unreal-users Mailing List for UnrealIRCd

Status: Beta

Brought to you by: wildchild

unreal-users

You can subscribe to this list here.

2000	Jan	Feb	Mar (30)	Apr (10)	May (25)	Jun (77)	Jul (43)	Aug (104)	Sep (30)	Oct (52)	Nov (40)	Dec (199)
2001	Jan (124)	Feb (56)	Mar (39)	Apr (3)	May (18)	Jun (35)	Jul (90)	Aug (175)	Sep (46)	Oct (56)	Nov (26)	Dec (51)
2002	Jan (43)	Feb (75)	Mar (33)	Apr (28)	May (57)	Jun (60)	Jul (48)	Aug (224)	Sep (98)	Oct (81)	Nov (79)	Dec (151)
2003	Jan (101)	Feb (106)	Mar (100)	Apr (89)	May (173)	Jun (73)	Jul (58)	Aug (29)	Sep (84)	Oct (47)	Nov (26)	Dec (69)
2004	Jan (107)	Feb (91)	Mar (53)	Apr (18)	May (65)	Jun (23)	Jul (14)	Aug (6)	Sep (15)	Oct (13)	Nov (7)	Dec (4)
2005	Jan (9)	Feb (17)	Mar (13)	Apr (4)	May (17)	Jun (20)	Jul (8)	Aug	Sep (5)	Oct (3)	Nov (3)	Dec
2006	Jan	Feb (2)	Mar	Apr	May (1)	Jun (3)	Jul (2)	Aug (2)	Sep (2)	Oct (3)	Nov (2)	Dec (18)
2007	Jan (9)	Feb (4)	Mar (7)	Apr (10)	May (18)	Jun (18)	Jul (29)	Aug (34)	Sep	Oct	Nov	Dec
2009	Jan	Feb	Mar (1)	Apr (1)	May	Jun	Jul (2)	Aug	Sep	Oct	Nov	Dec
2010	Jan	Feb	Mar	Apr	May	Jun (2)	Jul	Aug	Sep (3)	Oct	Nov	Dec
2011	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov (1)	Dec
2012	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov (1)	Dec (1)
2013	Jan (4)	Feb	Mar	Apr	May	Jun	Jul	Aug (1)	Sep	Oct	Nov (1)	Dec
2014	Jan	Feb	Mar	Apr (2)	May	Jun	Jul (2)	Aug	Sep	Oct	Nov	Dec
2015	Jan	Feb	Mar (1)	Apr	May	Jun (2)	Jul (3)	Aug (1)	Sep (1)	Oct (2)	Nov (2)	Dec (4)
2016	Jan (1)	Feb	Mar (1)	Apr (2)	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec

Flat | Threaded

1 2 3 .. 154 > >> (Page 1 of 154)

[Unreal-users] The end of the unreal-users mailing list

From: Bram M. <sy...@un...> - 2016-04-16 11:31:59

To all subscribers of the unreal-users mailing list,

The UnrealIRCd project currently has two mailing lists:

  * unreal-users <mailto:unr...@li...>: For discussion
  * unreal-notify <mailto:unr...@li...>: For release
    announcements

The unreal-users mailing list has not seen any user activity for the past 8 
years or so. Most users are using IRC or the forums 
<https://forums.unrealircd.org/> for support. Only release announcements sent 
to unreal-notify were also still CC'd to unreal-users.
Tomorrow we will close the unreal-users mailing list, meaning you will no 
longer receive any emails from it. The mailing list archive will stay 
available at https://sourceforge.net/p/unreal/mailman/unreal-users/ for 
historic purposes.

The unreal-notify mailing list with almost 2000 subscribers will continue to 
exist. If you are interested in UnrealIRCd release announcements then please 
subscribe to the unreal-notify mailing list if you have not already.
You can subscribe here: 
https://lists.sourceforge.net/mailman/listinfo/unreal-notify

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.3 released

From: Bram M. <sy...@un...> - 2016-04-16 11:11:01

On UnrealIRCd 4.0.x an IRCOp could crash a server via the RPING command. This
command has now been removed since it's rarely used anyway. Note that regular
users cannot trigger this crash.
We classify this issue as *low impact* because IRC Operators usually have the
power to kill many if not all users on a server. Many IRCOps can shutdown or
make the server unusable for users through other commands or means.

If you use UnrealIRCd 4.0.x and want to fix the RPING crash but don't want to
upgrade to 4.0.3 yet then you can unload the module by editing
conf/modules.default.conf. You should remove this line:
/loadmodule "m_rping";/
Then, rehash the IRCd (no restart needed).
If you now type '/RPING' or '/QUOTE RPING' on IRC you should see 'RPING
Unknown command'.

