link TO an earlier Unreal server (eg: outgoing connect to a 3.2.8 hub). Reported by ohnobinki (#0003901).
* Update Unreal.nfo with information about new support network setup (#0003904)
* Remove the ``Compile as hub/leaf'' concept as I'm quite sure this doesn't actually do anything (#0003891)
* Clarify/expand alias block documentation, especially for alias::type=command; (#0003902)
* Fix -DDEFAULT_PERMISSIONS=0 support. Previously, support.c:unreal_copyfile() would create files with no permissions, breaking loadmodule.
  (#0003905)
* Remove m_addline from commands.so
* Removed ugly ``files {} got initialized!'' message.
* SVSMODE now triggers HOOKTYPE_UMODE_CHANGE and HOOKTYPE_REMOTE_CHANMODE.
* Added chmode +r to HTML documentation.
* ./Config now remembers extra/custom ./configure parameters.
* Fixed bug in CVS where the ban exempt (+e) handling was reversed: if a non-matching +e was present, one could walk through bans. Reported by tabrisnet (#0003909). Bug was caused by stacked extbans.
* Partially fixed bug where IPv4 addresses were randomly mishandled by the cgiirc code, resulting in the sockhost/hostmask being set to something like ::ffff:127.0.0.1, which confused the s2s protocol. Reported by tabrisnet (#0003907). Also, reject incorrectly formed hostnames from WEBIRC command.
* More strict sockhost (hostmask) checking in m_nick.c:_register_user(). Fixed some bad string handling as well. See comments in bug (#0003907).
* Throw out old USE_POLL code which 1. has no buildsystem support and 2. has comments which claim it doesn't work.
* Removed extraneous apostrophe from a module loader error message.
* Added error message for unknown directives in the "files" block
* Remote MOTD support. Not adequately tested. Required restructuring of the asynchronous download callback and handler. (#)
* Added some consts throughout url.c, etc.
* Fix segfault where an include directive specifies a URL and cURL follows redirects, resulting in a different resultant URL. The remote includes code would look for the include block using the resultant URL and assume that it would be found. The new code searches differently, has new checks, and ignores the resultant URL.
* Removed duplicated m_motd() and friends that were both in modules and s_serv.c. The copies in s_serv.c (core) were overriding the in-module functions.
* Forgot to commit the REMOTEINC_SPECIALCACHE stuff to config.h which means it wasn't actually enabled until now...
* Fix typo
* Fix files::shortmotd to be accepted by unrealircd like the docs say it is.
* Fix remote includes download handling which I broke for remote includes ;-).
* Recursively add more consts.
* Rename configure.in to configure.ac and modernize AC_INIT.
* Handle bad flags in set::ssl::options better (#0003896).
* When removing a SHUN, check if users who were blocked by this SHUN are still blocked by another SHUN. Previously, if multiple shuns covered a single user, removing one of these shuns would mark the user as un-SHUN-ed. (#0003906)
* Fixed race condition / reference count issue where an outgoing server connect would cause the IRCd to crash. Reported by Monk (#0003913).
* Replaced some co...@li... references with bugs.unrealircd.org
* Fixed desynchronized prototype.
* Fixed a few trivial compilation warnings.
* Move configure.ac to the project's root.
* Separate m4 macros into *.m4 files (it is much easier to run aclocal now).
* Remove unused DOMAINNAME macro and --with-hostname= options as the DOMAINNAME macro isn't used anywheres and its use shouldn't be encouraged.
* autogen.sh to bootstrap the buildsystem. We now maintain setup.h with autoheader.
* --disable-blah now does the opposite of --enable-blah. The same for --with-blah and --without-blah. (This makes Gentoo users happier).
* Attempt to make up for Windows not having mode_t and not complying to POSIX.
* Fix references in src/win32 to aMotd to now be to aMotdFile.
* Fix references to motd and friends in src/win32. (#0003918)
* Remove include/nameser.h and reference to nameser.h from s_bsd.c. The associated functionality has been provided by c-ares for a long time.
* Remove remaining nameser.h references from Makefiles.
* Prevent stacked bans (like +b ~q:~q:~n:~c:#chanel) from crashing unrealircd due to over-recycling a static buffer. Discovered by syzop.
* helpop documentation for stacked extbans.
* Updated doc/coding-guidelines
* Fixed some odd behavior with SVSMODE and +z/-z, reported by TehRes (#0003498), fixed a strange SVSMODE +d <non-number> bug where it would act as a +x too.
* The patch from #0003888 made ./Config favor the curl in /usr, even if it was not compiled with c-ares, which is clearly a bad idea as then the entire IRCd can hang for several seconds or more... We now check if they support asynch DNS, and skip them if they don't.
* Remove extraneous `I' from configure.ac, run ./autogen.sh. (#3930)
* Added some checks in ./Config which (often) ensures that the self-compiled curl version is new enough and is not using a c-ares which is binary incompatible. If the self-compiled curl version is (too) outdated, then we now suggest to rename it and have the installer re-download and compile it automatically. This avoids some potential crashes.
* Give more clear error to users who use ``make custommodule'' without MODULEFILE. (#3935)
* Support compiling with a bundled c-ares again, the hacky way. (#3931)
* The configure.ac change silently changed the nospoof parameter in ./configure. This meant that the answer to NOSPOOF in ./Config was ignored and it was always enabled.
* Initialize ARG parameter properly in ./Config, otherwise everything fails.
* Fixed similar bug like nospoof with ./Config, but now with prefixaq.
* Same for IPv6
* Now define _SOLARIS, USE_LIBCURL, and ZIP_LINKS in setup.h instead of the Makefiles. This means better automatic rebuilds if the latter settings change.
* Updated unreal32docs:
  * Remove browser compatibility listing.
  * Added information about ``oper::password::auth-type sslclientcert'' and the same for link::password-receive::auth-type.
  * A little bit more of interlinking and using id="" instead of a name=""
  * Some minor tweaks
* Fix the detection for curl-without-c-ares a little (#0003940).
* Add an extban of the schema +b ~j:*!*@* which _only_ prevents a user from joining a channel.
  (#3192)
* Fix src/Makefile's lack of dependencies for modules.c, related to #3938.
* Fix a few compiler warnings with some double-casting and another const. (#3939)
* Define intptr_t in win32's setup.h. (#3939)
* Upgraded c-ares to 1.7.3. API seems compatible with c-ares-1.6.0. (#3932)
* Force compilation with bundled c-ares to statically link using more sed hackery in configure.ac.
* Remove extras/c-ares before each time c-ares is compiled.
* Uniform naming for 'stacked extbans' in Changelog/etc.
* Make extended bans documentation more clear by splitting the extbans in two groups: one that specifies ban actions (~q/~n/~j) and one that introduces new criteria (~c/~r). Also added documentation for ~R which does not exist yet, but will soon...
* This is actually an update of earlier code from CVS, but now it works ok:
  * Added support for "stacked" extbans. Put simply this allows extban combinations such as ~q:~c:#test to only silence users on #test, for example.
    This feature is enabled by default, but can be disabled during ./Config -advanced.
    This feature was suggested by Shining Phoenix (#0003193), was then coded by aquanight for U3.3, and later on backported and partially redone by Syzop.
    Module coders: In an extban ~x:~y:something where we call ~x the 1st, and ~y the 2nd extban: Since stacked extbans only makes sense where the 1st one is an action extended ban like ~q/~n/~j, most modules won't have to be changed, as their extban never gets extended (just like ~c:~q: makes no sense). However, you may still want to indicate in some cases that the extban your module introduces also shouldn't be used as 2nd extban. For example with a textban extban ~T it makes no sense to have ~n:~T. The module can indicate this by setting EXTBOPT_NOSTACKCHILD in the ExtbanInfo struct used by ExtbanAdd().
    For completeness I note that action modifier extbans are indicated by EXTBOPT_ACTMODIFIER.
    However, note that we currently assume all such extbans use the extban_is_ok_nuh_extban and extban_conv_param_nuh_or_extban functions. If you don't use these and use EXTBOPT_ACTMODIFIER, then things will go wrong with regards to stack-counting.
    Module coders should also note that stacked extbans are not available if DISABLE_STACKED_EXTBANS is defined.
* Added extended ban ~R:<nick>, which only matches if <nick> is a registered user (has identified to services). This is really only useful in ban exemptions, like: +e ~R:Nick would allow Nick to go through all bans if he has identified to NickServ. This is often safer than using +e n!u@h.
* Added Extended Invex. This is very much like extended bans, in fact it supports some of the same flags.
  Syntax: +I ~character:mask
  Currently supported are: ~c (channel), ~r (realname) and ~R (registered).
  This can be useful when setting a channel invite only (+i) and then setting invite exceptions such as +I ~c:#chan (or even ~c:+#chan), while still being able to ban users.
  Because action modifiers (~q/~n/~j) make no sense here, extended invex stacking (+I ~a:~b:c) makes no sense either, and is not supported.
  Suggested by DanPMK (#0002817), parts based on patch from ohnobinki.
  Module coders: set EXTBOPT_INVEX in the ExtbanInfo struct used by ExtbanAdd() to indicate that your extban may also be used in +I.
* Invex (+I) now always checks cloaked hosts as well. Just like with bans, it checks them also when the user is not currently cloaked (eg: did -x, or is currently using some VHOST).
* Fixed client desynch caused by (un)banning, reported by Sephiroth (#2837).
* IPv6 clones detection support (#2321). allow::ipv6-clone-mask determines the number of bits used when comparing two IPv6 addresses to determine if allow::maxperip is exceeded. This allows an admin to recognize that most IPv6 blocks are allocated to individuals, who might each get a /64 IPv6 block.
  set::default-ipv6-clone-mask defaults to 64 and provides default value for the allow blocks.
* Upgrade to tre-0.8.0, adding hack similar to the one for c-ares to ensure that the bundled tre is compiled against even when a system libtre is installed. (#3916)
* Install ircdcron scripts. (#2620)
* Autogenerate ircdcron/ircd.cron based on ./configure settings.
* Get rid of any setsockopt(IPV6_V6ONLY) errors in ircd.log (#3944).
* Actually initialize m_starttls when it's included into commands.so.
* Prepend a `0' to the beginning of --with-permission, working around a Mac OS X bug and hiding the fact that chmod()'s params are octal from users. (#3189)
* Warn users against running UnrealIRCd as root without setting IRC_USER. (#3053 reported by Stealth)
* Remove snomasks upon deopering when it seems like the user shouldn't have snomasks. (#3329)
* Fix /msg IRC WHOIS response for persons with secure connections. (#3947)
* Fix segfault by checking if RESTRICT_USERMODES is NULL in the code for bug #3329.
* Don't use sys/errno.h, as it's not POSIX and breaks on QNX-6.5.0. (#3955)
* Fixed another compile problem on QNX, reported by chotaire (#3955 too).
* Fixed incorrect messages regarding clock going backwards on QNX 6 and later, reported by chotaire (#0003956).
* Reverted an IPv6/Config fix I did on July 17. Reported by chotaire (#3958).
* Document the badword block more explicitly and clearly. (#3959)
* Add the m_nopost module written by syzop and compile it into commands.so. This module was written to help IRCd maintainers deal with some sort of ``XPS'' attack in which javascript-initiated HTTP POST form submissions were able to act as dummy IRC bots. These simple bots were the cause of much spam. Note that enabling NOSPOOF, which was the default on Windows and is now also the default on *NIX, already stops the troublemakers from getting on IRC.
  However, the nopost module kills them right away, rather than have them idle for 30 seconds which could consume all your connections, preventing (legit) users from being able to connect (#3893).
* Add a modules section to the documentation. This was created to put all documentation specific to the m_post module in one, easy to find place. The documentation on m_post is likely incomplete, however.
* Fixed notices to opers about server delinks not being broadcasted to all other servers if they were on SSL links. Reported by chotaire (#0003957).
* SSL errors are now more descriptive. In some cases, like server to server links it was still showing 'Underlying syscall error', this has now been replaced to show the actual (surprise!) underlying syscall error instead. Reported by vonitsanet, patch from ohnobinki (#0003157).
* Fix ordering of ``9. FAQ'' and ``10. Modules'' in HTML docs.
* Always display the real host of successful OPERing up. Reported by Josh. (#3950)
* Fixed braindamage in stacked bans.
* Add m_nopost to makefile.win32 in the hopes that it may work (#3961).
* Document spamfilter 'warn' action in unreal32docs.
* Fix missing OperOverride notices for +u and +L if not chanowner, reported by Mareo (#0003358), partial patch from goldenwolf.
* Updated doc/compiling_win32.txt with current free MS SDK information, patch from goldenwolf.
* And another m_nopost makefile.win32 fix.
* Some small updates to the extended channel mode system: it now has minimal support for 'local channel modes'. This is really only meant for channel mode +Z (upcase z), see next.
* Added Channel Mode Z which indicates if a channel is 'secure' or not. This mode works in conjunction with +z (lower case z).
  If +z is set ('only secure users may join'), then the IRCd scans to see if everyone in the channel is connected through SSL. If so, then the channel is set +Z as well ('channel is secure').
  Whenever an insecure user manages to join, the channel is -Z.
  And whenever all insecure users leave, the channel is set +Z.
  The 'insecure user being present in a +z channel' can be because:
  - An IRCOp joined the channel, and he's not secure
  - When servers link together and a user on the other side is not secure
    This only happens on net merge (equal time stamp). On different time stamp, we still kick insecure users on the new side.
  - At the time when +z is set, there are insecure users present.
  This feature was implemented after a heavy discussion in bug #3720 by fez and others, and was suggested by Stealth.
  Tech note: +Z/-Z is handled locally by each server. Any attempt to remotely set +Z/-Z (eg: by services) will be ignored.
* As mentioned above, +z can now be set even if any insecure users are present. Previously, this was not permitted. Now, as soon as the last non-SSL user leaves, the channel will be set +Z.
* An oper not connected through SSL previously had to /INVITE himself to a channel and then /JOIN the channel with the key 'override'. This 'override' key is no longer required, a simple JOIN will suffice.
* Sorted channel modes in /HELPOP ?CHMODES
* Re-enabled 'fishy timestamp' errors in MODE. For some reason this was commented out, even though the (more annoying and less useful) code in JOIN was enabled so that did not make a lot of sense. It also now logs to ircd.log (or whatever you configure). This enables people to easier find the cause of any timestamp issues (which usually is badly coded services).
* Win32 installer: Make it so a user can no longer accidentally check both 'install as service' and 'encrypt SSL certificate', as they are incompatible (a service cannot ask a user to enter a password). Reported by HotFusionMan (#0003848).
* Win32 installer: Fixed long outstanding problem with some Vista / Windows 7 installations, which has to do with file permissions of the Unreal3.2 folder.
Symptoms were error messages such as: Unable to create file 'tmp/10D9D743.commands.dll': Permission denied But also failing to create SSL certificates, nothing being logged, etc. This is now fixed by setting write access on the Unreal3.2 folder to the user running the install, unless the user chooses not to use this new option (it can be unchecked), in which case the user is warned that he should take care of this himself. Reported by various persons, special thanks to Bock and goldenwolf for helping us to track down this issue (#0003943). * Little tweak to +Z: when the last insecure user parts and the channel is set +Z (secure), the parting user saw the MODE too, which was silly. Reported by Robby22 (#0003720). * Added '/REHASH -global' command which will rehash all servers on the network. You can also specify options like '/REHASH -global -motd' to rehash only the MOTD/RULES/etc. Just like /REHASH <servername> this is a NetAdmin-only command. This command is fully backwards compatible with older UnrealIRCd version in the sense that it will also REHASH old Unreal's. Suggested by 'P' in #0001522. * Clarified the difference between 'except ban' (which exempts from KLINE and ZLINE) and 'except tkl' (which can exempt from GLINE, GZLINE, SHUN, QLINE and GQLINE). Reported by Digerati (#0002535). * Added except tkl::type 'all', which exempts from all TKL types (except KLINE). * Added set::options::allow-insane-bans which makes it possible to set really broad bans such as *@*.xx. Needless to say this can be very dangerous. Reported and patch provided by Stealth (#0003963). * Windows: When trying to load a module (DLL) windows can give us the mysterious error 'The specified module could not be found' even though the file exists. This usually means that it depends on another DLL, but apparently Microsoft decided not to mention that in the error message. We now append some small text when such an error happens, saying that it could be because of a missing dependency. 
Reported by Phil. * Fixed Windows compile problem with current CVS due to m_issecure, reported and fix provided by therock247uk (#3970). * Added release notes. * Error on zero sendq in class::sendq, reported by jonbeard. * Fix return values in src/auth.c on Win32. * Win32: Attempt to move to 100% winsock2 (the include, to be precise), this means includes have to be in a very particular order (!) * Win32: #define _WIN32_WINNT 0x0501 and force our own inet_ntop/pton, otherwise you get an ntop runtime error on XP and earlier. * Win32: Get rid of c-ares includes and library in our tree, and use the DLL instead of static LIB, just like we do for ssl and zlib. * Win32: Get rid of TRE lib and includes * Win32: reorder includes to fix winsock errors with curl * Win32: show missing /INFO in GUI ** 3.2.9-rc1 release ** * Enable parallel building of modules. * Fixed bug with curl not finding libcares, reported by katslaw. * Added workaround for 'curl-config' depending on 'bc'. * Fix typo 'alias::spampfilter' in German docs, reported by seraphim (#3978). * Fix missing #include <stdint.h>. Fixes compile error on OpenBSD reported by CuleX (#3977). * Fix invalid use of 'wc -l' when detecting the AsynchDNS feature of libcurl which breaks compilation on FreeBSD; instead use 'grep -q'. Reported by Jobe (#3981), solution proposed by satmd. * Fix bundled TRE compilation error on OpenBSD with pkg-config-0.21 where pkg-config can't find 'tre.pc'. Reported by CuleX. (#3982) Also properly escape the sed expression used in the pkg-config call. * Fix remote MOTDs for URLs whose path components contain subdirectories, in the process much simplifying my remote MOTD code. Reported by goldenwolf (#3986). * Windows installer: if an SSL certificate already exists, then don't check the 'create SSL certificate' by default. Patch from goldenwolf (#3965). * Update doc/compiling_win32.txt a bit (#3975). * Updated credits a bit (#3980). * Fix set::ssl::options::no-starttls not being recognized. 
* Fix pointer handling in remote MOTD code, fixing a crash on REHASH reported by goldenwolf (#3992). * Bump server protocol version to 2310, due to the various changes and so you can use deny link { } blocks if you want to deny older versions than this release. * Fix documentation about channel mode +t and halfops, thanks warg (#4007). * Fix empty/nonexistent short MOTD being shown instead of the full MOTD on user registration. Thanks WakiMiko (#4011). * Module coders: Added HOOKTYPE_HANDSHAKE which is called before the client handshake, IOTW: as soon as the connection is established. This can be used to do things prior to accepting any commands, such as sending some text. * Moved from cvs to hg (thanks binki!), this means cvs from this point in time should no longer be used (the lastest CVS version will not compile, this has been done on-purpose). The new way to access the development version of UnrealIRCd is: hg clone http://hg.unrealircd.org/unreal If you get something like 'hg: command not found' then you need to install mercurial. Most *NIX systems have such a 'mercurial' package, but if you don't, or you are on Windows or Mac OS X, then grab it at http://mercurial.selenic.com/ * Updated doc/compiling_win32.txt a bit. * The unreal32docs translations in Greek, Spanish and Dutch are marked as out of date. * CRLF conversion of unreal32docs.gr.html * Zip links: once a link was zipped, the error message when closing the connection was never actually sent (due to buffering). Hence, things like the /SQUIT reason was never seen on the other side (just 'server closed the connection'). This has now been fixed. * Fix compile failure introduced by last change when zip links are disabled. * Check that the automatically-generated cloak keys fit unrealircd's own criteria before printing them out. (#4017) * Added aliases/atheme.conf, provided by katsklaw (#0003990). * Support installing the ircd binary for people who set --with-spath=<dpath>/bin/ircd. 
* Add missing quotation to doc/help.fr.conf (#4026 by MewT). * Remove temporary message (Unreal3.2.1) regarding cloaking modules. * Add a self-documented and commented files {} block to example.conf. * Another fix-for-fix of zip links buffering from a few weeks ago. Reported by fbi (#0004030). * Win32: fix rehash from the command line not working, reported by Platzii (#0004028). * Update curl-ca-bundle.crt ** 3.2.9-rc2 release ** * Updated credits (donations) * Updated credits (supporters, coders) ** 3.2.9 release ** - -- Bram Matthys Software developer/IT consultant sy...@vu... Website: www.vulnscan.org PGP key: www.vulnscan.org/pubkey.asc PGP fp: BBBC E14E 3D9B 3655 7BE1 24A0 E3A8 A873 9DF4 E5AF -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFOtVEX46ioc5305a8RAjPOAKDgvJwR0i2l0PAoSH9UEziPngnjiwCff6YA Uy485DnKUbJmub3X6eCICeo= =ZPW8 -----END PGP SIGNATURE----- |
From: Bram M. (Syzop) <sy...@vu...> - 2010-06-14 20:03:38
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

After receiving many questions of what we are doing with regards to the hack incident, here's my reply:

First, we now PGP/GPG sign releases. Our GPG key is rel...@un... (0x9FF03937). When downloading UnrealIRCd you will be given instructions on how to verify the integrity of the file.

Second, we're now isolating/shielding the main site from the rest, and making parts unmodifiable, to prevent catastrophes in case of a break-in.

Third, we added several methods of detection when files and other data are modified.

Fourth, we'll only serve the files from the main site for now. While the mirror admins did not have any blame in this, it does mean we only have to protect our own site(s).

And finally we did some other things which I won't mention here.

In short: we've really tightened security since the break-in to make sure this will never ever happen again. As you may understand, we really can't afford a repeat of this incident.

On an unrelated side note, I find the claims in various media that this security incident indicates that Linux and Open Source cannot be trusted and that Microsoft and closed-software is better really silly. It lacks any foundation. A hacker, once in, could just as easily have inserted the backdoor in Windows software. In fact, it is *THANKS* to it being Open Source that this backdoor got noticed, though - I fully agree - much too late.

- --
Bram Matthys
Software developer/IT consultant sy...@vu...
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: BBBC E14E 3D9B 3655 7BE1 24A0 E3A8 A873 9DF4 E5AF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFMFosK46ioc5305a8RAmDEAKDTuw29yKIBaX5d0ps8HZWh+SZ11ACgwEES
3YAEvVlHmpWtxDSMHlbpvyI=
=1guj
-----END PGP SIGNATURE-----
From: Bram M. (Syzop) <sy...@vu...> - 2010-06-12 09:26:07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

This is very embarrassing...

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in).

It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.

Obviously, this is a very serious issue, and we're taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly. We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do.

Safe versions
==============
The Windows (SSL and non-ssl) versions are NOT affected.
CVS is also not affected.
3.2.8 and any earlier versions are not affected.
Any Unreal3.2.8.1.tar.gz downloaded BEFORE October 11 2009 should be safe, but you should really double-check, see next.

How to check if you're running the backdoored version
======================================================
Two ways:

One is to check if the Unreal3.2.8.1.tar.gz you have is good or bad by running 'md5sum Unreal3.2.8.1.tar.gz' on it.
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

The other way is to run this command in your Unreal3.2 directory:
    grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs two lines, then you're running the backdoored/trojanized version.
If it outputs nothing, then you're safe and there's nothing to do.

What to do if you're running the backdoored version
====================================================
Obviously, you only need to do this if you checked you are indeed running the backdoored version, as mentioned above. Otherwise there's no point in continuing, as the version on our website is (now back) the good one from April 13 2009 and nothing 'new'.

Solution:
* Re-download from http://www.unrealircd.com/
* Verify MD5 (or SHA1) checksums, see next section (!)
* Recompile and restart UnrealIRCd

The backdoor is in the core, it is not possible to 'clean' UnrealIRCd without a restart or through a module.

How to verify that the release is the official version
=======================================================
You can check by running 'md5sum Unreal3.2.8.1.tar.gz', it should output:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz

For reference, here are the md5sums for ALL proper files:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe

These are the EXACT same MD5sums as mentioned on April 13 2009 in the initial 3.2.8.1 announcement to the unreal-notify and unreal-users mailing list.
<http://sourceforge.net/mailarchive/forum.php?thread_name=49E341E0.3000702%40vulnscan.org&forum_name=unreal-notify>

Finally
========
Again, I would like to apologize about this security breach. We simply did not notice, but should have. We did not check the files on all mirrors regularly, but should have. We did not sign releases through PGP/GPG, but should have done so.

This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Hope you'll all continue to support UnrealIRCd.

- --
Bram Matthys
Software developer/IT consultant sy...@vu...
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: BBBC E14E 3D9B 3655 7BE1 24A0 E3A8 A873 9DF4 E5AF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFME09+46ioc5305a8RApKHAKCWZNS0tDToLXBZdpQni2VmDq+N3ACgjh5R
MkQ3RNlvQQy0J4gmpBgS0YQ=
=i+W6
-----END PGP SIGNATURE-----
From: Bram M. (Syzop) <sy...@vu...> - 2009-04-13 13:45:11
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY ADVISORY
==================
A serious buffer overflow issue has been discovered in UnrealIRCd.
This issue can cause the IRC server to crash.
It is not clear if this issue can lead to remote code execution.

==[ AFFECTED VERSIONS ]==
This bug can ONLY be triggered if allow::options::noident is in use. By default, this is not the case, and it's not a very common option to use.
To check for this, you can search for "noident" (without quotes) in your config files (such as unrealircd.conf).

If you don't use this option, you are safe, and there's no need to upgrade.

If you use the noident option, and you're using Unreal3.2.8 or earlier (this issue goes back to 3.2beta11), then you are affected.

==[ PROBLEM ]==
A buffer in the code which handles user authorization is copied without sufficient length checks, causing a buffer overflow.
This bug happens BEFORE the user is online. In other words: even if you have a password protected server, or only allow certain ip/hosts in, and you use allow::options::noident, then this bug can still be triggered.

There has been one report of this bug being abused by "bad guys" to crash the server, so if you're using allow::options::noident then it's highly recommended to either implement the WORKAROUND or FIX as soon as possible.

==[ WORKAROUND ]==
The workaround is simply to remove noident from the allow::options and /REHASH.
For example, if you have:
allow {
    ip "*abc@*";
    hostname "*abc@*";
    class clients;
    maxperip 3;
    options { noident; }; // MARK
};
Then simply remove the line marked with MARK, and /REHASH the IRCd.

Naturally, if you rely on the noident feature on your network/IRCd, then this may not be an option for you. Check out the FIX in next section, instead.

==[ FIX ]==
Thanks to having a (partially) modular IRC server, we have created a "hot fix" utility that will fix the issue WITHOUT requiring a server restart. All you will have to do is install it and rehash.
This patch can be used on UnrealIRCd versions 3.2.3 - 3.2.8. If you are using any older version (unsupported), then we suggest you upgrade to the latest version or implement the workaround.

*NIX:
Download and run the hotfix utility, available from these locations:
http://www.unrealircd.com/upd/unrealpatch328
http://www.vulnscan.org/unr/unrealpatch328
EXAMPLE:
cd ~/Unreal3.2 && wget http://www.unrealircd.com/upd/unrealpatch328 && \
chmod +x unrealpatch328 && ./unrealpatch328
(or use 'fetch' instead of 'wget', or any other download utility)

Alternatively if that did not work, try this .tar.gz:
http://www.unrealircd.com/upd/qpatch.tar.gz OR
http://www.vulnscan.org/unr/qpatch.tar.gz
Extract it, cd to the qpatch directory and run ./doinstall

Windows:
Unfortunately, we did not have the resources to make a hotfix utility for Windows, so you will have to either implement the workaround or upgrade your UnrealIRCd to 3.2.8.1:
http://www.unrealircd.com/downloads/unreal/win (Windows)
http://www.unrealircd.com/downloads/unreal/winssl (Windows SSL)

==[ NEW VERSION ]==
While for existing installations you can use the FIX as explained above, for fresh installs we've released a new Unreal version called 3.2.8.1, which can be downloaded from http://www.unrealircd.com/

MD5 checksums:
86212ebf6feab6cc57a4ebba99632db2 qpatch.tar.gz
c855fd1fe1cb2f08095bf7cd8f2f1120 unrealpatch328
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe

SHA1 checksums:
6654bccd941ea038e9bef847703b25450b739ba1 qpatch.tar.gz
766118e3cdad454dc189a8bb06cbc8ff55cdb7f7 unrealpatch328
363c3c995bb38cf601f409610ce1937a0002c419 Unreal3.2.8.1.tar.gz
d2e73094149bbcc9238b111f12f30fa8f8a463cc Unreal3.2.8.1.exe
336972a8201a67be2bcbb012f66abd11d19ade46 Unreal3.2.8.1-SSL.exe

==[ TIMELINE ]==
Times are UTC
2009-04-10 Bug reported
2009-04-11 Additional information requested
2009-04-12 Information provided
2009-04-12 Bug traced, working on fix
2009-04-13 Fix & binaries ready. Public announcement

==[ SOURCE ]==
A copy (and any updates) of this advisory is available at:
http://www.unrealircd.com/txt/unrealsecadvisory.20090413.txt

- --
Bram Matthys
Software developer/IT consultant sy...@vu...
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFJ40Hg46ioc5305a8RAtJ8AJ93VqLlPO4mG/Cpd2oTTQLp0y1O9wCgrDWP
Y05KNA9Z/Qahog8dR9SrAlQ=
=27vA
-----END PGP SIGNATURE-----
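A stricter version of the advisory's "search for noident" check, as an added example (not UnrealIRCd code): it reports only allow blocks whose options really contain noident, so hits in comments or in other blocks do not count. The tokeniser, the function name and the sample configuration are constructed for illustration; it assumes the `options { ...; };` block form shown in the advisory, and included files have to be passed in separately.

```python
import re

# Tokens of the config syntax used in the advisory's example: comments
# (/* */, // and #), quoted strings, the punctuation { } ; and bare words.
TOKEN_RE = re.compile(r'''
    (?P<comment>/\*.*?\*/|(?://|\#)[^\n]*)
  | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<punct>[{};])
  | (?P<word>[^\s{};"]+)
''', re.S | re.X)

# Constructed sample, used only to demonstrate the check.
SAMPLE_CONF = """\
/* constructed sample, not a real server configuration */
allow {
    ip "*abc@*";
    hostname "*abc@*";
    class clients;
    maxperip 3;
    options { noident; };
};
allow {
    ip *@*;
    hostname *@*;
    class clients;
    // options { noident; };  (commented out, must not be reported)
};
# noident is only mentioned here
listen *:6667 { options { clientsonly; }; };
"""


def find_noident_allow_blocks(conf_text):
    """Return one dict per allow block that sets options::noident.

    Each dict holds the line of the block's opening brace and the block's
    ip and hostname masks, so the operator can find the entry to edit.
    """
    findings = []
    stack = []      # names of the blocks we are currently inside
    pending = []    # tokens of the statement being read
    current = None  # details of the allow block being read, if any
    for match in TOKEN_RE.finditer(conf_text):
        kind, tok = match.lastgroup, match.group()
        if kind == "comment":
            continue
        if kind == "string":
            pending.append(tok[1:-1])
        elif kind == "word":
            pending.append(tok)
        elif tok == "{":
            stack.append(pending[0].lower() if pending else "")
            if stack == ["allow"]:
                line = conf_text.count("\n", 0, match.start()) + 1
                current = {"line": line, "ip": None,
                           "hostname": None, "noident": False}
            pending = []
        elif tok == ";":
            if current is not None and pending:
                key = pending[0].lower()
                if (stack == ["allow"] and key in ("ip", "hostname")
                        and len(pending) > 1):
                    current[key] = pending[1]
                elif stack == ["allow", "options"] and key == "noident":
                    current["noident"] = True
            pending = []
        else:  # "}"
            if stack == ["allow"] and current is not None:
                if current["noident"]:
                    findings.append(current)
                current = None
            if stack:
                stack.pop()
            pending = []
    return findings


if __name__ == "__main__":
    for hit in find_noident_allow_blocks(SAMPLE_CONF):
        print("allow block at line %(line)d uses noident "
              "(ip %(ip)s, hostname %(hostname)s)" % hit)
```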
From: Bram M. (Syzop) <sy...@un...> - 2009-03-01 21:13:03
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It has been 1.5yrs since last release, and quite some things have changed. Stskeeps has left the UnrealIRCd project [1], and Unreal4 (and it's based-on-InspIRCd idea) is dead. The story of Unreal3.2, however, continues (at a slow pace): we bring you a new UnrealIRCd version, 3.2.8, in which we have added a few new features, some innovative like watch away notification, and have fixed some major bugs / added some important workarounds such as slow spamfilter detection(&removal) and detection of time shifts. In total this release consists of over 70 changes. See the Release Notes below for more information. Unreal3.2.8 Release Notes ========================== ==[ GENERAL INFORMATION ]== - If you are upgrading on *NIX, make sure you run 'make clean' and './Config' first, before doing 'make' - The official UnrealIRCd documentation is doc/unreal32docs.html online version at: http://www.vulnscan.org/UnrealIRCd/unreal32docs.html FAQ: http://www.vulnscan.org/UnrealIRCd/faq/ Read them before asking for help. - Report bugs at http://bugs.unrealircd.org/ - When upgrading a network, we assume you are upgrading from the previous version (3.2.7). Upgrading from 3.2.6 or 3.2.5 should also be no problem. However, if you have a network running with servers that are several versions behind (eg: 3.2.1) then you might experience small (desynch) problems. Please also minimize the time you have multiple versions running, a few days or one week is generally not a problem, but having mixed versions on a network for several weeks or months is not recommended. - The purpose of the sections below (NEW, CHANGED, MINOR, etc) is to be a SUMMARY of the changes in this release. There have been 70+ changes, and trying to mention them all would be useless, see the Changelog for the full list of changes. 
==[ NEW ]== - set::level-on-join: this defines which privileges a user receives when creating a channel, default is 'chanop', the only other available setting is 'none' (opless). - Away notification through WATCH: This allows clients to receive a notification when someone goes away or comes back, along with a reason, a bit like IM's. There's probably no current client supporting this but it would be a nice feature in notify lists. Client developers: see Changes file for full protocol details. This feature can be disabled by setting set::watch-away-notification to 'no'. - Spamfilter: Slow spamfilter detection: For each spamfilter, Unreal will check, each time it executes, how long it takes to execute. When a certain threshold is reached the IRCd will warn or even remove the spamfilter. This could prevent a spamfilter from completely stalling the IRCd. Warning is configured through set::spamfilter::slowdetect-warn (default: 250ms) and automatic deletion is configured by set::spamfilter::slowdetect-fatal (default: 500ms). You can set both settings to 0 (zero) to disable slow spamfilter detection. This feature is currently not available on Windows. - SSL: set::ssl::server-cipher-list can be used to limit the allowed ciphers - SSL: To specify when an SSL session key should be renegotiated you can use set::ssl::renegotiate-bytes <bytes> and set::ssl::renegotiate-timeout <seconds>. - UHNAMES support: This sends the full nick!ident@host in NAMES which can be used by clients for their IAL. mIRC, Klient, etc support this. - There have also been some behavior changes, which can be considered NEW, see next section (CHANGED). ==[ CHANGED ]== - IPv6: On IPv6 servers you no longer have to use ::ffff:1.2.3.4 IP's for IPv4 in the config file, you can use the simple 1.2.3.4 form, as they are converted automatically. 
- When someone is banned and /PARTs, the part reason (comment) is no longer shown - ChanMode +S/+c: now strips/blocks 'reverse' as well - Smart banning is now disabled by default because it was too annoying, this means that f.e. if there's a ban on *!*@*.com then you can still add a ban on *!*@*.aol.com - except ban { } now also protects against ZLINEs and ban ip { } - Modules: user modes and channel modes without parameters (eg: +X) no longer have to be PERManent, this means they can be upgraded/reloaded/unloaded on-the-fly. ==[ MAJOR BUGS FIXED ]== - Zip links issue (Overflowed unzipbuf) - Crash issue with 3rd party modules that introduce new channel modes w/parameters - Mac OS X: Various issues which prevented the IRCd from booting up - Remote includes (constant) crash with new curl/c-ares versions - A few rare crash issues, including a crash when linking to another server - In case of clock adjustments, the IRCd will no longer freeze when the time is adjusted backwards, nor will it incorrectly throttle clients when adjusted forward. However, because clock adjustments (time shifts) of more than xx seconds are so dangerous (and will still cause a number of issues), big warnings are now printed when they happen. Morale: synchronize your system clock, or use the built-in timesync feature. ==[ MINOR BUGS FIXED ]== - CGI:IRC: Several IPv6 issues, both on IPv6 IRCd's and CGI:IRC gateways - IP masks in oper::from::userhost sometimes didn't match when they should - (G)ZLINE's on IPv6 users were sometimes rejected - CHROOTDIR works again - OperOverride fixes - Throttling is now more accurate - And more... see Changelog ==[ KNOWN ISSUES ]== - Regexes: Be careful with backreferences (\1, etc), certain regexes can slow the IRCd down considerably and even bring it to a near-halt. In the spamfilter user target it's usually safe though. Slow spamfilter detection can help prevent the slowdown/freeze, but might not work in worst-case scenario's. 
- Regexes: Possessive quantifiers such as, for example, "++" (not to be confused with "+") are not safe to use, they can easily freeze the IRCd. - Suse 10.3 in 64 bit mode (amd64, x64) is known to crash UnrealIRCd on-boot, this is likely to be a Suse 10.3 bug as over 3 people reported it with that exact OS / arch. ==[ CHANGELOG ]== - Fix aquanight's email - #0003351 reported by Mareo regarding m_addmotd.so and m_svslusers.so not being created - Fixed bug in SJOIN, possibly causing things like odd bans showing up in some circumstances. Reported by Hurga, patch provided by fbi. - Now allowing '1.2.3.4' ips again in IPv6 mode as well (instead of enforcing '::ffff:1.2.3.4' ips in the conf, they are now auto-converted to that). Based on patch from tabrisnet. - Fixed issue where the cgiirc block did not work with IPv6, reported by djGrrr, fixed by previous change. - Fixed CHROOTDIR, which was broken in 3.2.7: IRC_USER/IRC_GROUP did not work properly when CHROOTDIR was in use (#0003454). - Fixed oper block bug where ip masks in oper::from::userhost did not always work succesfully (ex: 192.168.* worked, but 192.168.*.* didn't). Issue was introduced in 3.2.7, reported by tabrisnet (#0003494). - CGI:IRC + IPv6: Fixed cgiirc block hostname never matching ipv4 cgiirc gateway properly (..again..), this was previously reported by pv2b. - CGI:IRC + IPv6: Fixed issue where all cgiirc ipv4 clients were rejected with the message 'Invalid IP address', reported by stskeeps (#0003311), nate (#0003533) and others. - Document CHROOTDIR in unreal32docs, reported by Beastie (#0002446). - Fixed Mac OS X issue where "access denied" errors were encountered when trying to read unrealircd.conf. All due to strange chmod() behavior. We now no longer try to set permissions on Mac OS X. Patch provided by Tibby (#3489). - Hopefully fixed 'Overflowed unzipbuf increase UNZIP_BUFFER_SIZE' issue, reported by Monk (#0003453). It should be large enough now. 
Also changed the way we deal with this when it happens (if it ever happens again..): we now close the server connection, instead of trying to continue, because continueing is too dangerous. - Remove part reason when user is banned, suggested by vonitsanet (#0003354). - Fixed set::modes-on-join: could crash or disfunction with certain parameter mode combinations. - Minor source cleanup in src/modules/m_map.c, suggested by fez (#0003540). - Usermode modules now no longer have to be permanent (#3174), this was simply a bug that was introduced when adding remote includes support years ago. - Channelmode modules without parameters (like: +X, but not: +X 1) no longer have to be permanent. Channelmodes with parameters still have to be PERM however, and there are currently no plans to change it. - Fixed bug (in all Unreal versions) with parameter channelmodes, any 3rd party module which adds an extra parameter chanmode could cause crashes. - Added set::level-on-join: which level should the user get when (s)he's is the first to enter a channel. Currently only 'none' and 'op' are supported. - unreal32docs.html: doubt it will help much but at least this makes it a little bit more clear (#3548), chatops vs globops. - ChanMode +S/+c: reverse is now stripped/blocked as well, because it's similar to color, and is just as annoying (..if not worse). - So called 'smart' banning is now disabled by default, this means you can now set a ban on *!*@*h.com and then later add one on *!*@*blah.com without any trouble. Previously the second one was rejected due to the former already matching it. To change it back edit the include/config.h setting SOCALLEDSMARTBANNING. - Fixed (G)ZLINE check.. it was incorrectly rejecting many IPv6 bans. Reported by guigui (#0003572). - Backport from 3.3 away notification from Oct 2006, this is v0, a further patch will follow soon and the numerics will be changed. - Ok, finished away notification in WATCH. It now shows the away reasons too. 
This new feature (away notify) is announced in 005 (ISUPPORT) as: WATCHOPTS=A Format is: WATCH A +UserOne +UserTwo New numerics to cope with away notification in WATCH are: RPL_NOWISAWAY: to indicate the user is away _when adding_ it to WATCH list RPL_GONEAWAY: user was not away, but is now RPL_NOTAWAY: user was away, but is no longer away RPL_NOWISAWAY: user was away, and still is, but the reason changed Example: WATCH A +Target Request to add user 'Target' to the watch list with away notification :maintest.test.net 609 MySelf Target ~blih test.testnet 1204309588 :not here atm Reply to watch add: user is online and away, reason is provided :maintest.test.net 599 MySelf Target ~blih test.testnet 1204309588 :is no longer away User is back (no longer away) :maintest.test.net 598 MySelf Target ~blih test.testnet 1204309722 :lunch State change: user is now away, reason is provided :maintest.test.net 597 MySelf Target ~blih test.testnet 1204309738 :shopping, bbl User is still away, but reason changed. The syntax for each numeric is: <nickname> <username> <hostname> <awaysince> :<away reason> In case of 599 (RPL_NOTAWAY) it is: <nickname> <username> <hostname> <awaysince> :is no longer away For the record, this is all based on a draft from codemastr from 2004, which was implemented in Unreal3.3 (devel branch) in 2006. Today, in 2008 it was updated with away reason support and backported to Unreal3.2. Because away notification hasn't been used until now (due to it only being in Unreal3.3) we felt it was safe to break some numerics. - Upgraded c-ares to 1.5.1, thanks to aegis for the partial patch (#0003671). This also fixed a curl compile/run issue, reported by static-x (#0003545). - Added slow spamfilter detection. For each spamfilter, Unreal will check, each time it executes, how LONG it takes to execute. When a certain threshold is reached the IRCd will warn or even remove the spamfilter. 
This will prevent a spamfilter (regex) from slowing down the IRCd too much, though it's still not a guarantee that it will never go to a halt (eg: in case it takes several minutes to execute a regex or loops forever). Warning can be configured via set::spamfilter::slowdetect-warn (default: 250 milliseconds) and automatic deletion of spamfilters if it takes too long is set through set::spamfilter::slowdetect-fatal (default: 500 ms). NOTE: slow spamfilter detection is currently not available on Windows. NOTE 2: to disable slow detection you can set the warn and fatal settings to 0 (zero). OR to really disable all code, remove SPAMFILTER_DETECTSLOW from include/config.h and recompile. - Added another Mac OS X hack, such as one that should help against 'error setting max fd's to 9223372036854775807' which prevents the ircd from booting up. Reported by btcentral and Bock. This hack might not be totally correct though ;). - Limit watch status requests to one per time, more will often flood you off and is stupid/useless. Reported by ash11. - The OS version output is now taken from uname() at runtime instead of 'uname -a' at compile time. This fixes bug #1438 and #3320 reported by Mouse and Monk, where because of previous behavior the IRCd sometimes would not compile in certain environments. - configure script is now generated by autoconf 2.61 (was: 2.59), hopefully that won't cause any issues, perhaps it even helps to fix some bugs... - #0001740 reported by Trocotronic, making the IRCd send ERROR : to all links with possible reason for RESTART; like /die does it. [Backport, sts] - Added set::ssl::server-cipher-list, #002368 requested by Beastie [Backport, sts] - Added set::ssl::renegotiate-bytes, set::ssl:renegotiate-timeout, #0002971 suggested by tabrisnet. Gets activated when >0. Please set sane values. 
[Backport, sts] - #0002475 reported by aquanight on detecting \'s in module filenames on win32 and not do ./module for it [Backport] - #0002172 reported by Stealth, patched by WolfSage, fixing if you have an admin block, and forget a semicolon on a line, Unreal will proceed to use the block with no error, but the information will be incorrect/incomplete. [Backport, WolfSage] - #0002833 reported and patched by tabrisnet, implementing UHNAMES [Backport, only slightly modified for speed] - #0001924 - requested by syzop: Added ./unreal gencloak, which generates random keys 10 ~ 20 characters in length (*NIX only). [Backport, aquanight] - #0003313 reported by Stealth, regarding not erroring/warning when me::name is bigger than HOSTLEN, from now it will error on config read. [Backport, sts] - /REHASH -all not case sensitive - Win32 makefile: removed /MAPINFO:LINES, since visual studio 2005 and up don't support this and will fail to compile UnrealIRCd. This fixes #3680, reported by therock247uk. - Upgraded c-ares to 1.6.0 (also now using pkg-config). If you get a "undefined reference to `clock_gettime'" error, then you might consider installing 'pkg-config' on your system, and then simply re-run ./Config and make, should fix things. TODO: testing! testing! i'd like to be sure this c-ares is stable! - Win32 compile fixes. - Upgraded c-ares on windows to 1.6.0 as well. - Win32: build w/manifest. Looks like Unreal@Win32 now actually works again :). - except ban { } is now also effective against Z:lines. It already protected when the user was connected, but not once he/she tried to reconnect, this is now fixed. Reported several times, last by Stealth in #0003377. - Fix crash if settime/expirytime is out of range in TKL, set by another server. Should never happen except when using faulty services or when something else got horrible wrong (like a date which is 40 years ahead). Reported by Darth Android (#0003738). 
- Fix NAMES with UHNAMES support, screwed it up at 'Win32 compile fixes' a few lines up...
- Fix OOB read caused by UHNAMES support.
- Added some countermeasures against crash-on-boot, #0003725 and #0003653, reported by Ablom2008 and mist26.
- Win32: rebuild TRE for Vstudio 2008 (and ditch C++ / MSVCP... dependency).
- Added release notes (not finished yet).
- Added set::watch-away-notification which can be set to 'no' to disable WATCH away notification. The default is 'yes' (=enabled).
- Fixed crash which could happen when rehashing while linking to a server, this could be #0003689 reported by Monk.
- New HOOKTYPE_LOCAL_NICKPASS: the 2 parameters are: sptr (client) and nsptr (NickServ client, NULL if not present). You can return 1 (HOOK_DENY) to make the IRCd not send IDENTIFY to NickServ. Suggested by tabrisnet (#0003739).
- A notice is now sent when listing spamfilters through /SPAMFILTER just like /stats f. Bug #0003752 reported by Strawberry_Kittens, similar to #0002533.
** 3.2.8-rc1 release **
- Added documentation for set::spamfilter::slowdetect-warn, set::spamfilter::slowdetect-fatal, set::ssl::server-cipher-list, set::ssl::renegotiate-bytes, set::ssl::renegotiate-timeout, set::watch-away-notification and ./unreal gencloak. Reported by Bock (#0003764).
- set::ssl::renegotiate-bytes: fix when specifying a value such as 10m.
- './unreal gencloak' now actually works
- Fix typo in user mode q notice, reported by Strawberry_Kittens and others (#0003761). Patch provided by Stealth.
- Fix for Mac OS X compile problem (in setpgrp), reported by Bock / Jckf (#0003767).
- Possible fix for MAC OS X compile problem
- Bump docdate..
- Fixed OperOverride bug: if you are halfop you couldn't -q/-a, reported by Strawberry_Kittens (#0003758).
- Added note to release notes regarding Suse 10.3 on amd64 causing a crash on-boot. #0003725, #0003653, #0003791.
- Updated regex documentation in unreal32docs, it had some incorrect statements regarding wildcards.
  Reported by james2vegas (#0003800).
- Added some big warnings regarding big timeshifts. In the IRCd world correct time is very important. This means that time should be correct when the IRCd is booted, either by running ntpd/ntpdate on the system or some other synchronization software, or by using the built-in timesync feature.
  Whenever the clock is adjusted for more than a few seconds AFTER the IRCd has booted, it can lead to dangerous effects ranging from unfair timestamps for nicks and channels (and hence the possibility to takeover channels), to even completely stalling the IRCd (negative timeshift) or making it so nobody can connect anymore due to throttling (positive timeshift).
  We now try to 'fix' the worst effects such as the IRCd freeze and throttling. This does not fix the whole problem, so I've added some big warnings when the clock is adjusted, including an annoying one every 5 minutes if the clock was set backwards, until the time is OK again (catches up with the original time).
  This fixes #0003230 reported by Stealth, and #0002521 reported by durrie.
- Throttling time is now more accurate, especially with larger time values such as 3 connections per 60 seconds. Previously that -could- result in 3 per 90 seconds due to timer inaccuracy (which was max <time>*1.5), now it would be max 65 seconds (max 5s inaccuracy, lower with lower times).
- Smallll fix for time shift protection
** 3.2.8-rc2 release **
- Some text fixes regarding time shift feature
- Fix for compile problem on FreeBSD (and possibly other OS's):
  - When pkg-config is present but does not recognize --static, use default c-ares library options.
  - Set default c-ares library options to -lcares on FreeBSD and others. Set to -lcares -lrt on Linux (previously was -lcares -lrt for all).
  Thanks to goldenwolf for the bugreport (#0003803) and providing a test-shell to trace this issue down.
** 3.2.8-rc2 *NIX downloads replaced **
- 'link xx with SSL option enabled on non-SSL compile' was incorrectly printed out as a warning, when in fact it's an error (and was treated as such). Same for ZIP on non-zip compile. Reported by Stealth (#0003833).
- Fixed harmless (but silly) message which happened on every IRCd boot (time jump message).
- Updated credits (donations)
** 3.2.8 release **

As usual, you can download UnrealIRCd from http://www.unrealircd.com/

MD5 checksums:
53dd20a7581670997400a74fa0bb674a Unreal3.2.8.tar.gz
3bc329c9892959df8f40ebc7359110fc Unreal3.2.8.exe
5246701fcf90bcb8b1bf1c3f18575807 Unreal3.2.8-SSL.exe

SHA1 checksums:
4b03254d5e19b827f0653a083c0b7f895914b8be Unreal3.2.8.tar.gz
a6c6002b161b623df4e44e2f070b2e80bf2af78c Unreal3.2.8.exe
26ff2e3aad0dd6638009483696b44fe7c198c355 Unreal3.2.8-SSL.exe

Thanks go to:
* Stskeeps for his work on the UnrealIRCd project over the past 10 years
* All people who reported bugs and contributed by supplying patches
* Everyone who has helped with testing the 3.2.8-RC's

Thanks also to our users (3.2.7 had a new download record of over 200,000), for keeping UnrealIRCd the #1!

Syzop / The UnrealIRCd Team.

[1] http://forums.unrealircd.com/viewtopic.php?t=5701 {Stskeeps says goodbye}

- --
Bram Matthys
Software developer/IT consultant sy...@vu...
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFJqvLX46ioc5305a8RArurAJ9MX840hCFBMjImxEeTN/X5xZDscACfZE6s
0N2zIGD4oYzg6oUHtZpPhyk=
=67Rx
-----END PGP SIGNATURE----- |
From: Carsten M. <cvm...@da...> - 2007-07-14 11:51:40
|
[ Strategy change ] - This is important, please read.

Unreal3.2.7 will be released on 14th July 2007 - marking 8 years since the first UnrealIRCd release. With this, we've decided to do a rather big change in strategy.

Fact is, the Unreal3 code base has gone stale and is not suitable to service your IRC networks for 8 more years. We've been working to improve this code base but run into serious issues constantly due to old code laying about and design decisions in the past by previous coders that has locked us into an IRCd that can hardly evolve.

In light of this, and through that people have worked on an IRCd from scratch, in C++ - InspIRCd. InspIRCd was made by people who initially used Unreal, but foresaw that something radical was needed to fix the IRCd code base so many IRCds share.

InspIRCd was partly inspired by Unreal and this means that it will be easier for us to move on to the logical step - we're forking InspIRCd (through a tight cooperation with them), to give you Unreal4.0.

For more information on the new core, see http://www.inspircd.org - any documents dealing with module coding, server protocol, etc, works for Unreal4 too - as we will be the project that extends from bare (InspIRCd) to colourful and featureful (UnrealIRCd) and the goal is to be able to move modules from Unreal to InspIRCd without problems.

The target is for both development teams to work what's their speciality - we're dedicated to give our users service, implement features and maintain stability and innovate, where InspIRCd also has some of these qualities, but focuses more on a base IRCd that can be extended with new features through modularity and maintaining a stable core that just works and performs well.
The fork will not be a hostile one - the idea is to have a shared core (InspIRCd) and we work together on inventing and implementing new ideas that can be added through the module system, and we will work alone on features that InspIRCd coders may not want to touch and reverse.

We hope to shape InspIRCd in our image and provide an Unreal4 that feels like an Unreal3 - same configuration format, same quality documentation, support, etc, and in the progress give you users the ability to have a "modern" IRCd that can handle loads and loads of users, and still give you the choice to choose what features your network wants to use.

The Unreal3.2 branch will continue mostly as bug fixes - and adding ability to link to Unreal4, so we're not giving up on you people who want to keep on running Unreal3, but when this link is stable (in 3.2.8 - based off 3.3), and Unreal4 is as feature complete with Unreal3, we stop supporting Unreal3.

So, how will this affect you? We could need a hand. Enter the development wiki on http://dev.unrealircd.com/unreal4_development - aid out and find out what we're missing in Unreal4 to make it an IRCd you'd switch to. Test the SVN, find bugs we introduce, and we hope this cooperation between InspIRCd and UnrealIRCd will lead to a new age in IRCd development and for IRC networks in general - since we have many new ideas we can try out together.

Hang out in #unreal-devel on irc.unrealircd.com - we're interested in having you along. Making modules should be slightly easier from now on as well.

[ New Website ]

Our webmaster, nate, has redesigned UnrealIRCd.com for us - if you have comments on the design or any aspect of the new website, please comment in the IRC channel or in the comments on this new item.

[ Unreal3.2.7 ]

As a minor sidenote, we've also released Unreal3.2.7, with some minor changes yet important - elaborated in Changes.
The IRCd can be downloaded through http://www.unrealircd.com

- Updated c-ares to 1.4.0, TRE to 0.7.5
- chmode +L does no longer require chmode +l
- Oper blocks now can have CIDR, as in "userhost *@127.0.0.1/32";
- Services coders: SVSNOLAG/SVS2NOLAG (described in Changes) will allow a user to avoid fake lag (ie, flood as much as he/she wants).
- More intelligent accept() handling - that is, take in multiple times at a time instead of one per I/O loop
- A lot of bug fixes, basically.

[ Known issues found in testing ]

- CHROOTDIR does not work nicely together with the new patch where you can do hardcoded IRC_USER / IRC_GROUP (setuid / setgid with names), due to having to look up password files.
- Spamfilter warn does not work with /setname
- Documentation is not complete
- There is a problem with bans getting truncated we are still trying to investigate. Happens in 3.2.6 too.

/Stskeeps |
From: Bram M. (Syzop) <sy...@un...> - 2006-12-23 13:17:50
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As an (early) Christmas present we've released UnrealIRCd 3.2.6. This release comes with tons of bugfixes and is a recommended upgrade.

Our coders contest held after previous release has resulted in two new coders in our team. Welcome aquanight and Trocotronic!

I'd like to stress that contributors are still very much welcomed, especially C coders willing to spend time on making patches for bugs or features. As a contributor you can work on things anytime you please, without having to become an official coder with all its added responsibilities.

While we now have two new coders, and 2-3 contributors, it's still far from ideal and not entirely what we hoped for. To be able to have an Unreal 3.3 release in 12-18 months we would really need some extra help. See http://dev.unrealircd.com/wiki/how_to_help_out for more information. If you still have any questions or doubts on how to help out as a C coder or what procedures to follow, then don't hesitate to email me at sy...@un...

Release notes follow...

Unreal3.2.6 Release Notes
==========================

==[ GENERAL INFORMATION ]==
- If you are upgrading on *NIX, make sure you run 'make clean' and './Config' first before doing 'make'
- The official UnrealIRCd documentation is doc/unreal32docs.html
  online version at: http://www.vulnscan.org/UnrealIRCd/unreal32docs.html
  FAQ: http://www.vulnscan.org/UnrealIRCd/faq/
  Read them before asking for help.
- Report bugs at http://bugs.unrealircd.org/
- When upgrading a network, we assume you are upgrading from the previous version (3.2.5). Upgrading from 3.2.3 or 3.2.4 should be ok as well. However, if you have a network running with servers that are several versions behind (eg: 3.2.1) then you might experience small (desynch) problems.
  Please also minimize the time you have multiple versions running, a few days or one week is generally not a problem, but having mixed versions on a network for several weeks or months is not recommended.
- The purpose of the sections below (NEW, CHANGED, MINOR, etc) is to be a SUMMARY of the changes in this release. There have been 80+ changes, and trying to mention them all would be useless, see the CHANGELOG section for the full list of changes.

==[ NEW ]==
- None. Except some behavior changes, see next.

==[ CHANGED ]==
- SSL: The server certificate and keys can now be reloaded via '/REHASH -ssl', no restart needed anymore.
- IRCOps can now view the bans of a channel ("MODE #channel b") from the outside
- Moved failed /OPER attempt notices to snomask +o and made them sent to all servers. This means all failed oper attempts can now be seen globally. Plus, the UID is now always shown (like for incorrect host and maxlogin), unless trying an unknown oper acc.
- The annoying "please type /quote pong" message is now no longer shown on connect, unless explicitly enabled by setting set::pingpong-warning to 'yes'. (mainly Windows)
- /INVITE's from people on the silence list are now silently ignored
- SAPART now works for multiple channels (again)
- Non-SSL users are now kicked when netsynching and channel is +z (SSL only)
- No longer showing server numerics in /MAP to non-opers (too confusing anyway)
- Updated ukrainian-w1251, belarussian-w1251 and catalan character sets
- Spamfilter + IPv6: for target 'u' (nick!user@host:realname bans), the 'host' part is now in brackets if it's an IPv6 address (eg: blah!blah@[1:2:3:4:5:6:7:8]:hello)
- loadmodule errors are improved
- Snomask 'N' will no longer show nick changes of U-lined servers
- The set::dns block is now no longer mandatory, because it is actually not used (except for set::dns::bind-ip) and fetched from /etc/resolv.conf (*NIX) or the registry (Windows) instead.
  This has always been the case, but has never been documented.
- Various doc updates ('/HELPOP ?EXTBANS', and some unreal32docs improvements)

==[ MAJOR BUGS FIXED ]==
- Crash if link::options::quarantine was used
- Another crash which could happen in some rare cases
- Throttling was not always being applied correctly
- Windows 2003: Fixed crash on-boot if no nameserver was set
- Windows: Fixed /RESTART not always working properly (leaving the ircd dead)

==[ MINOR BUGS FIXED ]==
- Remote includes: should now work with latest curl again, due to c-ares upgrade
- a bunch of OperOverride bugs.. messages being sent when they shouldn't, some things not being logged or broadcasted, and more.
- Sometimes no message was shown when a link to an SSL server failed
- Desynch problem caused by +Q
- SAJOIN now properly deals with +z channels
- "MODE #channel" showing extended channel mode parameters if not in channel
- Channel Mode 'f' did not properly eat a parameter on unset (even though it would show like it did), this could have caused desynchs in some cases.
- Fixed handling of CNAME's once again (now showing original name instead of fwded name)
- The "looking up your hostname" message was always sent, regardless of show-connect-info
- deny link { } blocks were being ignored by autoconnect
- Windows: SSL private key prompt caused a crash
- Windows: Unable to write to service.log caused a crash
- set::allowed-nickchars could cause a segfault for some unknown languages
- If class::connfreq was omitted and used for a server link, this would cause a huge connection flood when autoconnect was used.
- set::dns::bind-ip was seen as a duplicate when it actually wasn't
- And more... see Changelog

==[ KNOWN ISSUES ]==
- Regexes: Be careful with backreferences (\1, etc), certain regexes can slow the IRCd down considerably and even bring it to a near-halt. In the spamfilter user target it's usually safe though.
- Regexes: Possessive quantifiers such as, for example, "++" (not to be confused with "+") are not safe to use, they can easily freeze the IRCd.

==[ SERVICES / CODERS ]==
- Note: this is a new section, it describes changes specifically for services coders and unreal module coders. Note that other changes (such as new modes, etc) mentioned elsewhere in this document might affect you as well. For more info about a particular change mentioned below (such as a new hooktype), see the Changelog.
- New hooktype: HOOKTYPE_SILENCED (called when a message is not delivered due to silence)
- New hooktype: HOOKTYPE_POST_SERVER_CONNECT (called after users synched to remote server)
- Fixed CALLBACKTYPE_CLOAK_EX, wasn't working properly at all
- Fixed SVSNICK: cAsE cHaNgE no longer causes a collision, fixed QUIT not being sent
- SVSMODE/SVS2MODE: when doing -x on a user, the virthost is removed from memory. This means services can now properly "unvhost" a user and give them back their cloaked host by doing "SVSMODE User -x+x".
- Services timestamps for users are now properly treated as unsigned long, previously some trouble could arise when netsynching for values larger than 2147483647.
- 'SVSMOTD !' now removes the svsmotd from memory as well.
- Fixed SVSMODE -b User not always removing all bans for that user (specifically, bans on the cloaked host, when the user has a vhost).
- Fixed SVSO - not removing coadmin (+C)

==[ CHANGELOG ]==
Changes since 3.2.5:
- c-ares resolver: upgrade from 1.3.0 to 1.3.1. This mainly fixes compile problems, including one reported by frigola on an old Sun Cobalt RAQ3. It will probably also fix an issue with the just released curl 7.15.4, if compiling with remote includes.
  TODO: Update win32 (not urgent)
- Added HOOKTYPE_SILENCED: this is called whenever a message did not get delivered to a user because the user was on the silence list.
- Added OpenBSD 3.9 to the supported OS list.
- Made it so undefining SHOW_SECRET (not the default) properly hides +s channels from ircops (except netadmins), as it should. Reported and patch supplied by Jason (#0002965).
- Fixed tld::options:: not working properly, reported by DelGurth (#0003003).
- Fixed problem with oper as chanadmin kicking himself causing an operoverride notice, reported by Bock (as part of #2889).
- Fixed desynch problem with +Q, reported by tabrisnet (#0002992).
- Updated doc/coding-guidelines
- Added bugs.* url to /info, was still showing some email address.
- Fixed forgotten operoverride logmessage (kick if chan +Q), reported in #2889.
- Fixed operoverride message if oper is +h and -h's himself, reported by Bock (#2889).
- Fixed SVSMODE -b [user] not always removing all bans (specifically, bans on the cloaked host when you have a vhost), a code cleanup was also done. Based on patch from tabrisnet. Reported by Rob (#0002981).
- MARK: 3.3* was forked off from here
- Removed server numeric output from /MAP for normal users (still visible to ircops).
- Renamed unreal32docs.tk.html to unreal32docs.tr.html
- Module coders: Added HOOKTYPE_POST_SERVER_CONNECT (1 param: cptr) which is called when a server connects, just like HOOKTYPE_SERVER_CONNECT but this is actually called *after* all clients and channels are synched. Obviously needed for some modules which must synch data that refers to clients/channels that would otherwise not exist yet on the other side.
- The server SSL certificate and private key can now be reloaded without requiring a server restart, simply use: /REHASH -ssl
- Small compile fix for above
- Fixed /SAJOIN able to join insecure users to +z channels, reported by phedny (#0002601).
- Fixed SSL crash problem due to previous SSL change.
- Fixed some bugs in webtv code that could have caused trouble in the future (off by one), reported by Ilja van Sprundel.
- Module coders: Fixed CALLBACKTYPE_CLOAK_EX, it was not working properly at all.
- Fixed bug in MODE #channel showing extended channel mode parameters when not in #channel.
- Made 'MODE #channel b' and friends show bans to ircops even when not in channel.
- Fix for channel mode +f: It incorrectly didn't eat a parameter on unset (ouch!), even though it always acted like it did in the MODE line sent to the channel. This bug caused desynchs in some cases. Bug reported by Korfio (#0003048).
- Fixes to SVSNICK: case-change no longer causes a collision, don't return the value from exit_client (which would be FLUSH_BUFFER), fix QUIT not being sent back on collision.
- Fix for above so it doesn't -r the client.
- Fixed small memory leak in resolver (~40 bytes when connecting to a server)
- Made Unreal use the original name in case of a CNAME, instead of the forwarded name, reported by jerrcsnet (#0003054).
- The "looking up your hostname" message was always sent, regardless of show-connect-info.
- Kick non-SSL users when the channel turns out to be +z during netmerge, reported by Ron2K (#0002942).
- Windows 2003: Fixed UnrealIRCd unable to boot if no DNS server is configured, we now fallback to set::dns::nameserver in such a case. Thanks to Romeo (reporter, #0002802) and Bock for tracing this down.
- Fixed cloak cutoff problem with long hosts.
- Added doc/help.tr.conf (Turkish), translated by Diablo.
- Added doc/example.tr.conf (Turkish), translated by ironic.
- Fixed zlib version check: 1.x is compatible with all 1.*, etc. (#0002966).
- Fixed a couple of add_Command/del_Command lines in m_chgname and m_helpop trying to add the same token twice. Didn't cause any trouble, normally, though...
- Updated ukrainian-w1251 and belarussian-w1251 charsets: some characters were previously included that shouldn't. Reported by avb (#0003102), patch supplied by Bock.
- Made it so that when 'java' is enabled for a listen block, then the 2nd parameter to NICK is not seen as a password on this port. Patch from afolentes (#0003097).
- Fixed some uninitialized pointer things for win32 w/ssl on keyprompt, no idea if it helps, though. Would appreciate it if another code looks into this. -- Syzop
- Fixed SVSO - not removing coadmin (+C). Reported by Muisje (#0003077).
- Fixed deny link {} blocks being ignored by autoconnect. Reported by a couple people, also see #0003084.
- Fixed m_names.so not being built (a problem for people not using commands.so), reported by aegis (#0003085).
- Using SVSMODE (or SVS2MODE) to set -x will now actually remove the vhost from memory, instead of letting it magically reappear whenever +x is set. This means services can now properly "unvhost" a user by sending a "SVSMODE User -x+x" (then any existing vhost will be removed and user will have a cloaked host). Reported by avenger and others (#0002933).
- [internal] Made a spamfilter_build_user_string function that will build the spamfilter user target string (nick!user@host:info), instead of doing it at like 5 places.
- Spamfilter target 'u' (user): the host field (nick!user@HOST:realname) is now escaped with brackets if it's an IPv6 address, eg: blah!blah@[1:2:3:4:5:6:7:8]:hello, reported by aquanight and others (#0003010).
- Win32: SSL private key prompt should now no longer crash. Patch provided by Alexey Markevich (#0002866).
- Win32: we now no longer crash if no access to write to service.log, suggested and patch by Xuefer (#0002886).
- Services timestamps are now always treated as an unsigned long (0..2^32-1), instead of accidentally as signed long during netsynchs. This bug caused issues with values larger than 2147483647. Reported by avenger (#0002980).
- If the 'crypt' algorithm is used, then passwords were/are truncated to 8 characters. We now print a warning when this happens (both on the IRC command and command-line). Suggested by JasonTik (#0002953).
- Win32: Fixed a few compiler warnings, suggested by Zell (#0002890).
- Moved a couple isatty() calls to DEBUGMODE (#0002945).
- Made win32 compile again, reported by Bock (#0003106).
- Moved failed oper snotices to snomask +o, and are sent out to all servers. Also now shows the uid attempted (like [FAILEDAUTH] does) for incorrect host or maxlogin.
- Fixed set::allowed-nickchars causing a segfault for some unknown charsets, reported by avb (#0003069).
- Cutoff webtv whois at MAXTARGETS (#0003004).
- loadmodule now reports proper errors when the actual file can't be found, instead of blaming it on the temp file, reported in #3015.
- Fixed 'SVSMOTD !' not deleting the services motd in memory, reported by avb (#0003110).
- Snomask N: Don't show nickchanges for U-lines, reported by seneces (#0002636).
- Fixed set::dns::bind-ip directive seen as duplicate, reported by aegis (#0003074).
- set::dns::* block is now no longer mandatory. All info has always been read from /etc/resolv.conf (*NIX) or the registry (Win32), and the set::dns block is ignored (except for set::dns::bind-ip, but that's a special case). Suggested by many including djGrrr to make things slightly more logical (#0003019).
- As a consequence of the above, set::dns blocks were removed from doc/example*conf.
- Added two more characters to Catalan charset, reported by rmh (#0002995).
- Added set::pingpong-warning [yes|no] which decides whether to send the "** If you are having problems connecting due to ping timeouts, please type /quote pong .." message to each client when NOSPOOF is enabled (usually on Win32). The default is NO.
  Previously this message was always sent if NOSPOOF was on, which often caused confusion among users. The message was intended for non-confirming clients, but these should be fixed by now, and those that were not fixed (self-made bots/etc) did often not understand the message anyway. Anyway, you can still turn it on ;). (#2680).
- /INVITE's from people on the silence list are now (silently) ignored, suggested by White_Magic (#0002478).
- Fixed a couple of typos and other one-line-text fixes at various places: reported by aegis (#3081), DanPMK (#2818), tabrisnet (#2974, #2970, #2467), penna (#2721), Brad (#2488), vonitsanet (#2467).
- Made OpenSSL version dynamic, reported by buildsmart (#0002975).
- Rejecting fake +z modes in conf, reported by rve (#0002532).
- Changed some minor Makefile stuff
- Fixed belarussian-w1251 charset.. accidentally copied a "'" which caused an internal error, reported by Bock (#0003114).
- Added information about extbans to help.conf (/HELPOP ?EXTBANS). Patch from Bock (#0003113).
- Made SAPART work for multiple channels, just like SAJOIN. Reported by Snake and SeigHart, patch provided by Bock (#0003064). This also fixes SAPART now being announced to all opers globally, just like SAJOIN.
- Finally fixed /RESTART issue on windows for good, should now always restart correctly. Patch provided by BuHHunyx and Bock (#0002734).
- Fixed charsys config error message sometimes saying stuff about set::accept-language, which should be set::allowed-nickchars (the former does not exist). Reported and patch provided by avb (#0003122).
- Fixed compile bug on Solaris due to missing INADDR_NONE, fix provided by Schak (#0003125).
- Fixed bug where omitting class::connfreq would result in a huge connection attempt flood when autoconnect was enabled. We now set class::connfreq to 60 if it's not specified. Reported by Milliways (#0003018).
- Improved description of link::hub/leaf/leafdepth in unreal32docs.html reported by Bugz (#2623), also fixed typo (leafdepth, not leaf-depth), reported by monas (#3083).
- c-ares resolver: upgrade to 1.3.2.
- upgraded windows c-ares (areslib.lib) as well.
- fix for above
- Added release notes for 3.2.6
- Fixed help.conf typo
** 3.2.6-rc1 release **
- Get rid of some old stuff in release notes
- Added donators since 3.2.5
- Setting set::pingpong-warning didn't work, reported by vonitsanet, patch supplied by avb (#0003131).
- Don't show silence list to others
- Improved detection of bad set::modes-on-oper and oper::modes, now rejecting things like 'o', 'z', and more.
- Fix from above fixes an /OPER announce problem reported by Bock (#0003135).
- Fixed SSL bug where an outgoing connect (either autoconnect, or /connect), would not show any error message when it failed. Error information has also been slightly improved. Reported by vonitsanet (#0003138).
- Updated SVSNLINE syntax in help.conf (the remove-syntax).
- Post-3.2.5 CVS-only bug: Fixed spamfilter on user target not working properly when changing nicks (was still trying to match on the old nick), reported by vonitsanet (#0003143).
** 3.2.6-rc2 release **
- Fixed possible crash with using quarantine, reported by Sephiroth (#0003151).
- Showing even more SSL server errors now, hopefully all of them, also changed the error notice a bit so it's much more like non-SSL server link errors. Reported by vonitsanet (#0003150).
** 3.2.6-rc3 release **
- Updated release notes, mass-change of version number, no code changes.
** 3.2.6 release **

As usual, you can get it from http://www.unrealircd.com/

All our releases are PGP signed (well, with GPG) with our releases key: rel...@un... [0x1C8A554E] which you can grab from http://www.unrealircd.com/pgp/release_key.asc
This is the same release key that was used for signing 3.2.3 and up.

By popular request, here are the checksums again...

MD5 checksums:
611ad9a3c524204b0d382409a09abf6c Unreal3.2.6.tar.gz
4c3186ee7dc3398bddf40f0a7fe234be Unreal3.2.6.exe
2e17b8744977929b8e5c61d95700c667 Unreal3.2.6-SSL.exe

SHA1 checksums:
60481664d448030e5369d20885d5807323e29e81 Unreal3.2.6.tar.gz
463a4f349c6e2eb924464d61a658d0c3d4278e35 Unreal3.2.6.exe
cd71812cc020619f6f9392e408d43b565ec44993 Unreal3.2.6-SSL.exe

Thanks to everyone who contributed to this release: bug reporters, coders, contributors, translators and testers.
Thanks also to YOU for using UnrealIRCd, keeping it the most popular IRCd out there (55,225 downloads of Unreal3.2.5)! Merry Christmas and a happy new year to everyone! The UnrealIRCd Team. - -- Bram Matthys Software developer/IT consultant sy...@vu... PGP key: www.vulnscan.org/pubkey.asc PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFFjSx04cPWX+btKqIRAnDmAKDMvKwsxJETO0KanVcmv2wzpUk0RACfRIGz cUCtiTh9XLidOmTDDGJRv2Q= =DoCd -----END PGP SIGNATURE----- |
From: Bram M. (Syzop) <sy...@un...> - 2006-09-29 20:18:43
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NOTE: This security advisory is only relevant to people who have SSL support enabled in their IRCd. If unsure, just read on.

SUMMARY
========
Yesterday, OpenSSL released a security advisory[1], stating that multiple security bugs have been fixed. Most of these are DoS (Denial of Service) issues. In this case it means an attacker could make the IRCd eat up huge amounts of CPU and/or memory, effectively freezing the IRCd.

This is a bug in the OpenSSL library we use, not in the IRCd. But, the UnrealIRCd team is:
A) Releasing a new Win32-SSL version to fix this issue (shipping with updated OpenSSL DLL's)
..and at the same time..
B) Warning the public that this bug impacts UnrealIRCd servers (just like it impacts apache-ssl, and any other programs relying on OpenSSL)

HOW TO CHECK IF YOU ARE VULNERABLE
===================================
All IRC commands below should be executed as an IRCOp.

STEP ONE
*********
To check if you have any open SSL ports you do '/STATS P' (upcase 'P', so *NOT* '/STATS p'). This will show something like:
*** Listener on ....:...., clients ... is PERM SSL
(multiple lines might be outputted)

If any of these lines have the word 'SSL' in it, then you have SSL enabled. Go to STEP TWO.

If all lines are without 'SSL' (eg: only '.. is PERM') then you are generally not at risk. If you're extremely paranoid then you can still upgrade, of course. There's a small risk if you are using SSL for outgoing server connections (link blocks). Personally I wouldn't bother doing an IRCd restart for that, but that's up to each admin to decide.

If it didn't show any lines with 'Listener on' in it, then you did something wrong.

NOTE: If ANY listener is 'SSL' then you could be vulnerable (go to next step). It doesn't matter whether the port is 'serversonly' or not. The bug can be triggered before being registered.

STEP TWO
*********
To check out which OpenSSL version UnrealIRCd is using, you do '/VERSION' on IRC as an IRCOp.
You will then get a notice like:
- -server.somenet.net- OpenSSL 0.9.7e 25 Oct 2004

OpenSSL has two series, 0.9.7* and 0.9.8*. The particular bugs we are talking about have been fixed in both series in:
* OpenSSL 0.9.7l (and later)
* OpenSSL 0.9.8d (and later)

Windows users: if it shows anything other than these versions, then you are vulnerable, continue to HOW TO FIX.

Unix users: if it shows any of the versions of above, then you are safe. If it shows an older version, then you could be vulnerable. The problem with checking version numbers is that many *NIX distributors are backporting fixes (which is generally a good idea btw), the consequence of this is that bugs are fixed but the version number is not updated. See HOW TO FIX.

HOW TO FIX
===========
Windows users: Go to http://www.unrealircd.com/?page=downloads and (re)download the Unreal3.2 (Win32-SSL) version. When running the installer, the first screen will show 'Unreal3.2.5 (w/openssl0.9.8d)' so you can easily see it's the updated version. To verify for sure, see VERIFYING THE FIX.

*NIX users: Check out your distributor to see if a fixed package is available, and how to verify it is installed.

After the fix is installed, you will have to restart your IRC server.

VERIFYING THE FIX
==================
To verify that the fix is installed, you can check out '/VERSION' as an IRCOp on IRC again. For windows users it should show '0.9.8d'. For *NIX users, it might not show that even if the fix is installed, as mentioned earlier, use other means to verify the fix is installed (again, consult the security advisory of your distributor).

REFERENCES
===========
[1] OpenSSL security advisory: http://www.openssl.org/news/secadv_20060928.txt
[2] This security advisory: http://www.unrealird.com/txt/unreal325sslfix.txt

- --
Bram Matthys
Software developer/IT consultant sy...@vu...
PGP key: www.vulnscan.org/pubkey.asc PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) iD8DBQFFHX+h4cPWX+btKqIRAro3AJ9qP4ul16aw5KOZxOstk81CRq9b6QCeMwFV UyyqjoyPc+2wzfvKUGtPwdE= =Jut0 -----END PGP SIGNATURE----- |
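
The two-step check from the advisory above (an SSL listener in '/STATS P', then the OpenSSL version from '/VERSION'), written as an added example that is not part of the original mail or of UnrealIRCd. The function names, the result labels and the sample '/STATS P' lines are assumptions; the advisory elides the listener fields, so only 'Listener on' and the trailing flags are taken from it.

```python
import re

# Fixed releases per series as stated in the advisory: 0.9.7l and 0.9.8d (and later).
FIXED_LETTER = {(0, 9, 7): "l", (0, 9, 8): "d"}
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample of '/STATS P' output (address and client fields are assumed).
SAMPLE_STATS_P = [
    "*** Listener on 192.0.2.10:6667, clients 41 is PERM",
    "*** Listener on 192.0.2.10:6697, clients 12 is PERM SSL",
]
# The '/VERSION' notice quoted in the advisory.
SAMPLE_VERSION = "-server.somenet.net- OpenSSL 0.9.7e 25 Oct 2004"


def listener_status(stats_p_lines):
    """STEP ONE: classify '/STATS P' output as 'no-data', 'ssl' or 'no-ssl'."""
    listeners = [line for line in stats_p_lines if "Listener on" in line]
    if not listeners:
        # Advisory: no 'Listener on' lines at all means the command was run wrongly
        # (for example '/STATS p' instead of '/STATS P').
        return "no-data"
    for line in listeners:
        # The flags are the words after the last ' is ' (eg: 'PERM SSL').
        flags = line.rsplit(" is ", 1)[-1].split()
        if "SSL" in flags:
            return "ssl"
    return "no-ssl"


def version_status(version_notice, platform):
    """STEP TWO: compare the reported OpenSSL version with the fixed releases.

    platform is 'windows' or 'unix'. On *NIX an old version string is only
    'possibly-vulnerable', because distributors backport fixes without
    changing the version number.
    """
    m = VERSION_RE.search(version_notice)
    if not m:
        return "no-version"
    series = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    fixed = FIXED_LETTER.get(series)
    if fixed is None:
        return "series-not-covered"  # the advisory only names 0.9.7* and 0.9.8*
    # OpenSSL patch letters sort as plain strings: '' < 'a' < ... < 'z' < 'za'.
    if letter >= fixed:
        return "fixed"
    return "vulnerable" if platform == "windows" else "possibly-vulnerable"


def assess(stats_p_lines, version_notice, platform):
    """Combine both steps in the order the advisory gives them."""
    status = listener_status(stats_p_lines)
    if status == "no-data":
        return "recheck-stats-P"
    if status == "no-ssl":
        return "no-ssl-listener"
    return version_status(version_notice, platform)


if __name__ == "__main__":
    for platform in ("windows", "unix"):
        print(platform, assess(SAMPLE_STATS_P, SAMPLE_VERSION, platform))
```

A 'possibly-vulnerable' result on *NIX still has to be settled against the distributor's own advisory, as the mail says.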
From: Bram M. (Syzop) <sy...@un...> - 2006-06-17 20:53:32
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A new Unreal3.2* version is out: 3.2.5

This release comes with several new features such as CGI:IRC host spoofing and time synchronization support. It also fixes a couple of important bugs. This is a recommended release.

I would like to use this opportunity to do a call for help for UnrealIRCd, or more specifically: Unreal3.3*. A wiki for this has been created at http://dev.unrealircd.com/wiki/
Since we need fresh blood in the team, we are organizing a coders contest, for more info check out http://dev.unrealircd.com/wiki/Coders_Contest

Special thanks for helping with this 3.2.5 release go to our testers team (and everyone else who tested) which helped testing the 3.2.5 release candidates, and to Dukat for recoding the testers site when we badly needed it.

Release notes follow..

Unreal3.2.5 Release Notes
==========================

If you are upgrading, please take a minute to read these release notes.
*NIX Users: PREFIX_AQ is now enabled by default. See under 'CHANGED' below.

==[ GENERAL INFORMATION ]==
- If you are upgrading on *NIX, make sure you run 'make clean' and './Config' first before doing 'make'
- The official UnrealIRCd documentation is doc/unreal32docs.html
  online version at: http://www.vulnscan.org/UnrealIRCd/unreal32docs.html
  FAQ: http://www.vulnscan.org/UnrealIRCd/faq/
  Read them before asking for help.
- Report bugs at http://bugs.unrealircd.org/
- When upgrading a network, we assume you are upgrading from the previous version (3.2.4). Upgrading from 3.2.3 is ok as well. However, if you have a network running with servers that are several versions behind (eg: 3.2.1) then you might experience small (desynch) problems. Please also minimize the time you have multiple versions running, a few days or one week is generally not a problem, but having mixed versions on a network for several weeks or months is not recommended.

==[ NEW ]==
- CGI:IRC Host spoofing support.
  This means you can mark certain CGI:IRC gateways as trusted, and then the IRCd will show the real IP/host everywhere for those users, instead of the IP/host of the CGI:IRC gateway. See docs section 4.36.
- Time synchronization support. This is enabled by default and will synch the IRCd clock when Unreal is started. This should get rid of most time differences, though the clock can still be off 1-3 seconds. If for some reason no reply from the time servers is received within 3 seconds, then the IRCd will continue to boot as usual. Several set::timesynch::* settings have been added, including set::timesynch::enabled which you can set to 'no' to disable time synching (eg: because you already run ntpd).
- NAMESX support. This (mostly) fixes a long-standing IRC protocol bug. If, for example, a user was +vo and then deops (-o), other clients could not always know the user was then still +v, now they can. Supported by XChat and newest mIRC.
- Chained SSL certificates support
- Russian doc/example.ru.conf and Turkish doc/unreal32docs.tk.html

==[ CHANGED ]==
- PREFIX_AQ (the ~ and & symbols for +q and +a) are now ENABLED BY DEFAULT on *NIX. They have always been enabled on Windows, so it made sense to do the same for *NIX. Pretty much all major clients support it now (mIRC, xchat, irssi, epic, PJIRC, CGI:IRC, etc).
- If DNS info (*NIX: /etc/resolv.conf, Win: registry) is updated, a '/REHASH -dns' now rereads this info, no restart needed anymore.
- me::numeric can now be changed without a restart, if no servers are linked.
- Improved windows crash info: we now create minidumps, this should aid debugging.
- '/quote dns i' (as an oper) now shows nameserver info again
- Local oper may now use /TRACE
- If channel is +m but -t, you now need at least voice (+v) to change the topic.
- When checking if someone is banned, we now always verify bans against the cloaked host, even if the user has a vhost and the cloaked host is not visible / unused.
- Extra binary compatibility checks: (gcc) compiler version
- Allow /*LINE'ing of literalident@* (eg: gline clones@*). Things like *clones@* are still denied though, and this will not be changed. Use services AKILL instead.
- Command aliases: made empty parameters work if the alias allows it (eg, the alias uses .* as a regex and not .+)
- Moved another 2K lines from core to modules, this means 31K lines are now in modules and can be upgraded on the fly.
- Real Command Aliases: This makes it possible to, for example, alias '/GLINEBOT' to 'GLINE <param> 2d Bots are not permitted on this network, etcetc'. For more information, see the docs on the alias block and/or search for "glinebot" in doc/example.conf.
- /etc/hosts is no longer checked (it never did before 3.2.3 either)

==[ MAJOR BUGS FIXED ]==
- Spamfilter was not always working properly
- MS Visual studio 2005 (8.x) was unable to compile Unreal and/or caused crashes
- Certain IPv6 listen blocks could crash the ircd on-boot/on-rehash

==[ MINOR BUGS FIXED ]==
- "Looking up your hostname" message was missing if set::options::show-connect-notice was enabled (other messages, like "looking up ident" were shown, however)
- It was sometimes impossible to update a link { } block: all old settings would still be used, this happened if connfreq was low. This might also have caused crashes.
- Netsynch problem, which could cause the wrong modes to be applied to a channel in some rare cases.
- Setting set::maxdccallow to 0 (or lower) still allowed one entry to be added
- Spamfilter oversized-checking is no longer done when removing a spamfilter
- Operator count bug (there might still be others...)
- Some chinese-* charsets could not be selected individually
- No longer requiring a C++ compiler (was caused by resolver in 3.2.4)
- Added workaround for "make: Permission denied" bug in some FreeBSD's

==[ REMOVED ]==
- MS Visual Studio 6 support, but this did not work anymore anyway...

==[ KNOWN ISSUES ]==
- Windows 2003: Crashes directly on-boot have been reported, while other W2003 servers work perfectly fine (including the one we used for testing). No pattern in this has been found yet, but the bug is somewhere in the resolver (c-ares).
- Regexes: Be careful with backreferences (\1, etc), certain regexes can slow the IRCd down considerably and even bring it to a near-halt. In the spamfilter user target it's usually safe though.
- Regexes: Possessive quantifiers such as, for example, "++" (not to be confused with "+") are not safe to use, they can easily freeze the IRCd.
- Windows: The /RESTART command will work, but the second time you do a /RESTART the IRCd will "crash" with a dialogbox.

==[ CHANGELOG ]==
Changes since 3.2.4:
- Updated autoconf/configure.in to make newer autoconf's work (developers only), reported and patch provided by Xuefer (#0002798). Also rebuilt ./configure from configure.in with autoconf 2.59 from my own machine.
- Updated autoconf/configure.in again (does not produce different ./configure output)
- When set::options-show-connect-notice was enabled the "*** Looking up your hostname..." message was not being shown (all others were). Reported by fbi (#0002820).
- Updated win32 compiling instructions; mention the free MS stuff that can be used to compile UnrealIRCd (untested though).
- Added CGI:IRC host spoofing support. This means you can mark specific CGI:IRC gateways as "trusted" and the IRCd will show the users' _real_ host/ip everywhere on IRC, instead of the host/ip of the CGI:IRC-gateway. To do so you must set 'realhost_as_password' to 1 in your cgiirc.conf. And add the CGI:IRC gateway(s) you fully trust to set::cgiirc::hosts.
- Fixed win32 compile problem due to CGI:IRC support, reported by therock247uk (#0002821).
- Redid whole CGI:IRC support. Configuration is now moved to cgiirc { } blocks.
  We now support the webirc ('webirc_password' in CGI:IRC) method, which is kinda superior to the older method ('realhost_as_password'). See the Unreal documentation (section '4.36 - Cgiirc Block') for details on how to configure.
- Changed quoting color in unreal32docs.. looks better now IMO (only English docs updated).
- Fixed *BSD compile problem caused by changes of above, reported by 3rror (#0002823).
- Added error message if c-ares failed to initialize, might help in case something is buggy (either with Unreal or the OS/environment).
- Fixed (serious) bug in CGI:IRC code, IP's were often not right, reported by 3rror (#2824).
- Fixed bug in currently unused code, reported by DeadNotBuried (#0002835).
- Modulized NAMES command (can now be upgraded on the fly, if ever needed).
- Added NAMESX support, seeing both mIRC (6.17) and XChat support this. What this does is send all rights of all users on the channel in the NAMES reply (eg: @+Syzop if the user is +ov) instead of only the highest one (@Syzop in previous example). We only do so if the client explicitly requested this via a NAMESX in a PROTOCTL message (eg: 'PROTOCTL NAMESX').
  Note that there is a glitch: since most clients only send the PROTOCTL NAMESX after they see NAMESX listed in the 005 announce message this has the effect that if there are set::auto-join channels present (where users are automatically joined to by the server) the extended NAMES reply will not be sent for those channels, because from the IRC server's point of view the join happened before the PROTOCTL and hence it does not know the client wanted NAMESX at that point (the result is not catastrophic: the old-style NAMES is sent for those channels). Anyway, for all non-autojoin channels this works great. So still worth adding IMO. Originally suggested in #0000606.
  Side note: this does not mean we dropped the idea of (also) having a challenge-response system for good ;).
- Updated win32 makefile due to m_names modulization, reported by Trocotronic (#0002838).
- Actually committed src/modules/m_names.c... This tends to help with the compiling process.
- Fixed possible netsplit problem (#0002790).
- Partially redid m_message, moved some stuff to a subroutine, etc to avoid duplicate code
- Rephrased/edited part of example.conf and unreal32docs to make it a littttttle bit easier for beginners / try to mention the FAQ a bit more explicitly.
- CGI:IRC: gzlines, zlines, throttling, and unknown connect floods are now all checked for clients connecting through a CGI:IRC gateway that is in cgiirc { }. This might also fix a bug where (g)zlines were not applied to CGI:IRC clients, reported by devil (#0002850).
- Changed default PREFIX_AQ behavior to ON instead of OFF. Since basically all major IRC clients support it now (mIRC, xchat, epic, eggdrop, Klient, PJIRC, irssi, CGI:IRC, etc). It has always been weird that win32 had it ON by default and *NIX OFF, anyway. Naturally this change will be mentioned clearly in next release notes.
- Fixed (unimportant) DNS resolver problem if using some LAN domains with digits at end, reported by Bock (#0002843).
- Added minidump support for crashes to aid debugging a bit.
- Added chained SSL certificates support, patch provided by justdave (#0002848).
- Local opers may now use /TRACE (local only), suggested by GSF19 (#0002365).
- Removed some odd code causing a 'my port is' message to appear in (f.e.) syslog, reported by rsc (#0002853).
- Fixed CHROOTDIR compilation problem, reported by toshio (#0002854).
- Improved CHROOTDIR documentation in include/config.h
- Added error if CHROOTDIR is defined but IRC_UID isn't (in include/config.h).
- Hide stats request if requested by an U-lined client. Suggested by vonitsanet (#0002865).
- Made it so if the channel is +m but -t, you need at least voice (+v) to change the topic. Reported by aquanight (#0002233).
- Made the windows installer better compress things (SolidCompression=true), suggested by Trocotronic (#0002877).
- Added support for URL redirections in curl (if version >=7.15.1), suggested by Trocotronic (#0002879).
- Made doc/compiling_win32.txt a bit more ugly (mention that only vstudio 7.x actually works at this moment).
- c-ares (currently, a forked off version) enhancements:
  - '/quote dns i' now shows the nameserver settings (which is taken from /etc/resolv.conf on *NIX, and from the registry on Windows)
  - We no longer depend on a C++ compiler (was useless c-ares dependency caused by libtool)
  - '/REHASH -dns' now rereads the resolver data from resolv.conf/registry, no IRCd restart needed anymore. It's currently kinda experimental however, but I *think* it will work ok.
  Unfortunately the above features required some ugly hacks if curl was enabled, so if you use curl (Remote includes), feel free to test on your OS (Linux, but especially FreeBSD and the other *NIXes) to see if things still compile (make clean; ./Config && make).
- Made the IRCd calculate the cloaked host only once upon connect, and store (cache) it.
- When checking if a user is banned, we always check the cloakhost too. Previously we could not do this if the user had a /VHOST (=a minority of the cases, but still...). In short, this is some extra protection to combat ban evasion.
- Performance of is_banned() *slightly* improved (just 1-2 usec, but 7 usec if no bans).
- [Module coders] For extban routines, we now offer a routine extban_is_banned_helper(buf) which can be used instead of the ban_realhost/etc static chars stuff, see extban_modeq_is_banned for a (real-life) example of how this is used.
- [Services coders!] Added PROTOCTL CLK (requires NICKv2) which adds an extra field in the NICK command (when a user connects) right before the infofield (gecos). The added field contains the cloaked host, that is: the masked host if +x would have been set.
  This field is ALWAYS sent, regardless of whether the user is actually +x or not. Services can then store this field in memory, to know the host of the user if the user is set +x (+x-t). This is a (better) alternative to PROTOCTL VHP, with no race conditions, and avoids some other VHP problems. VHP will stay supported though... so it's not mandatory to switch over.
- Fixed set::maxdccallow setting to <=0 still allowing one entry to be set, reported by RSCruiser (#0002883).
- Fixed Microsoft Visual Studio 2005 (8.x) unable to compile, and, after fixing that, causing a lot of crashes. Both are now fixed. Reported by Zell, Yamake, and others (#2875, #2704). Fix provided by Xuefer. This also gets rid of some annoying and useless compile warnings as well. Also thanks to Zell for his help.
- Fixed null pointer config parser crash, reported by alkalinex (#0002894).
- Added compiler version checking to "module binary incompatibility"-check. This should fix some more odd problems from people (eg: people switching from GCC 3.x to 4.x and wondering why they are crashing or getting other errors).
- Module coders: For cloaking, added a new callback type CALLBACKTYPE_CLOAK_EX (which is an enhanced version of CALLBACKTYPE_CLOAK). This passes 'aClient *sptr, char *host' instead of only 'char *host' to the cloaking module, which can be useful if you need to cloak on something other than IP/host. Suggested by fez (#0002275).
  Module may still provide only CALLBACKTYPE_CLOAK though, in fact this is what the official cloaking module does. So no updating of cloaking modules needed. If you do write a module with the new *_EX callback, you only need the *_EX one and not the CALLBACKTYPE_CLOAK as well (though it's currently np if both are present).
  A side-effect of this "extra cloaking" callback is that we needed to change make_virthost() which now has an extra parameter in front, and another side-effect is that calling the CALLBACKTYPE_CLOAK may not work since only *_EX might be available.
  To my knowledge there are very few modules (only 1 I know) that will have a problem due to this, so sounds like an affordable tradeoff.
- Updated sendnotice() so it sends a proper notice if the user is in pre-connect stage.
- Fixed bug with chinese-* charsets not getting detected properly by config parser. Reported and patch provided by Xuefer (#0002891).
- Made it so me::numeric can be changed (when not linked to any servers) so no server restart is needed anymore (#0002896).
- set::ssl::egd does not require a parameter per-se (bug caused few days ago), reported by Trocotronic (#0002899).
- (multiple?) IPv6 listen blocks could cause a crash in config parser. Reported by Robby22 (#0002868).
- Added error checking to (main) setuid/setgid calls.
- Fixed implicit declaration compiler warning if compiling for ipv6.
- Fixed some small memory leak on rehash.
- Removed spamfilter-oversized-checking when trying to REMOVE one.. duh.. reported by satmd (#00029160).
- Allow *lining of literalident@* such as clones@* (but not *clones@*), this is also as far as we want to go with regards to relaxing "too broad" checking... Just continue to use services AKILL for (other) "too broad cases", as many people (correctly) do. Change suggested by salama (#0002911).
- Made empty command aliases work (no more "no text to send" error) if the alias finds it ok, which basically means if it allows .*. If you want to require a parameter, use .+ (or anything other in regex that requires at least one character). Suggested and patch provided by Nazzy (#0002722).
- Fixed oper count bug which happened on /mode, this was our fault (can't blame services in this case ;p). Reported by KnAseN and many others (#0002581). There might still be other operator count bugs, but these are triggered by a different bug and may or may not be caused by services.
- Added MINIMAL time synchronization support.
  This is enabled by default and will try to synchronize the IRCd clock (TSOffset) with a few good time servers. It currently only does this on-boot, but it will hopefully help a lot of people with most of their time differences. I still keep recommending anyone who can to run proper time-synchronization software such as ntpd/ntpdate on their servers.
  To disable time synchronization (eg: because you are already running ntp), you can simply set set::timesynch::enabled to no.
  The boot timeout for the timeserver response (=causes boot delay) can be configured via set::timesynch::timeout and is set to 3 seconds by default (range is 1s-5s), there should be no reason to change this.
  The time server can be configured by setting set::timesynch::server, the default is to use 3 time servers on 3 continents (US, EU, AU) which should be sufficient for anyone but if you got a good one near you you can use that one instead.
  The time protocol we use is (S)NTP v4.
- Fixed some compile warnings for Windows
- Updated windows compile instructions again.
- Updated release notes
- Added 'real' aliases, these are aliases that map to real commands, so you can for example map the command '/GLINEBOT <x>' to 'GLINE <x> 2d Bots are not allowed on this server, blabla'. See the documentation on the alias block for more information. doc/example.conf contains an example as well (search for "glinebot").
- Modulized: badwords system (src/badwords.c is now gone) and StripColors/StripControlCodes to m_message, multiple netsynch routines to m_server, send_list to m_list, a certain mode routine to m_svsmode, all /MSG IRC.. webtv stuff to src/modules/webtv.c which is compiled with m_message. This means another ~1500 lines of code are now in modules (and thus can be upgraded on the fly), which brings the total of modulized lines at 32K.
- Fixed compilation error on FreeBSD and others caused by timesynch, reported by tigra (#0002921).
- Fixed win32 compile problem caused by timesynch.
- Updated release notes: more modulization and real command alias support.
- Fixed crash in /STATS Z (possibly rare), reported by yasinbey (#0002929).
- Win32 makefile/installer updates for new curl/ssl
- Updated versions everywhere, bumped protocol to 2308
** 3.2.5-rc1 release **
- Added doc/example.ru.conf, translated by Bock.
- Deal with unsupported regexes added by remote servers (possible crash otherwise)
- Fixed crash problem on win32 if TKL times were <0. Obviously it's hard to protect from such invalid server traffic, but figured in this case it might be a good idea since *NIX does not crash.
- Made a note about possessive quantifiers, they are scary :P.
- Made the "voice needed when channel is +m but -t" actually work, reported by Trystan and Ron2K (#0002940).
- #undef STRIPBADWORDS did not work, reported by penna (#0002944).
- Made the resolver no longer check /etc/hosts, since that's how it used to be and should be. Saves some useless file reads.
- Fixed compile (well, configure) problem on FreeBSD if compiling with remote includes enabled. Reported by psadi (#0002941).
- Added translated Turkish docs (doc/unreal32docs.tk.html), translated by tt` and Timaeus.
- Fixed problem with IRCd using old link block settings if using a low connfreq, this made it for example near-impossible to remove autoconnect for such a server. Reported by mixx941 (#0002836).
- Fixed problem if c-ares library is already installed system-wide, reported by Trystan.
- Updated release notes a bit (will be updated more later): backrefs (\1) in regexes are kinda scary, or at least at the moment.
- Removed PATCH5 from module version incompatibility system, so it can be used if we ever need to update stuff and not enforce modules to recompile.. Might be useful one day ;p
- Updated list of donators
** 3.2.5-rc2 release **
- Updated release notes, bleh..
  I forgot :P
- Got rid of qline notice that could happen if using services holds (semi-race condition), reported and bugfix provided by tabrisnet (#0002950).
- Made opers with can_override able to change the topic again if not chanop and banned/+m-t, reported by vonitsanet (#0002952).
- Disable /RESTART if running chrooted since that won't work anyway, reported by kayelem (#0002956).
- On certain (newer?) FreeBSD's you get "make: Permission denied" after ./Config, but when you do 'cd ..' and then 'cd -' again, make works just fine. This is going to be the most stupid workaround in history... Reported by vonitsanet and others (#0002926).
** 3.2.5-rc3 release **
- Updated doc/technical/005.txt
- Mass version change (no code changes)
** 3.2.5 release **

As usual, you can get it from http://www.unrealircd.com/

All our releases are PGP signed (well, with GPG) with our releases key: rel...@un... [0x1C8A554E] which you can grab from http://www.unrealircd.com/pgp/release_key.asc
This is the same release key that was used for signing 3.2.3 and 3.2.4. More info about this is shown when downloading.
We no longer provide MD5/SHA1 checksums because we feel they are too insecure.

Thank you for using UnrealIRCd!

The UnrealIRCd Team.

- --
Bram Matthys
Software developer/IT consultant
sy...@vu...
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFElGvU4cPWX+btKqIRAmZ1AJ44Mp0/Mndp3639zDySnd8TPL7T9QCfQW8Q
qKImAnOUCdt5b21TM8eM/yk=
=O1P3
-----END PGP SIGNATURE-----
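
The KNOWN ISSUES section of the 3.2.5 release notes above warns that backreferences and possessive quantifiers in regexes can slow down or freeze the IRCd. A pre-check that flags both constructs in a spamfilter pattern before it is added, as an added example that is not UnrealIRCd code; the function name and the constructed sample patterns are assumptions (the `\$decode\(.*\)` pattern is the one quoted in the 3.2.4 release notes on this page).

```python
import re

# Constructed sample patterns, except the first, which is quoted on this page.
SAMPLE_PATTERNS = [
    r"\$decode\(.*\)",   # from the 3.2.4 release notes: nothing to flag
    r"(.)\1{5,}",        # constructed: backreference
    r"\w++@spam",        # constructed: possessive quantifier
    r"[a-z++]+\\1",      # constructed: '+' in a class and an escaped backslash
]


def lint_spamfilter_regex(pattern):
    """Return a list of (offset, kind, text) for constructs the notes warn about.

    kind is 'backreference' (\\1 .. \\9) or 'possessive-quantifier'
    (a quantifier directly followed by '+', such as '++' or '{2,3}+').
    Escaped characters and character classes are skipped, so a literal
    '\\+\\+' or '[++]' is not reported.
    """
    findings = []
    i, n = 0, len(pattern)
    in_class = False      # inside [...]
    prev_quant = False    # previous token was a quantifier
    quant_start = 0       # offset where that quantifier began
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            # Escape sequence: a digit 1-9 outside a class is a backreference.
            if not in_class and pattern[i + 1] in "123456789":
                findings.append((i, "backreference", pattern[i:i + 2]))
            i += 2
            prev_quant = False
            continue
        if in_class:
            if c == "]":
                in_class = False
            i += 1
            prev_quant = False
            continue
        if c == "[":
            in_class = True
            i += 1
            # A ']' right after '[' or '[^' is a literal member of the class.
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":
                i += 1
            prev_quant = False
            continue
        if c in "*+?":
            if c == "+" and prev_quant:
                findings.append((quant_start, "possessive-quantifier",
                                 pattern[quant_start:i + 1]))
                prev_quant = False
            elif c == "?" and prev_quant:
                prev_quant = False  # lazy modifier such as '+?', not flagged
            else:
                prev_quant, quant_start = True, i
            i += 1
            continue
        if c == "{":
            j = pattern.find("}", i)
            if j != -1 and re.fullmatch(r"\d+(,\d*)?", pattern[i + 1:j]):
                prev_quant, quant_start = True, i
                i = j + 1
                continue
        prev_quant = False
        i += 1
    return findings


if __name__ == "__main__":
    for p in SAMPLE_PATTERNS:
        print(p, "->", lint_spamfilter_regex(p) or "ok")
```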
From: Bram M. <sy...@un...> - 2006-02-05 19:27:45
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I regret to inform you that we had to re-release 3.2.4 because the '?' wildcard was not working (in for example bans). Apparently despite numerous testing and hundreds of downloads of the last release candidate, this bug simply slipped through.

All files on unrealircd.com and its mirrors have been replaced with the fixed version. If you have downloaded 3.2.4 before Sunday February 5 18:00 GMT, then you probably have the broken version without the fix.

To check if you are using the old version, type '/quote INFO' on IRC and pay attention to the numbers in the ReleaseId line (=almost the last line):
1.1.1.1.2.21 = bad version (*NIX)
1.1.1.1.2.22 = fixed version (*NIX)
1.1.1.1.2.1.2.1.2.2234.2.449 = bad version (Windows or *NIX CVS)
1.1.1.1.2.1.2.1.2.2234.2.454 = fixed version (Windows or *NIX CVS)

*NIX people: warning regarding version numbers:
If someone applied the patch for *NIX (see below) the version number will not change. So basically if you have .22 you know you are ok, but if you get .21 then you are either not ok or the admin patched it already. In that case, you can try this to determine if you have the fix or not:
1. go to your Unreal3.2 directory
2. type: grep -F "(*m != '?')" src/match.c
3. if it returns 2 lines then you got the fix, if it returns 1 then not.

For everyone who already downloaded the old 3.2.4:
Windows: redownload from http://www.unrealircd.com/?page=downloads
*NIX: Either redownload it too, OR (much faster) do this:
1. go to your Unreal3.2 directory
2. download http://www.unrealircd.com/downloads/324.wildcard.patch
3. type: cat 324.wildcard.patch|patch -p0
4. type: make && make install
5. restart the ircd
Or, all in two lines (except the restart), from your Unreal3.2 directory:
  wget http://www.unrealircd.com/downloads/324.wildcard.patch
  (cat 324.wildcard.patch|patch -p0) && make && make install
This should only take a few seconds, but the main annoyance is that you will have to restart the ircd in order for the fix to take effect.

We did not change the version number, so people will not have to recompile their modules. I understand this has its own advantages/disadvantages.

We are really sorry for all the inconvenience.

The UnrealIRCd Team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)

iD8DBQFD5lGo4cPWX+btKqIRAi+wAJ99UycY9iTEBnq1UauOrwBVIBFQJwCeOFun
nOkWCEoaYlht36bsyBPkF2w=
=avn1
-----END PGP SIGNATURE-----
From: Bram M. <sy...@un...> - 2006-02-03 17:27:07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Finally, after 11 months, there's a new 3.2* stable release: 3.2.4

Our previous release, 3.2.3, was a successful one and has in fact been downloaded over 130.000 times. However, as usual, new bugs are discovered and other (older) issues needed to be corrected. This new release comes with tons of bugfixes (of which some major), and is a RECOMMENDED upgrade. Besides all the bugfixes, there are also a few new features.

We've been experimenting with public Release Candidates (RC's); there have been 3 rc's before this 3.2.4 release, and the rc's have been downloaded ~1700 times total. We would like to thank both our Unreal Testers Team and everyone of the public that tested the 3.2.4-rc's for helping us to make this a stable release.

If you wonder about future UnrealIRCd development (like Unreal3.3*): another mail will be sent out about that in a few weeks, presenting our future plans for UnrealIRCd, and how people (coders, doc writers, etc) can contribute. Unfortunately we've simply been too busy with the current release to finish off our (revised) development plan at the same time as this release. Anyway, more info on that soon.

For now, happy upgrading! ;)

Unreal3.2.4 Release Notes
==========================

==[ GENERAL INFORMATION ]==
- - If you are upgrading on *NIX, make sure you run 'make clean' and './Config' first before doing 'make'
- - The official UnrealIRCd documentation is doc/unreal32docs.html
  online version at: http://www.vulnscan.org/UnrealIrcd/unreal32docs.html
  FAQ: http://www.vulnscan.org/UnrealIrcd/faq/
  Read them before asking for help.
- - Report bugs at http://bugs.unrealircd.org/
- - When upgrading a network, we assume you are upgrading from the previous version (3.2.3). If you have a network running with servers that are several versions behind (eg: 3.2.1) then you might experience (desynch) problems.
  Please also minimize the time you have multiple versions running, several days is not a problem, but having mixed versions on a network for weeks or months is not recommended.

==[ NEW ]==
- - Spamfilter: Added 'warn' target which is basically the same as 'block' except it does not block ;). It simply sends a numeric to the user saying the command has been processed, but a copy has been sent to ircops (which receive a spamfilter notice).
  Example usage: /spamfilter add p warn - Testing_mirc_decode_filter \$decode\(.*\)
- - Spamfilter: an option to apply spamfilters to aliases as well. To do so, you have to put 'spamfilter yes;' in every alias block you want to get filtered. The /MS and /MEMOSERV aliases in aliases/*.conf have been updated to have spamfiltering enabled by default.
- - The "max bans per channel" setting can now be changed through the config file by setting set::maxbans. Note that you probably also want to enlarge set::maxbanlength then as well (see docs!) or else you will hit that limit first. Note that the max ban length setting has been slightly relaxed in 3.2.4, see the CHANGED section further down.
- - Nick Character System: new languages/character sets are added: 'danish', 'belarussian-w1251' and 'ukrainian-w1251'.
- - ExtBan ~c now accepts wildcards, such as: "+b ~c:#*xxx*" (don't forget the "#")
- - Banned users can no longer change the topic
- - Made it so you no longer can change your nick TO a banned one in a channel. This option can be turned off by setting set::check-target-nick-bans to "no".
- - Translations: Added a Bulgarian example.bg.conf, a Russian help.ru.conf, and a Dutch unreal32docs.nl.html
- - For services coders: Added doc/technical/serverprotocol.html

==[ CHANGED ]==
- - Changed the MAXBANLENGTH (now set::maxbanlength) from 1K to 2K. This means users can now set more bans and actually reach the 60 MAXBANS (now set::maxbans) limit in practice.
- - Added several indicators to the "detect binary incompatible modules"-system, such as a module compiled with ziplinks support on a non-ziplinks ircd (*NIX only), nospoof mismatches, etc. Hopefully this will help some people preventing odd crashes when they forgot to recompile everything.
- - More modulizing: another 200 lines of code / 20 functions have been moved to modules.
- - Multiple allow channel::channel items are now permitted again
- - Redid glob matching. Escaping is now ripped out for normal bans (as it should be), this means no longer weird issues with +b *\* etc not banning nicks with \ in it.
  ExtBan ~c/~r get special treatment and will use our match_esc [match with escaping] routine, you can escape via \, so \* will match * (an asterisk), \? will match a questionmark (?), and \\ will match a \ (backslash). This way you can ban channels such as "#f*ck" via "+b ~c:#f\*ck".
  So, take note, if you want to ban for example a channel with a backslash in it, such as "#bl\ah", then you do "+b ~c:#bl\\ah".
  Again, for any bans other than ~c/~r this does not apply.
- - Spamfilter: regexes and reasons are now more limited in size, this is to combat the "I set a spamfilter, but cannot remove it" problem. In practice this means - depending on the length of the spamfilter reason - that spamfilter will max ~300 characters. Note that spamfilters in the config file can still be larger (since they cannot be removed on the command line anyway, it doesn't matter that they are cut off on /stats F).
- - CMDLINE_CONFIG behavior change: specifying a config file on the command line is now permitted as long as the ircd isn't suid/sgid.
- - set::channel-command-prefix now defaults to ".`!" instead of "`"
- - When OPEROVERRIDE_VERIFY is enabled, we now allow opers to still join any channels listed in set::auto-join or set::oper-auto-join, even if they are +s/+p.
- - Made it so co-admins can /ADCHAT. They were already receiving them anyway...
- - ./Config: the script now actually stops upon the error, making it more clear what is wrong.
- - Global opers on quarantined servers will now be KILL'ed. So link::options::quarantine now actually does what it should, even if it's not in the most elegant way.
- - Empty (but existing) include files no longer cause an error.
- - We now properly error if someone tries to /(G)ZLINE *@hostmask (should be *@ipmask) or /(G)ZLINE usermask@something (should be *@something). Both forms are illegal because (G)ZLINES are processed before dns and ident lookups. If you require a ban on a hostmask or a usermask, simply use a KLINE or GLINE.
- - For users using remote includes w/ssl (https, ftps): the CA certificates are now stored in curl-ca-bundle.crt (shipped with Unreal) which contains most major CA's plus CACert.

==[ MAJOR BUGS FIXED ]==
- - Two issues with an incorrect badword { } block in the config file causing a crash.
- - Incorrect TKL/*LINE causing a crash
- - Complete resolver recode: now using c-ares + caching to fix some (rare?) crash bugs and to make our code much more cleaner.
- - Using GCC4 caused a crash on-link.
- - Crash when a class block was removed and had any other blocks referencing it.
- - OpenBSD crash on /REHASH.
- - Several AMD64 crash issues.
- - Sometimes a serious flood of notices was generated if link::options::nodnscache was used.
- - Spamfilter: action 'viruschan' combined with target 'user' caused crashes.
- - chinese-* nick characters support caused memory corruption.
- - Crash issue regarding SSL and junk snomask.

==[ MINOR BUGS FIXED ]==
- - Now properly resolves hostnames again that use CNAME delegation (got broken in 3.2.3).
- - Fedora Core w/IPv6 failed to compile.
- - A few read-after-free bugs that could have caused crashes.
- - ./Config was not loading the settings properly on Solaris 10
- - Crash if high ascii in set::network-name
- - Fixed advanced channel aliases not working properly
- - Fixed \* and \? escaping not always working properly (for example in ~r/~c bans).

==[ REMOVED ]==
- - Windows 9X/ME are no longer supported (it might work, but we won't support them).

==[ CHANGELOG ]==
Changelog since 3.2.3:
- - Fixed incorrect badword { } in conf causing a crash (should give an error).
- - spamfilter.conf Gaggle worm sigs were broken causing odd things to match, this is because \\ now needs to be escaped as \\\\ due to the 3.2.3 conf change... didn't think of updating sigs.
- - Clarified some nickchar stuff in the docs
- - Added 'danish' nickchars, supplied by klaus (#0002436).
- - Module coders: Added HOOKTYPE_LOCAL_SPAMFILTER: catches (local) spamfilter matches.
- - Fixed chanmode G showing up twice in 005, reported by Snake (#0002466).
- - Fixed a TKL crash on incorrect *line, reported by nanookles1234 (#0002524).
- - Redid include dependencies in Makefile, this makes things safer because on any .h change it would force a recompile of all files, but it could mean things will be a bit slower for us coders unless we tweak it later on.
- - Changed whois a bit to print less useless results.
- - Added several indicators to the "detect binary incompatible modules"-system such as detecting of a ziplinks module on non-ziplinks (on windows this is ok however), nospoof module on a server without nospoof server, etc. Hopefully this will help some people preventing odd crashes because they did not recompile or (re)install modules properly.
- - Added './unreal backtrace', so far this has only been tested on Linux and FreeBSD.
- - Fixed a bug making ./Config not load the previously stored settings on Solaris 10 and probably other Unixes, reported by lion-o (#0002474).
- - Cosmetic bug in set::modes-on-join: now rejecting +I in it. Reported by Ron2K (#0002508).
- - Moved all TKL code and register_user to modules (using efuncs), that means 20 functions and 2000 lines total that can be hotfixed if needed ;). The effort involved in moving all this sucks a lot though :/.
This might need some more testing to make sure it doesn't break anything. - - Updated support OS list in documentation. - - Fixed various major bugs due to TKL move from 13h ago. - - Fixed 2 problems caused by TKL move: 1 windows crash, 1 problem with loading m_*.so, reported by Trocotronic (#0002553, #0002554). - - Added some TSCTL logging (this reminds me we need to add new log levels for 3.3 ;p). - - Attempt to fix bug #2431: 3.2.3 broke CNAME delegation for reverse dns. I'm sorry it took so long, but this stuff just plain sucks... - - Made '?*' work correctly in wildcard matches ('1 or more characters'), reported by Bugz (#2585). - - Added -fno-strict-aliasing.. this might well be temporary, but we get tons of strict- aliasing warnings, so it sounds good to disable this type of optimization for now. - - Fixed problem with crash-on-link if compiled with GCC 4, reported by jonneyboy (#2573) and PHANTOm (#2590). - - IPv6: Added configure check for in6addr_any to fix Fedora Core 4 compile problem, reported by wheatie80 (#2594). - - Added -Wno-pointer-sign (if available) to get rid of those stupid warnings that are enabled by default even without -Wall (!?) on GCC4. - - Fixed a bug where allow channel::channel generated a warning when specified multiple times (#0002427) reported by matridom. - - Fixed ~c not working properly with * and ?'s in channel names.. Now you just need to escape them like in all bans (eg: to ban #* you need to +b ~c:#\*). As an additional bonus, real wildcards are now accepted and processed (eg: +b ~c:#*sex*, just don't forget to specify the #). Reported by PhantasyX (#2605). - - Sidenote on above: ~c:*chan* is not supported (use ~c:#*chan* instead) because it would cause "hidden bans", therefore it now prints a message (which is useful anyway), but does accept such remote bans. In 3.2.5 or so we could enable support for it, it's not that important though... 
;) - - Added ifdefs for mass closing of file descriptors on start, can now be disabled by adding -DNOCLOSEFD as a compile option. Useful for valgrind w/--db-attach=yes, mpatrol, and some other debugging tools (not useful for anyone normally running a server). - - Fixed a read-after-free: sptr->serv->aconf was freed but not NULL'ed in exit_client, causing close_connection to read from it (when deciding on doing a quick reconnect). Could have caused a crash, although nobody ever reported one... - - Removed useless strncpyzt with dest==src. - - Temporary workaround for spamfilter bug: action 'viruschan' in combination with the 'u' (user) target can cause severe problems (crashes, etc). For now, we have disabled 'viruschan' in combination with 'u'. A real fix will require quite some work, sorry. - - Fixed crash with invalid set::network-name (eg: high ascii), reported by galahad (#0002584), now printing an error instead (the network name is limited by the 005 spec). - - Added Bulgarian example.bg.conf, translated by Peace. - - Spamfilter: regexes (and reasons) are now more limited in size, this is to combat "I set a spamfilter, but cannot remove it" problems. In practice this means - depending on the length of your spamfilter reason - regexes will be max ~300 characters. Spamfilters set in the .conf can be slightly longer (which still causes them to be truncated in '/stats f', but they don't have to be removed anyway so it's kinda acceptable if it's really needed). This should fix bug #2083, reported by White_Magic. - - Fixed a bug where an invalid /*line could cause a crash, reported by Gilou (#2629). - - (5 minutes later..) Small update for above, fix was incorrect for ipv6. - - CMDLINE_CONFIG behavior change: command line configuration is now still permitted if #undef'ed (which is the default) if uid==euid && gid==egid, since it doesn't make any sense to disable it then and is in fact just plain annoying. 
- - Added FAKELAG_CONFIGURABLE option in include/config.h, this enables an option called class::options::nofakelag, which disables "fake lag" for a certain class (that is: the artificial delay introduced by the ircd to prevent flooding is turned off, allowing the user to flood at full speed). ITS USE IS DISCOURAGED UNLESS YOU REALLY KNOW WHAT YOU ARE DOING. Sorry, option is not in ./Config -advanced since I don't get autoconf working, but it's such a scary option that this might as well be a good idea to keep in config.h anyway. This feature has been suggested for several years (and refused), but the final suggestion (with implementation specific hints) came from Gilou in bug #0002207.
- - Fixed win32 makefile, now compiles fine.
- - Fixed (important?) reference count bug regarding sptr->serv->conf. I don't know what effects this caused (memory corruption?), but it didn't look good ;).
- - Fixed an invalid badword block in the conf causing a crash, reported by Monk (#2639).
- - [Internal] Code cleanup for spamfilter target/bantype routines
- - Added 'warn' target which is basically the same as 'block' except it does not block ;). It also sends a numeric to the user saying the command has been processed, but a copy has been sent to ircops. I feel this is a good idea for privacy reasons (anti-spy), though I don't know how users will react to this. If you are using this on your network and get users bothering you about it (or before that ;p), it's probably a good idea to explain it somewhere on your site or FAQ :).
    Example usage: /spamfilter add p warn - Testing_mirc_decode_filter \$decode\(.*\)
    [WARNING] The numeric text is likely to change in the next few weeks (early-cvs-commit).
- - If a class block was removed and any other blocks would be referencing the class block (such as: allow::class, oper::class, link::class), then this would cause a crash. Reported by Mike_ (#0002646).
- - Changed the way we build most of the .so's: the .o files of individual modules that were generated (for linkage by commands.so), are now used to generate the .so files of the individual modules as well (eg: m_setname.o -link-> m_setname.so). This reduces compile time ('make') on my machine by 33%, so it's quite noticeable ;).
- - Added doc/technical/serverprotocol.html created by aquanight (updates will follow soon).
- - Documented set::channel-command-prefix a bit more, and also changed the default from "`" to "`!." which seems much more reasonable / widespread :).
- - Some m_restart cleanups, suggested by w00t (#2652).
- - Removed all old resolver code and switched over to c-ares (+our caching routines). This should get rid of some annoying untraceable (and usually rare) crashbugs in the old resolver. Besides that, it makes things look more clean and understandable. This should be the fix for the following bugids (all the same issue): #2499, #2551, #2558, #2559, #2603, #2642, #2502, #2501, #2618, #2616. Feedback and testing is very much welcomed (sy...@un...).
- - Fixed SSL + new resolver problem, would cause an "interesting flood" of messages / 100% CPU. Reported by Trocotronic (#0002659).
- - Fixed a problem with entries in the hosts file (such as, usually, localhost), this would cause an unresolved host and a 30s delay for the user, even though resolving succeeded.
- - When OPEROVERRIDE_VERIFY is enabled, we now allow opers to still join any channels listed in set::auto-join or set::oper-auto-join, even if they are +s/+p. Suggested by ultrotter (#0002644).
- - Added 4 UNREAL_VERSION_* macros that can be useful for 3rd party modules to find out the unreal version that the user is using. I presume this can be helpful (although nobody ever suggested it ;p). The macros (#define's) are:
    UNREAL_VERSION_GENERATION  The generation version number (eg: 3 for 3.2.4)
    UNREAL_VERSION_MAJOR       The major version number (eg: 2 for 3.2.4)
    UNREAL_VERSION_MINOR       The minor version number (eg: 4 for 3.2.4). This can be negative for unstable, alpha and beta versions.
    UNREAL_VERSION_TIME        Year + week of the day (starting on Monday), this is updated on the CVS server every week (eg: 200541)
  The first 3 are for nicely identifying the version, the 4th can be useful in case you want to support CVS and/or want some more control.
- - Fixed crash bug (due to new resolver) if not using 1 general *@* / *@* allow block, reported by Daniel.
- - Fixed issue that could cause an alias to be added that would override a command.
- - Fixed OpenBSD crash on /REHASH. Thanks to Peter Laur (OpenBSD.se) for providing us a shell account to trace this issue down.
- - Couple of source code cleanups (svsnick, a *line msg, kill, and some useless l_commands code), suggested by Nazzy and Requi3m.
- - Fixed extbans no longer working properly in CVS, fix provided by Nazzy (#0002681).
- - Made it so you no longer can change your nick to a banned one in a channel, suggested by vonitsanet (#0002388), partial patch provided by Nazzy. This option can be turned off by setting set::check-target-nick-bans to 'no'.
- - Removed useless (unused) WATCH code that was still present in the core.
- - Made it so coadmins can use /ADCHAT (makes sense, since they already *received* adchats). Reported by RandomNumber (#0002557).
- - Fixed serious flood of notices to opers if link::options::dnscache was present. Reported by firstof9.
- - Added proper "not enough parameters" message for /SETNAME and cleaned up some whitespace in the function, reported by Robby22 (#0002696).
- - Fixed set::static-part set to 'no' not working properly. Reported by Robby22 (#0002698).
- - Fixed crash in new resolver, reported by firstof9.
- - [CVS Only] Refixed name<->ip mapping check in new resolver, reported by Darko.
- - Reverting "Changed the way we build most of the .so's" feature, this caused m_*.so to be built incorrectly. So now back at normal compile speed :p.
- - Added option to apply spamfilters to aliases as well (such as /MS, etc). To do so, you have to put 'spamfilter yes;' in every alias block you want to get filtered. This is so you can have for example /MS filtered (due to heavy spam), while keeping /NS and /CS unfiltered. Reported by Homer (#0002496).
- - The memoserv aliases (/MS and /MEMOSERV) now have spamfiltering enabled by default.
- - Made the "strict aliasing"-warning-disabler use $CC instead of gcc.
- - Made ./Config better react to errors (no longer print a "everything is a big success" kind of message when in fact everything went wrong).
- - Made ./Config (configure) exit on openssl or zlib not found errors, instead of silently continuing and then causing trouble later on. Also now printing _a bit_ more helpful error message.
- - Made the link::options::quarantine actually do something... People that get global oper privileges on quarantined servers will be instantly killed. Bit ugly perhaps, but then it actually does what it should (prevent opers on quarantine from getting GLOBAL oper privileges). This "fixes" #2510, #2163 and #1968.
- - Fixes for an amd64 crash problem, reported by Peter Laur (OpenBSD.se).
- - Redid some net synching code to make it more efficient (#2716).
- - Fixed spamfilter crash problem: the action 'viruschan' is now no longer incompatible with target 'user'. Reported by Monk (#0002570).
- - Fixed invalid servername in quarantine kill, reported by pinstrate (#0002743).
- - Fixed bug in chinese-* charset implementation that would cause crashes, reported and patch supplied by Xuefer (#0002744).
- - Added new charsys languages: belarussian-w1251 and ukrainian-w1251. Patch provided by Bock (#0002724).
- - Fixed memory leak in new resolver.
- - Made the charsys mismatch during linking a warning instead of an error (temp. fix, until a good solution is implemented without false positives).
- - Crashbug fix for above
- - Fixed some more memleaks, thanks to valgrind.
- - Updated the list of donators.
- - Fixed (well, workaround) win32 /RESTART bug that caused it to popup a window instead of actually restarting the server properly (#0002734).
- - If you now use /(G)ZLINE usermask@something instead of /(G)ZLINE *@something you get an error, since specifying usermask should not be done and is useless, since a (G)ZLINE takes place BEFORE ident lookups.
- - Did the same for /(G)ZLINE *@hostmask (should be *@ipmask), this already was a warning in 3.2.3, and is an error now in 3.2.4.
- - Little /STATS v tweak: should display 'v' in output, not 'V'. Reported by Robby22 (#2700).
- - Fixed complex command aliases not working properly, patch from Nazzy (#2722).
- - Made it so banned users cannot change the topic, suggested by aquanight and Stealth (#2233).
- - Made the "max bans per channel" setting dynamic. This can be changed by setting set::maxbans in the configfile, note that you probably also want to enlarge set::maxbanlength as well (see docs) or else you will hit that limit first.
- - Changed the default maxbanlength from 1K to 2K, which means people can set more bans because in practice the 60 (maxbans) limit was never met because the maxbanlimit was set so low.
- - Empty (but existing) include files no longer cause an error. Reported by w00t (#0002460).
- - Nick Character System: Silently not advertising danish if using latin1, circumventing link problems if using latin1.
- - Removed small comment from docs, which no longer applies (sorry translators ;p).
- - Updated /CREDITS (forums/mainsite hosting and update of current active supporters).
- - Updated makefile.win32: apparently libcurl.dll is now libcurl_imp.dll (import library)
- - Updated unrealinst.iss: made it easier for me to have 2 curl versions, this is so we can ship the SSL version of unreal with a curl that supports SSL (https, etc).
- - Preparations for pre-1 (version change, etc)
- - Updated wircd.def (for developers).
- - Added doc/help.ru.conf, translated by Slyder.

** internal 3.2.4-pre1 release **
- - set::maxbans / set::maxbanlength were reported as duplicates when they were not, reported by Jason and trystanscott (#0002753).
- - Made it so bans on normal users will prevent them from speaking with +mu, reported by Nazzy.
- - Made set::maxbanlength also count the "to be set" ban in, otherwise you could exceed the limit by (max) NICKLEN+USERNAME+HOSTNAME+2, reported by Trocotronic (#0002762).
- - Switched over to an older match() routine based on hybrid, this one is a bit less optimized but is actually understandable and has less bugs. This fixes +b ~c:#c\*t not properly matching #c*t, reported by Jason (#0002752). Initial results look good, but this needs some good testing ;).
- - Removed some old config.h stuff + clarified some text, reported by Jason (#2765, #2766).

** internal 3.2.4-pre2 release **
- - Made it so a set::maxbanlength and/or set::maxbans of 0 denies all bans properly, and fixes the first-ban-can-be-as-long-as-you-want bug, both reported by Trocotronic (#2762).
- - Fixed SVS2SNO not always notifying the user of the snomask change, reported by decoder (#0002767).
- - Curl users using https/ftps/etc: UnrealIRCd now ships with a 'curl-ca-bundle.crt' which contains the (root) certificates of most major Certificate Authorities. It is basically the default curl ca-bundle.crt plus cacert's certificates. The 'curl-ca-bundle.crt' will be copied to the installation dir if needed. It will from now on be used by Unreal for all remote includes (curl) related certificates. If you want to use https but don't want to buy a certificate, we suggest you to apply for a free certificate at CACert (www.CACert.org). Or, alternatively, add your own certificate (PEM encoded) to curl-ca-bundle.crt, see 'SSLCERTS' in the curl package for more info.

** public 3.2.4-rc1 release **
- - Fixed(?) bug due to match() rewrite: we now use our old rules with escaping again, due to the switchover we were accidentally using different ones which caused funny kill messages like "You were killed by a.b.c (a!a.b.c (SOMENICK[N\A](?) <- d.e.f))." This also broke some bans in pre2/rc1. Bug reported by HERZ (#0002772).
- - Fixed localhost crash (if no dns record for 127.0.0.1), reported by Trocotronic (#2773).

** public 3.2.4-rc2 release **
- - Sometimes if an oper was connected through SSL and had the junk snomask (+s +j) set it would cause a crash. Reported by chasingsol (#0002777).
- - Updated help.ru.conf (corrections by CS-Help / Bock)
- - Updated example.bg.conf (by Peace)
- - Added Dutch unreal32docs.nl.html, translated/maintained by Mark.
- - Redid glob matching. Escaping is now ripped out for normal bans (as it should be), this means no longer weird issues with +b *\* etc not banning nicks with \ in it. ExtBan ~c/~r get special treatment and will use our match_esc [match with escaping] routine, that way you can ban channels such as "#f*ck" via "+b ~c:#f\*ck". Fix triggered by bugreport of vonitsanet (#0002782).

** public 3.2.4-rc3 release **
- - No changes (except version number)

** 3.2.4 release **

As usual, you can get it from http://www.unrealircd.com/

All our releases are PGP signed (well, with GPG) with our releases key: rel...@un... [0x1C8A554E] which you can grab from http://www.unrealircd.com/pgp/release_key.asc
This is the same release key that was used for signing 3.2.3. More info about this is shown when downloading. We no longer provide MD5/SHA1 checksums because we feel they are too insecure.

Thank you for using UnrealIRCd!

The UnrealIRCd Team.
|
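The two matching modes described in the 3.2.4 notes above (no escaping for normal bans; \*, \? and \\ as literals for ExtBan ~c/~r), as an added example that is not part of the original message and is not UnrealIRCd's match() or match_esc() code. The function name ban_glob_match, its use_escapes flag and the plain ASCII case folding are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Characters the release notes say can follow a backslash in ~c/~r masks. */
static int is_escapable(char c)
{
    return c == '*' || c == '?' || c == '\\';
}

/*
 * ban_glob_match (hypothetical helper): returns 1 if `name` matches `mask`.
 *   '*'  matches any run of characters (including none)
 *   '?'  matches exactly one character
 * With use_escapes != 0 (the ~c/~r case), "\*", "\?" and "\\" match a
 * literal '*', '?' and '\'. With use_escapes == 0 (normal bans) a backslash
 * is an ordinary character. Letters compare case-insensitively (ASCII only,
 * an assumption; IRC servers use their own case mapping).
 */
int ban_glob_match(const char *mask, const char *name, int use_escapes)
{
    const char *m = mask, *n = name;
    const char *retry_m = NULL; /* mask position right after the last '*' */
    const char *retry_n = NULL; /* name position where that '*' stopped   */

    for (;;) {
        const char *next_m = m;
        int ok = 0;

        if (*m == '*') {
            while (*m == '*')
                m++;
            if (*m == '\0')
                return 1;           /* trailing '*' swallows the rest */
            retry_m = m;
            retry_n = n;
            continue;
        }
        if (*n == '\0')
            return *m == '\0';      /* name used up: mask must be too */

        if (*m == '?') {
            ok = 1;
            next_m = m + 1;
        } else if (use_escapes && *m == '\\' && is_escapable(m[1])) {
            ok = (*n == m[1]);      /* escaped char must match literally */
            next_m = m + 2;
        } else if (*m != '\0') {
            ok = tolower((unsigned char)*m) == tolower((unsigned char)*n);
            next_m = m + 1;
        }

        if (ok) {
            m = next_m;
            n++;
            continue;
        }
        if (retry_m == NULL)
            return 0;               /* mismatch and no '*' to fall back on */
        m = retry_m;                /* let the last '*' absorb one more char */
        n = ++retry_n;
    }
}

int main(void)
{
    /* Constructed sample masks and names, taken from the cases in the notes. */
    printf("~c:#f\\*ck  vs #f*ck     -> %d\n", ban_glob_match("#f\\*ck", "#f*ck", 1));
    printf("~c:#f\\*ck  vs #fuck     -> %d\n", ban_glob_match("#f\\*ck", "#fuck", 1));
    printf("~c:#bl\\\\ah vs #bl\\ah    -> %d\n", ban_glob_match("#bl\\\\ah", "#bl\\ah", 1));
    printf("+b *\\*     vs nick\\name -> %d\n", ban_glob_match("*\\*", "nick\\name", 0));
    return 0;
}
```

The last call shows why escaping was removed for normal bans: with escapes enabled the same mask *\* would demand a literal asterisk and never match a nick containing a backslash.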
From: Bram M. <sy...@un...> - 2005-03-14 01:34:15
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

After almost 5 months of coding (not counting the hotfix) there's finally a new 3.2* stable release out: 3.2.3. As usual, this is a recommended upgrade.

Unreal3.2.3 Release Notes
==========================

==[ GENERAL INFORMATION ]==
- - If you are upgrading on *NIX, make sure you run 'make clean' and './Config' first before doing 'make'
- - The official UnrealIRCd documentation is doc/unreal32docs.html
    online version at: http://www.vulnscan.org/UnrealIrcd/unreal32docs.html
    FAQ: http://www.vulnscan.org/UnrealIrcd/faq/
    Read them before asking for help.
- - Report bugs at http://bugs.unrealircd.org/
- - When upgrading a network, we assume you are upgrading from the previous version (3.2.2). If you got a net running with servers that are several versions behind (eg: 3.2.1) then you might experience (desynch) problems. Also, if you try to use the new features, some might not work properly until all your servers are upgraded. It is therefore recommended to upgrade all servers in a 'short' time span (x day[s], not weeks).

==[ NEW ]==
- - Channel mode +I (invex, invite exceptions). Users on this list can join +i channels without needing an /invite.
- - Channel mode +j (jointhrottle). If you set +j X:Y you limit each user (individually) to X joins per Y seconds to the channel.
- - Nick Character System: this allows you to choose which additional characters to allow in nicknames by language (and codepage). Currently available are: catalan, dutch, french, german, swiss-german, icelandic, italian, spanish, swedish, hungarian, polish, romanian, slovak, czech, greek, turkish, russian, hebrew and chinese. There are also several 'groups' available, for more info see: http://www.vulnscan.org/UnrealIrcd/unreal32docs.html#feature_nickchars
- - *NIX: ./Config -advanced, allows you to choose more options
- - tld::botmotd and tld::opermotd
- - Using /INVITE with no parameters will show a list of channels you are invited to but have not yet joined.
- - set::gline-address, works just like set::kline-address but then for glines.
- - Added a basic regex tutorial in unreal32docs.html
- - /SAJOIN now supports multiple channels (and '0') again.
- - Spamfilter topic support ('t' in spamfilter, 'topic' in conf).
- - Added a feature to +b/+e ~c: ~c:[prefix]<#channel>. This can be used if you for example trust all ops of #leet: mode #x +e ~c:@#leet.
- - Various translated documents in doc/: unreal32docs.gr.html (Greek), help.fr.conf and example.fr.conf (French), help.de.conf & example.de.conf (German), and example.hu.conf (Hungarian).

==[ CHANGED ]==
- - Updated auspice.conf
- - The usual doc updates, help.conf, spamfilter.conf, dccallow.conf, etc.
- - The config parser got (mostly) recoded. This makes it rehash much faster, additionally "duplicate item" checking is now available.
- - Added a 'B' flag to /who output for bots. Also normal users can now /who +m B.
- - Support in configfiles for \\ (= a \)
- - set::dns::bind::ip, hardly useful for anyone
- - If a user is +b on a channel, and set::allow-userhost-change force-rejoin is in use, then a part/join is not sent in order to prevent flooding.
- - OperOverride INVITE notices are now sent out globally to all +s +e users.
- - User mode 'g' is now operonly, it hardly did anything for non-opers.
- - Made CIDR no longer accept bitmasks with less than 16bits for /*line commands.
- - Modulized a lot of commands (~5000 lines of code).
- - Made channel modes +c/+S deal with RGB color codes.
- - If no log { } block is present, then a warning will be printed and we will log by default to ircd.log (errors only).
- - If an invalid character is found in a nick then the whole nick is rejected now.
- - Changed numeric&text of 'is a Secure Connection' to 'is using a Secure Connection', client coders are encouraged to add support for this new numeric 671. Until then, in-window-/whois's will probably be broken.
- - A locops with can_override/can_gkline/can_gzline is now automatically converted to a globop, just like we do with can_globalroute/can_gkline. These privileges are GLOBAL and therefore are not meant to be granted to locops.
- - A warning is now sent to an oper if (s)he tries to use /(G)ZLINE on a host. (G)ZLINES should be placed on *@ipmasks because they are processed before any ident and host lookups.
- - Made (fast) badwords work better with word boundaries, in practice this means blocking of words with accents/umlauts/es-zett/etc now works properly.
- - Made it so halfops can now -h themselves and chanadmins can -a themselves.
- - Made spamfilter 'u' also check nickchanges.

==[ MAJOR BUGS FIXED ]==
- - Serious crashbug [this is the same fix that was fixed by the hotfix/3.2.2b]
- - TRE mem corruption- & crash-bugs (eg: in backreferences).

==[ MINOR BUGS FIXED ]==
- - Made kline/shun/zline/gzline without parameters report the correct stats(flag).
- - Made a few more errors send out to all opers, such as link::bind-ip problems.
- - A few missing operflags in /STATS O (and SVSO)
- - DCC Spamfilter was not always working correctly
- - OperOverriding to, for example, a +zi channel did not print the special join notice.
- - Servers behind ulines were not properly ulined, one effect that had was causing an odd view in /MAP if you had flat-map + hide ulines + a juped server in services.
- - Made SVSMODE -b/-e remove bans/excepts placed on IPs
- - The set::htm::incoming-rate config item was not working correctly
- - If a user was +R then remote server notices were accidentally also filtered.
- - A locop setting MODE #CHAN +O caused a desynch
- - Resolver sometimes incorrectly aliased names, causing incorrect TTLs etc.
- - Fixed SVSNOOP not removing ALL oper status properly.
- - 'shun' target was not working for spamfilter and ban version { }
- - Removing of shuns placed on IP's did not take effect immediately (had to reconnect).
- - Fixed a bug in mode skipping (eg: '+qk a b' if not +q) and error msgs.
- - Chanmode +f #t (per-user text limit) now no longer affects halfops.
- - Opers w/can_override can now +qa/-qa if they are not netadmins, also affected +L/+u. Be sure you upgrade all servers to 3.2.3 if using these new abilities, or else you will get desynch issues.
- - Fixed several /SAMODE bugs as well, regarding non-netadmins, being halfop'ed, etc.
- - /GZLINE [nick] was placing a *line on *@host instead of *@IP, fixed.
- - alias::format in combination with ::type 'command' caused a crash
- - zlib upgraded to 1.2.2, curl upgraded to 7.13.1, both fix various issues.
- - Win32 installer now also installs doc\technical\*.*
- - Desynch issues regarding +s/+p and +c/+S
- - /SAMODE causing a 'fishy timestamp' if a cmode with a digit parameter was used.

==[ REMOVED ]==
- - NAZIISH_CHBAN_HANDLING (did not work at all)
- - The 'oldcloak' cloaking module is now removed, since this old algorithm got broken 8 months ago, nobody should be using it anymore.

==[ CHANGELOG ]==
- - Fixed a typo in the makefile for USERIP
- - Made the WATCH command work for WebTV users (#0002121) suggested by White_Magic.
- - Some text updates... docs: now 3.2.2-CVS, also got rid of double version to avoid confusion. credits: fixed typo.
- - Added updated auspice.conf from Rocko since previous one was outdated (#0002147).
- - Recoded the config parsing code
  - The new system is much faster, for the programmers out there, the old system averaged O(MN) where N was the number of sub-directives for a block, and M was the number of sub-directives actually contained in the block in the config file. The new system averages O(N), so the number of sub-directives no longer has a significant impact on performance.
  - Added duplicate config entry detection (#0002126) suggested by brain2
  - May have a few bugs (easily fixed)
- - Corrected numerous -Wall warnings
- - Fixed a bug with /rehash and classes due to the config parser rewrite
- - Modified the module symbol dependency code to do more accurate searching for the module that contains the necessary symbol (#0002123) suggested by Xuefer.
  - Unreal will now prepend the pathname to the module and append the appropriate extension (.so or .dll) to the end
  - The new module system version is "3.2.3" to allow for backwards compatibility
- - Documented the default behavior of snomasks when /mode nick +s is used (#0002141) suggested by Bugz.
- - Added "const" to the functions in match.c, (#0002116) suggested by Xuefer.
- - Made ./Config better handle command line arguments
- - Removed NAZIISH_CHBAN_HANDLING as it didn't do anything
- - Added -advanced flag to ./Config to configure advanced options (#0002145) suggested by Bugz. As a result, some config.h options are now in ./Config -advanced.
- - Small fix for above
- - Added the ability to specify a botmotd and opermotd in a tld {} (#0000176) suggested by swissSolaris.
- - Fixed crashbug on /rehash due to config rewrite, also made DEBUGMODE working again.
- - Removed an excess space from the SAMODE notice when a mode without a parameter was set (#0002134) reported by Bugz.
- - Fixed small memory leak on /rehash (post-3.2.2).
- - Fixed botmotd crash due to last change (post-3.2.2).
- - Updated the Donation file
- - Added a 'B' flag to /who output for bots, and allowed normal users to /who +m B (#0002096) suggested by White_Magic
- - Added support for using \\ in the config file to indicate a \ (#0002178) reported by TimeFX
- - Added documentation for set::options::fail-oper-warn (#0002166) reported by Snake
- - Removed an extra ) in the Throttle disconnect message (#0002165) reported by Snake
- - Fixed a bug where the "looking up your hostname" message could still be displayed even if hostname resolving was disabled (#0002161) reported by Xuefer
- - Made typing /kline, /shun, /zline, and /gzline correctly report the correct /stats flag, and these commands now produce the same output as the respective /stats flag they emulate (#0002149) reported by Snake
- - Renamed some calls from report_error() to report_baderror() since otherwise the errors are hardly ever seen (unless you have +s +j set). For example a bad link::bind-ip only caused "Couldn't connect to xxxxxx" without any meaningful error message. Additionally, errors sent to report_baderror() are now logged.
- - Win32 installer: Apparently 'install as a service' was still not the default, reported by fez (#0002191, #0002189).
- - Fixed the crule parser to treat - and : as valid 'word' characters rather than separators (#0002188) reported by diskman1.
- - Fixed bug in remote version reply, reported by DukePyrolator (#0002180).
- - Added set::dns::bind-ip (rarely ever needed, but might be useful for paranoid people).
- - Some unreal32docs->security section improvements.
- - Fixed a minor bug in the new config system when displaying link {} and set::hosts errors (#0002194) reported by AngryWolf.
- - Renamed RPL_INVITELIST/RPL_ENDOFINVITELIST to RPL_INVEXLIST/RPL_ENDOFINVEXLIST
- - Using /invite with no parameters now lists the channels you are invited to but have not yet joined (#0002190) suggested by sac.
- - Added some missing operflags to /stats O and SVSO (#0002193) reported by Bugz.
- - If a user is +b on a channel, and set::allow-userhost-change force-rejoin is used, a part/join is not sent in order to prevent flooding (#0001933) suggested by Z3l3zT.
- - Rewrote some of the previous change to deal with some strange issues found by aquanight
  - Introduced two new macros DYN_LOCAL and DYN_FREE to allow creation/deletion of dynamically sized arrays in the most efficient manner (C99 variable length, alloca, or malloc)
- - Changed the +z cannot join message to be a bit more descriptive (#0002148) suggested by cust.
- - Added a config.h option, IPV6_COMPRESSED to make Unreal use compressed IPv6 addresses where possible (#0002107) suggested by Neo-Vortex.
- - Fixed alloca warning @ Linux (post-3.2.2)
- - Numeric audit: 15 small changes (int/long mismatches etc). This might have fixed some bugs on architectures where 'long' and 'int' have different sizes (eg: opteron).
- - Added a set::gline-address which works like set::kline-address (#0001298) suggested by Bugz.
- - Added missing documentation for spamfilter away target (#0002205) reported by Dukat.
- - Fixed dcc spamfilter problem reported by TimeFX and Deadalus (#2177, #2204).
- - Fixed Oper Override not giving a 'special join notice' if +z is set along with another mode (eg: +i/+k), reported by tabrisnet (#0001487).
- - help.conf: Fixed a typo, updated *CMDS indexes a bit, reported by crazy (#0002208), added long flags to OFLAGS.
- - OperOverride INVITE notices are now also global (if you have the eyes snomask set) (#2212).
- - Module coders: New function: sendto_snomask_global().
- - Speedup sendto_snomask/sendto_connectnotice/sendto_fconnectnotice code.
- - spamfilter.conf: fixed mIRC exploit sigs
- - Fixed all spamfilters in configfile not working due to configrewrite (post-3.2.2).
- - Module coders: sendto_snomask* now only sends to opers, sendto_snomask_normal* can be used to send to normal users w/the snomask set.
- - Fixed dcc filtering a bit more.
- Made usermode 'g' operonly since it didn't do much, reported by DukePyrolator (#0002024).
- Fixed tkl except { } not working (post-3.2.2).
- Fixed bug where servers behind ulines were not ulined, causing for example juped servers to show up if flat-map was enabled, reported by GSF19 (#0002230).
- Some doc/ updates: removed: Unreal31_to_32.html & example.settings, updated: Authors & translations.txt.
- Added a basic regex tutorial to unreal32docs.html (#0000920)
- Updated wircd.def
- Made CIDR no longer accept bitmasks with less than 16bits for /*line commands (#0002240) reported by aquanight.
- Made the (?) kill message not show IP addresses (#0002227) reported by neothematrix.
- Added some error checking to /sapart (#0002253) suggested by Troco.
- Imported TRE 0.7.2 for Windows
- Imported TRE 0.7.2 for *nix
- Got rid of wma/wmv in dccallow.conf, better to require an explicit select here due to recent DRM exploits (spyware etc).
- Fixed /restart reasons, reported by SouL-FoRTuNe.
- Partial (incomplete!) fix for alloca warnings during compile (especially w/SSL).
- Fixed serious crashbug that can be triggered by users, released a hotfix and a separate version called 3.2.2b (which is just 3.2.2+patch+version change to '3.2.2b', nothing else).
- Fixed 'make install' error due to example.settings remove.
- Fixed a minor typo in the "now an oper" announcement (#0002284) reported by Rocko.
- Made SVSMODE -b and -e remove bans/excepts placed on IPs (#0002270) reported by Snake.
- Fixed a couple of problems introduced with the ./Config -advanced changes (#0002239).
- Made the win32 installer include the dccallow.conf (#0002269) reported by Ron2K.
- Made the win32 installer work with the latest version of Inno Setup (5.0.6).
- Made /sajoin support multiple channels and using 0 (#0002231) suggested by acemi.
- Fixed a problem where doing ./unreal restart multiple times would not actually restart the ircd (#0002120) reported by SineSwiper.
- Made it so +f notices are sent to %#chan, not @%#chan (#0002248) reported by aquanight.
- Hopefully fixed the last of the alloca warnings (#0002202) reported by Stoebi.
- Fixed a problem with set::htm::incoming-rate being interpreted incorrectly (#0002266) reported by tabrisnet.
- Fixed a resolver cache bug regarding CNAME's. Thanks to insiderZ.DE for tracing down this issue.
- Fixed a bug related to the sajoin recode regarding notices displayed (#0002293) reported by Troco.
- Reworded a cloak-key error message to make it clearer (#0002297) reported by Bugz.
- Fixed a bug where /whois notices were not sent to users who are +R if the sender is -r and on a remote server (#0002288) reported by Freadon.
- Made /stats E include tkl except stats as well (#0001524) suggested by Cnils.
- Added an options member to the ExtbanInfo structure. This currently supports one flag, EXTBOPT_CHSVSMODE. When set, this extban will be removed when an SVSMODE -b [nick] is executed (#0002222) suggested by Snake.
- Fixed a bug where specifying a reason to SVSPART would cause it to fail (#0002210) reported by tabrisnet.
- Moved channel mode +G to extcmode to make room for invex.
- Added debug code to trace proto-check bugs in DEBUGMODE [IsToken() etc]
- [Module coders] Added new function: do_cmd(cptr, sptr, cmd, parc, parv) which is a uniform method to call any other commands. For more info, see description in src/packet.c. This will be used for any further modulization of commands that need to call other commands, like NICK (will be done soon).
- Added invite exceptions (+I). This prevents users from needing a /invite in for a +i channel (#0002044) suggested by medice.
- Updated help.conf's +f documentation for the new syntax
- Fixed some problems with the /stats help and documentation (#0002299) reported by Rocko.
- Corrected the help.conf documentation for /invite (#0002306) reported by White_Magic.
- Fixed a documentation inconsistency with me::numeric (#0002290) reported by Bugz.
- Fixed a problem when compiling Unreal with GUEST support (#0001758) dvzion.
- Fixed a win32 GUI problem where the tray menu's config submenu was not updated when new files were loaded or files were unloaded (#0002084) reported by Troco.
- Made m_template.c use CommandAdd() and CMD_FUNC()
- Modulized a lot of commands and related subfunctions: NICK (750 lines), USER (200), MODE (2300), WATCH (250), JOIN (600), PART (250), MOTD (100), OPERMOTD (100), BOTMOTD (100), LUSERS (100). More will follow soon (probably including more subfunctions related to existing commands).
- Various (important) fixes to above, also made win32 compile work again.
- And some more.
- Made unreal_copyfile try hardlinking first, if that fails.. it will try to copy (perhaps this should be a different function?). Anyway, this means less diskspace is needed (~1.5mb or more), and it also makes it a bit easier for RBAC (#2300).
- Made a new function DoMD5() which is ssl/non-ssl independent. Also made the cloaking module and the auth functions use it. Hopefully I didn't break anything ;). Suggested by Bugz (#2298).
- Fixed mode #chan +O set by locop causing a desynch, reported by Unim4trix0 (#0001946).
- Added spamfilter topic support ('t' in /spamfilter, or 'topic' in conf), suggested by Z3l3zT (#0001929).
- Updated makefile to fix compile problem, reported by vonitsanet (#0002317) [?]. Also made loading m_*.so work again.
- Added unreal_copyfileex() which works just like unreal_copyfile() but has an additional param to try hardlinks first.
- Win32 crash fixes due to modulizing
- Made channel mode +c block RGB color codes.
- Fixed a bug with channel alias{}'s where using the format syntax caused a crash (#0002323) reported by Snake.
- Made channel mode +S strip RGB color codes.
- Added channelmode +j (jointhrottle), syntax: /mode #chan +j X:Y, and then it will throttle the number of joins per-user to X in Y seconds. Idea from Angrywolf (who wrote a module that did this before). This needs testing :). It's enabled by default but can be #undef'ed in include/config.h (line 449).
- Added a feature to +b ~c, ~c:[prefix]<#channel>, prefix can be +/%/@/&/~ and will check if the user is voiced/halfoped/etc.. Especially useful for +e ~c. Idea from Bugz (#0002198). Obviously all servers need to be upgraded to make this work.
- Fixed SVSNOOP bug where remote servers still thought the opers had privileges, reported by Zell (#0002185)
- Docs: log { } from 'optional' -> 'recommended'
- If no log { } block is present a warning will be printed out and we will fallback to a default of logging errors to ircd.log. Suggested by w00t (#0002327).
- Fixed shuns not working as target in spamfilter and ban version { }, reported by Bugz (#0002223).
- Fixed a bug where shuns placed on IP's did not take effect to currently connected users.
- Fixed a small doc bug regarding shun in spamfilter, reported by KnuX (#0002338).
- Added greek docs, translator: GSF.
- Some help.conf/005.txt updates, reported by Ron2K (#0002354).
- No longer cutoff nick upon illegal character -- just reject the whole nick. The nick is still cutoff if the nick is too long. Basically this is the same way as Hybrid does it so it should work ok :).
- Added nick character system. This allows you to choose which (additional) characters to allow in nicks via set::allowed-nickchars. See unreal32docs.html -> section 3.16 for a list of available languages and more info on how to use it. Current list: dutch, french, german, italian, spanish, euro-west, chinese-trad, chinese-simp, chinese-ja, chinese. If you wonder why your language is not yet included or why a certain mistake is present, then please understand that we are most likely not experienced (at all) in your language.
  If you are a native of your language (or know the language well), and your language is not included yet or you have some corrections, then contact sy...@vu... or report it as a bug on http://bugs.unrealircd.org/
- Added swedish support for nicks, supplied by Tank.
- Various updates to unreal32docs from Ron2K (#0002354).
- set::allowed-nickchars:
  - Renamed 'euro-west' to 'latin1' since that's more descriptive/fair ;)
  - Added 'hungarian' [supplied by AngryWolf]
  - Added category 'latin2': just Hungarian for now
  - Added 'catalan' [supplied by Trocotronic]
  - Added 'greek' [supplied by GSF]
  - Added category 'latin7': alias for 'greek'
  - Added category 'gbk': alias for 'chinese'
- Removed 2 unneeded characters from 'catalan'.
- Added NICKCHARS= in PROTOCTL. This indicates which languages are accepted in nicks. If 2 servers try to link and the allowed nick characters do not fully match, then the link will be rejected. Note that this will not prevent you from 3.2.2<->3.2.3/CVS charsets mistakes, but only with linking CVS/3.2.3+ servers. Suggested by Troco (#0002360) This might need some additional testing, but initial results are positive :).
- NickChars:
  - Got rid of 'latin7', tiny mistake ;)
  - Removed e' accent from German (used in borrow-words only), reported by Dukat.
  - Added 'swiss-german', which is just German without es-zett, reported by Dukat.
  - Added 'turkish', supplied by Ayberk Yancatoral.
  - Built in some additional checks (especially for Chinese).
  - Fixed a bug in chinese character range (affecting 3.2*)
  - Relaxed nick character checking from remote servers (rely on NICKCHARS= PROTOCTL to deal with problems). This is useful to prevent any kills in case we slightly change the characters that are allowed in a language.
  - Added 'polish' (latin2), supplied by k4be.
  - Added 'hebrew' (iso8859-8I / windows-1255), supplied by PHANTOm.
- Added French example.fr.conf and help.fr.conf, translated/maintained by Babass.
- Fixed a doc typo, reported by SDF_of_BC.
- NickChars: Updated polish a bit, and added polish-w1250 which is unfortunately more common than real latin2 (iso-8859-2), supplied by k4be as well.
- NickChars: Added 'icelandic', supplied by Saevar.
- Updated wircd.def
- Fixed a bug where USERIP would say USERHOST in the not-enough-parameters numeric (#0002366) reported by vonitsanet.
- Fixed a bug causing SVSNICK not to send out a snomask +n notice (#0002359) reported by Rob_.
- Fixed a bug where SAJOIN would list channels multiple times in the notices (#0002325) reported by vonitsanet.
- Fixed a bug in mode-skipping (eg '+qk a b' if not +q) and error msgs, reported by brain2 (#0002372).
- Fixed bug where chanmode +f #t (per-user text kick[ban]) was also affecting halfops, reported by seneces (#0002333).
- Fixed doc bug reported by Dukat (#0002374). Also fixed 2 error msgs related to the nickchars system printing out incorrect set:: directives.
- spamfilter.conf and dccallow.conf are now also copied upon make install, reported by TommyTheKid (#0002313).
- Made CHGIDENT, CHGHOST and CHGNAME use more numerics (where possible) (#0002358).
- Fixed halfop trying to set chanmode +G/+T/+j not getting an error message, reported by Ron2K (#Ron2K).
- Module coders: using extcmode_default_requirechop is now deprecated, check src/extcmodes.c ctrl+f extcmode_default_requirechop for more details (solution: copy+paste & fill in modechar).
- Nicks with ~ are now also not cutoff anymore but rejected like any other illegal char (#0002074).
- Fixed bug in +G where with not-really-matching-words color was needlessly stripped, reported by SpeedFire (#0002375).
- Changed the 'is a Secure Connection' msg/numeric in /whois from RPL_WHOISSPECIAL to a slightly changed RPL_WHOISSECURE, namely: ':%s 671 %s %s :is using a Secure connection', I'm sure some client coders will bitch at this, but the current way is broken in 2 ways:
  - RPL_WHOISSPECIAL is meant for 1 line of additional whois info, usually an IRCOp title or description. Having a dedicated numeric for it allows for client-side interpretations and/or translations.
  - The 'is a Secure Connection' was incorrect English, this has been reported numerous times.
  The PRO's of this change are clear, the only CON is that in-window-/whois's are now likely not to show this line properly in-window but rather in the status window, until client coders implement this numeric.
  If you wonder why we didn't use RPL_USINGSSL, that's because this numeric collides with RPL_STATSDLINE (which we are already using for >5 years).
  If you wonder why we didn't use the RPL_WHOISSECURE numeric as-is (even though I haven't seen it in use anywhere), then that's because we wanted to minimize display problems in the transition period and the extra parameter would not be used by us anyway.
- If a locop now has can_override/can_gkline/can_gzline we will print out a warning and convert it to globops. This is also what we always did for can_globalroute/can_gkill (well, except the warning). Giving such NETWORK (GLOBAL) privileges to a LOCAL operator does not make any sense and is therefore no longer allowed.
- NickChars:
  - Added 'russian-w1251', supplied by Roman Parkin. There are like 7 standards in Russia (and like 2-3 main ones), so I didn't dare to call this one 'russian' ;).
  - Added 'czech-w1250' and 'slovak-w1250' (both might miss a few characters).
  - Added 'windows-1250' group which contains czech-w1250, slovak-w1250, polish-w1250 and hungarian.
  - Hungarian characters show both fine in w1250 and latin2, hence hungarian is included both in 'windows-1250' and 'latin2'.
  - Fixed bug: polish was not included in latin2
- Fixed various OperOverride issues:
  - Opers with can_override can now +qa/-qa even if they are not netadmins, and they can also (un)set L/u.
  - Fixed several SAMODE bugs, such as not completely working for non-netadmins and not working if you were halfop'ed, etc.
  Bugs reported by pak, aquanight, niphler, Bugz, and more. If there are still any bugs left, please report them on http://bugs.unrealircd.org/
  NOTE: some of these enhancements will produce desynchs if your net is not 100% on current CVS / Unreal3.2.3 and an oper tries to use these 'new features'. So use with care on mixed-version nets.
- Fixed /(G)ZLINE [nick] placing the *line on *@host instead of *@IP, reported by Snake (#0002246).
- A warning is now sent to the oper if (s)he tries to add a (G)ZLINE on *@host. (G)ZLINES should have an ipmask, not a hostmask, because they are processed BEFORE any dns lookups are done. Therefore any (g)zlines placed will probably work (but not necessarily) for like an hour (or whatever TTL), but after that the (ab)user can get in again so this is usually not what you want ;). I suppose I'll add a FAQ entry about this.
- Made badwords (+G) now work with hardcoded word boundaries. Also made the fastbadwords system accept more characters. Basically what this means is that the (fast) badwords system can now be used to properly block words with accents and things like that, just the way you block English words. Bug reported by MJ12Helios (#0002311).
- Fixed 'russian-w1251', was not working ok at all.
- Made it so halfops can -h themselves, and chanadmins can -a themselves, reported by fez (#0001503).
- Made spamfilter 'u' also check nickchanges, reported by Gilou (#0002251).
- Updated doc/technical/token.txt, reported by webfox (#0002373).
- NickChars: Added 'romanian', supplied by crazytoon.
- Added 3.2.3 release notes (expected to be changed later on).
- Updated russian-w1251 (added 2 chars).
- Made the (G)ZLINE warning only happen on add, as it should. Reported by crazy.
- Made some (incorrect) -Wall warnings disappear.
- Renamed version to 3.2.3-pre1, for Thursday. I'll keep the doc version numbers at 3.2.2-CVS to avoid confusion with the online semi-realtime docs ;).

** internal 3.2.3-pre1 release **

- Fixed a bug with /invite with no parameters (accidentally broken when +I was added) (#0002383) reported by trystanscott.
- Fixed a bug where /SAJOIN user 0 caused a desynch, reported by trystanscott (#0002384).
- Merged NICKCHARS= in PROTOCTL for now, since a separate one is not (yet!) needed, reported by SolutechUK and psadi (#0002386).
- Fixed various (major) problems that the '-h yourself' caused, reported by Trocotronic (#0002387).
- Fix for above, also reported by Trocotronic.

** internal 3.2.3-pre2 release **

- Fixed a couple of typos in doc/example.conf (#0002393) reported by AngryWolf.
- Added documentation about channel mode +j (#0002392) suggested by Dukat.
- Added doc/help.de.conf and doc/example.hu.conf
- Fixed +s/+p and +c/+S desynch issue during netmerge, reported by Ron2K (#0002391).
- Fixed a bug where an unknown operflag would cause a crash.
- Windows versions will now be compiled with zlib 1.2.2 and curl 7.13.1.
- Made windows installer also install doc\technical\*
- Removed oldcloak cloaking module, everyone should be using the new cloak one by now.
- Updated release notes (translated docs, zlib, doc\technical, sp/cS desynch).
- Made +g get removed when an oper sets -o (#0002399) reported by Ron2K.
- Made it so the win32 version shows channel modes in /list (#0002397) reported by Ron2K.
- Fixed /SAMODE with no can_override not always working with +G/+j/+T (extcmodes), reported by Ron2K (#0002398).
- Added doc/example.de.conf

** internal 3.2.3-pre3 release **

- Some spelling fixes in unreal32docs.html, reported by alex323 (#2412).
- Updated the list of donators
- /SAMODE could cause 'fishy timestamp' if digit parameters were used (eg: SAMODE #chan +l 5), this has now been fixed by sending an explicit TS 0.
- Fixed an important channelmode +j memory corruption bug that would cause crashes, reported by Bergee (#0002416).
- Some clarifications on /RESTART, remote restarts were well never supported, so the docs are now updated on that (no code changes).

** internal 3.2.3-pre4 release **

- Corrected small doc typo in unreal32docs, reported by arbiter.

** 3.2.3 release **

Downloadable, as usual, from http://www.unrealircd.com/

We have created 2 PGP keys:
rel...@un... [0x1C8A554E] http://www.unrealircd.com/pgp/release_key.asc
  Used for signing releases _only_
co...@li... [0x61904C03] http://www.unrealircd.com/pgp/coders_key.asc
  For secure communication with the UnrealIRCd head coders.

Since all releases now have PGP signatures (see details when downloading a file), we suggest you to validate the downloaded files via PGP/GPG instead of using MD5/SHA1 checksums. But here they are anyway...

MD5 checksums (not recommended):
b41f09c5999c67dc8e33db777b7397cf Unreal3.2.3.tar.gz
32c1b8545901717775a7d1fc26bea45c Unreal3.2.3.exe
5e2052ce173edc63c577ab97af1c99c5 Unreal3.2.3-SSL.exe

SHA1 checksums:
5820906434f0c9e2cd027882e85900a919a2065d Unreal3.2.3.tar.gz
b5897b0e02ae96475fa15c08d5e1c8452de468bb Unreal3.2.3.exe
535e06ba695f134683d91d7f9cd2eaf15cdf3457 Unreal3.2.3-SSL.exe

Thank you for using UnrealIRCd,

The UnrealIRCd team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)

iD8DBQFCNOpi4cPWX+btKqIRAsvaAKCTpH4dWuiy6R0Tcji6vBqmtaw/vQCeI88i
pMrXj8YxFkUgomcKaVaKiFc=
=16DW
-----END PGP SIGNATURE-----
From: Bram M. (Syzop) <sy...@vu...> - 2005-01-15 21:15:12
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

we became aware of a crash issue in UnrealIRCd that can be triggered by users. This time however, we are trying a new approach by offering a "hot patch" that will fix your ircd without requiring a restart, so the process shouldn't be too painful. It won't be possible for all future security issues, but it works great for this one :).

In any case, we apologize for any inconvenience this will cause.

Syzop / The UnrealIRCd Team.

PS: If you experience any problems with the patch, then you can ask for help on our forums [ http://forums.unrealircd.com/ ]

SECURITY ADVISORY
==================
A serious Denial-of-Service issue has been discovered in UnrealIRCd.

==[ AFFECTED VERSIONS ]==
Affected:
- Unreal3.2: beta18, beta19, RC-1, RC-2, 3.2, 3.2.1, 3.2.2
Unaffected:
- versions older than beta18 (OLD, UNSUPPORTED)
- 3.1* (VERY OLD, UNSUPPORTED)
- If you have NO servers and NO services linked and you are using a vulnerable version then this problem does not occur (this is however an uncommon configuration)
Fixed in/by:
- Hot-patched 3.2* servers (see FIX)
- The newly released 3.2.2b (for fresh installs)
- CVS from January 15 03:00 GMT and later

==[ PROBLEM ]==
There's a severe crashbug present in UnrealIRCd that can quite easily be triggered by users. No code execution or anything like that is possible (it's a NULL pointer dereference), but it does cause a crash, which is of course serious enough.

Server admins should apply the fix (which does not require a server restart) as soon as possible before an exploit will become widespread (within 24h is recommended).

During the time of writing (Jan15 19:00 GMT) there are no signs of "bad users" causing crashes, but we expect that this will happen after public announcement of this bug.

==[ WORKAROUND ]==
There's no safe workaround, but see next for an easy fix.
==[ FIX ]==
Thanks to modulized commands we have created a "hot patch" utility that will fix the issue WITHOUT requiring a server restart, all you will have to do is install it and rehash.

This patch can be used on Unreal3.2-RC2, 3.2, 3.2.1 and 3.2.2. Older versions (eg: beta's) are not supported, in that case we suggest you to upgrade to 3.2 (and apply this patch) or 3.2.2b.

*NIX:
Download and run the hotpatch utility, available URLs:
  http://www.vulnscan.org/tmp/unrealpatch322
  http://www.unrealircd.com/unrealpatch322
  http://unreal.atlanti-ka.org/unrealpatch322
EXAMPLE:
  cd ~/Unreal3.2 && wget http://www.unrealircd.com/unrealpatch322 && \
  chmod +x unrealpatch322 && ./unrealpatch322
(or 'fetch' instead of 'wget', or any other download utility)

Alternatively if that did not work, try this .tar.gz:
  http://www.vulnscan.org/tmp/qpatch.tar.gz OR
  http://www.unrealircd.com/qpatch.tar.gz OR
  http://unreal.atlanti-ka.org/qpatch.tar.gz
Extract it, cd to the directory and run ./doinstall

Windows:
Download and run the win32 hotpatch utility, available URLs:
  http://www.vulnscan.org/tmp/322_hotpatch.exe
  http://unreal.atlanti-ka.org/322_hotpatch.exe
  http://unrealircd.funny-chat.net/322_hotpatch.exe
(this hotpatch is for 3.2.2 only, if using an older version then upgrade to 3.2.2 first).

Additionally, we have replaced the 3.2.2 downloads on our site with "3.2.2b" which is 3.2.2 + this patch (useful in case the hot patch utility did somehow not work, or for any new installs):
See http://www.unrealircd.com/?page=downloads

This issue has also been fixed in CVS, both in 'stable' and 'unreal3_2_2fixes' since January 15 2005 03:00 GMT.
MD5 checksums:
2157afe65f97358645aac0b3f957bd57 unrealpatch322
8b842d83d037eca9cedcf49a6306b129 qpatch.tar.gz
d6a90889ce937d77e6e63787d7b31b51 Unreal3.2.2b.tar.gz
90ec48229484b16b94381471c39c07aa Unreal3.2.2b.exe
de445797833c281f87cdec193f098b0a Unreal3.2.2b-SSL.exe

SHA1 checksums:
31790d50dfa207a223c76f6c1119a8d48294c796 unrealpatch322
20879d90e328671f1853e78d6e4a6fb2557bf686 qpatch.tar.gz
c3f8258202c32ca09085975b6a042e6296c2d4b7 Unreal3.2.2b-SSL.exe
55019a076def37509fdb7e5382a62662f18dda30 Unreal3.2.2b.exe
749dfb38f514d1341b6ad8199ce0176f7709faf1 Unreal3.2.2b.tar.gz

==[ TIMELINE ]==
Times are GMT+1
13-01-2005 Bug reported, traced and *NIX hotpatch ready
14-01-2005 Bug fixed in CVS, Win hotpatch ready, private announcement to some networks
15-01-2005 CERT-IRC announcement
15-01-2005 Downloads replaced, public announcement

==[ SOURCE ]==
A copy (and any updates) of this advisory is posted on:
http://www.unrealircd.com/unreal3_2_2b_advisory.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB6YfP4cPWX+btKqIRAiosAKDFzRo3BM16tSlmyYd2RsGxyS8bUQCgnPgq
G+aIfS5KSA6Fim83P8aoJhU=
=xfC2
-----END PGP SIGNATURE-----
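The advisory's *NIX example downloads unrealpatch322 over plain HTTP and runs it in one command chain. The following is an added example, not part of the advisory or of UnrealIRCd's own tooling: it checks a downloaded file against the SHA1 list from the advisory before the file is made executable. The function names are hypothetical, and the list is only as trustworthy as the advisory's PGP signature, which should be checked first (for example with `gpg --verify` on a saved copy of the advisory).

```shell
#!/bin/sh
# Added example: gate execution of a downloaded hotpatch on its SHA1
# matching the checksum list published in the signed advisory.

# SHA1 entries for the *NIX downloads, copied from the advisory above
# ("<hash> <filename>" per line).
ADVISORY_SHA1='31790d50dfa207a223c76f6c1119a8d48294c796 unrealpatch322
20879d90e328671f1853e78d6e4a6fb2557bf686 qpatch.tar.gz
749dfb38f514d1341b6ad8199ce0176f7709faf1 Unreal3.2.2b.tar.gz'

# sha1_of PATH: print the lowercase hex SHA1 of a file, using whichever
# tool the host provides.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print tolower($1) }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{ print tolower($1) }'
    else
        openssl dgst -sha1 "$1" | awk '{ print tolower($NF) }'
    fi
}

# expected_sha1 LIST NAME: print the hash listed for NAME; fail if the
# list has no entry for it.
expected_sha1() {
    printf '%s\n' "$1" |
        awk -v n="$2" '$2 == n { print tolower($1); f = 1; exit }
                       END { exit !f }'
}

# verify_file LIST PATH: return 0 only if PATH's SHA1 equals the entry
# for its basename. 1 = mismatch, 2 = name not listed, 3 = not a file.
verify_file() {
    list=$1
    path=$2
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 3; }
    name=$(basename "$path")
    want=$(expected_sha1 "$list" "$name") || {
        echo "no checksum listed for $name" >&2
        return 2
    }
    got=$(sha1_of "$path")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "SHA1 mismatch for $name: got '$got', want '$want'" >&2
        return 1
    fi
}

# run_verified LIST PATH: set the execute bit and run PATH only after
# verify_file succeeds, so an altered download never executes.
run_verified() {
    verify_file "$1" "$2" || return $?
    case $2 in
        */*) target=$2 ;;
        *)   target=./$2 ;;   # avoid a PATH lookup for bare names
    esac
    chmod +x "$target" && "$target"
}

# Usage, after downloading into the current directory:
#   run_verified "$ADVISORY_SHA1" ./unrealpatch322
```
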