There are more changes in this 4.0.3 release. On Windows we changed the build
process and are now using LibreSSL. Two crash bugs related to invalid link
blocks were fixed. For more details see below.

*Changes between version 4.0.2 and 4.0.3
*Major issues fixed

* Crash on RPING command (IRCOp-only!)
* Crash on Windows on failed outgoing server connect
* Crash if you had a link { } block with invalid syntax

Minor issues fixed

* Windows: remote includes did not support https
* Compile problem with LibreSSL

*Other*

* Windows version compiled with Visual Studio 2012 rather than a mix of 2012
and 2010
* Windows version now using LibreSSL
* Crash reporter produces more useful reports (very important for us)
* PCRE2 Regex engine upgraded to 10.21

*What's new in UnrealIRCd 4
*A short overview of the most important changes:*
*

* <https://www.unrealircd.org/docs/Modules>You decide what to load
<https://www.unrealircd.org/docs/Modules>. We have moved as much
functionality as possible to 150+ individually loadable modules (commands
<https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
<https://www.unrealircd.org/docs/User_modes>, channel modes
<https://www.unrealircd.org/docs/Channel_modes>, extbans
<https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges
<https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
privileges are granted has been redone entirely. This allows you to
configure oper privileges on a very detailed level. You don't want
OperOverride? You don't want opers to see secret channels? Or you want an
oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
It's even better than before and more accessible to people who are new to
IRCd's. The wiki also allows easy translation
<https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
community members.
* New directory structure
<https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
*NIX the IRCd is now always installed to a different directory than where
you compile from (~/unrealircd by default). No more mess. On both *NIX and
Windows configuration files go in conf/, modules go in modules/, etc..
Configuration files can be identical on Windows and *NIX. This new
directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of
users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in
UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
support (both on *NIX and Windows). SSL client certificate fingerprints
are visible in /WHOIS, a new certfp extban
<https://www.unrealircd.org/docs/Extended_bans>
(~S:certificatefingerprint), better defaults including 4096 bit keys and
Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
(DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the
configuration file.
* More modern server-to-server protocol.
<https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
UID/SID's. Resulting in less desynch. issues.
* Lowering the bar for Spamfilter
<https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
now choose between 'regex' and 'simple' matching. Simple matching allows
using the usual '?' and '*' wildcards that everyone knows about. The regex
engine has been moved from TRE to PCRE (=about twice as fast).
* Configuration is more logical
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
configuration blocks have been restructured. Don't worry, we include an
UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd
party modules in /src/modules/third/ and then each time you run 'make'
they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
ask you to import settings from a previous installation, remembering your
installation directory and other settings. It will also copy the 3rd party
modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure
behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

* Easier source navigation. Because we moved almost everything to modules,
it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been
restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki
<https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
module in C and list all the details on the various Module API's such as
how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x**to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX.
On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/.

The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes
*There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will require an update before they can run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely. Due to the many core
changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you a follow a few simple rules
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.2 released

From: Bram M. <sy...@vu...> - 2016-03-14 12:42:43

UnrealIRCd 4.0.2 addresses a number of minor issues and comes with two small
enhancements.

*Changes between version 4.0.1 and 4.0.2
*Enhancements

* Ability to hide quit messages from *LINEd users (set::hide-ban-reason)
* Blacklist <https://www.unrealircd.org/docs/Blacklist_block> hits are now
sent to new snomask +b rather than all ircops
<https://www.unrealircd.org/docs/Cron_job>

Major issues fixed

* None

Minor issues fixed

* prefix-quit was not working
* Incorrect server description in /LINKS
* Logging to syslog was broken
* FreeBSD: fix kevent bug flood in error log
* OS X: Update ./Config to use Homebrew OpenSSL by default
* Don't show UID to client in case of a SVSMODE

*What's new in UnrealIRCd 4
*A short overview of the most important changes:*
*

For developers:

The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*Full summary of changes*
We did our best to "summarize" the 1100+ changesets in about 120 bullet points
but it's still a long read.
The changes are split in the sections: NEW, CHANGED, REMOVED and MODULE CODERS
/ DEVELOPERS.
==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user
modes and all extended bans into 138 separate modules.
This makes it...
A) possible to fully customize what exact functionality you want to load.
You could even strip down UnrealIRCd to get something close to the
basic RFC1459 features from the 1990s. (No idea why you would want
that, but it's possible)
B) easier for coders to see all source code related to a specific feature
C) possible to fix bugs and just reload rather than restart the IRCd.

Have a look at modules.default.conf which contains the "default" set of
modules that you can load if you just want to load all functionality.
If you want to customize the list of modules to load then simply make
a copy of that file, give it a different name, and include that one
instead. Since the file is fully documented, you can just comment out
or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: [A4+]
* All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
* oper::flags has been removed. Instead you must specify an operclass
in oper::operclass (for example, 'operclass netadmin').
* In operclass block(s) you define the privileges. You can now control
exactly what an IRCOp can and cannot do.
Have a look at operclass.default.conf which ships with UnrealIRCd,
it contains a number of default operclass blocks suitable for the
most common situations. See also the operclass block documentation:
https://www.unrealircd.org/docs/Operclass_block
* If you ask UnrealIRCd to convert your 3.2.x configuration file then
it will try to select a suitable operclass for the oper. This will
not always 100% match your current oper block rights, though.
* Channel Mode +A (Admin Only) has been removed. You can use the new
extended ban ~O:<operclass>. This allows you to, for example, create
an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
* set::hosts has been removed, use oper::vhost instead.
* Since oper levels have been removed you no longer see things like
"OperX is a Network Administrator" in /WHOIS by default.
If you want that, then you can set oper::swhois to
"is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale
more easily to tens of thousands of clients by using kernel-evented I/O
mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency
and performance.
* On-connect DNSBL/RBL checking via the new blacklist block. [B1]
* The Windows version now has IPv6 support too. [B3]
* On all OS's we compile with IPv6 support enabled. You can still
disable IPv6 at runtime by setting set::options::disable-ipv6. [B3]
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say
anything in a channel. Whenever a user speaks for the first time they
will appear to join. Chanops will still see everyone joining normally
as if there was no +d set.
* If you connect with SSL/TLS with a client certificate then your SSL
Fingerprint (SHA256 hash) can be seen by yourself and others through
/WHOIS. The fingerprint is also shared with all servers on the network.
* ExtBan ~S:<certificate fingerprint> for ban exceptions / invex. This
can be used like +iI ~S:000000000etc.
* bcrypt has been added as a password hashing algorithm and is now the
preferred algorithm [A3]
* './unreal mkpasswd' will now prompt you for the password to hash [A3]
* Protection against SSL renegotiation attacks [A3]
* When you link two servers the current timestamp is exchanged. If the
time differs more than 60 seconds then servers won't link and it will
show a message that you should fix your clock(s). This requires
version alpha3 (or later) on both ends of the link [A3]
* Configuration file converter that will upgrade your 3.2.x conf to 4.x.
On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and
after the config errors screen UnrealIRCd offers the conversion. [A3]
* The IRCd can now better handle unknown channel modes which expect a
parameter. This can be useful in a scenario where you are slowly
upgrading all your servers.
* If you want to unset a vhost but keep cloaked then use /MODE yournick -t
* A "crash reporter" was added. When UnrealIRCd is started it will check
if a previous UnrealIRCd instance crashed and (after booting a new
instance) it will spit out a report and ask if you want to submit it
to the UnrealIRCd developers. Doing so will help us a lot as many bugs
are often not reported. Note that UnrealIRCd will always ask before
sending any information and never do so automatically. [B3]
* SSL: Support for ECDHE has been added to provide "forward secrecy". [B4]

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and
UIDs (User ID's). SIDs work very similar to server numerics and UIDs
help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands
(those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256
hash and validity of 10 years. [A2]
* Building with SSL (OpenSSL) is now mandatory [A2]
* The link { } block has been restructured, see
https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3]
* Better yet, check out our secure server linking tutorial:
https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 [A3]
* password entries in the conf no longer require specifying an auth-type
like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3]
* You will now see a warning when you link to a non-SSL server. [A3]
* Previously we used POSIX Regular expressions in spamfilters and at
some other places. We have now moved to PCRE Regular expressions.
They look very similar, but PCRE is a lot faster.
For backwards-compatibility we still compile with both regex engines. [A3]
* Spamfilter command syntax has been changed, it now has an extra option
to indicate the matching method:
/SPAMFILTER [add|del|remove|+|-] [method] [type] ....
Where 'method' can be one of:
* -regex: this is the new fast PCRE2 regex engine
* -simple: supports just strings and ? and * wildcards (super fast)
* -posix: the old regex engine for compatibility with 3.2.x. [A3]
* If you have both 3.2.x and 4.x servers on your network then the
4.x server will only send spamfilters of type 'posix' to the 3.2.x
servers because 3.2.x servers don't support the other two types.
So in a mixed network you probably want to keep using 'posix' for
a while until all your servers are running UnrealIRCd 4. [A3]
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called
oper::mask and vhost::mask. The usermask@ part is now optional and
it supports two syntaxes. For one entry you can use: mask 1.2.3.*;
For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow
block was highly confusing (it was an OR-match) you must now choose
between either allow::ip OR allow::hostname. [A3]
* cgiirc block is renamed to webirc and the syntax has changed [A4]
* set::pingpong-warning is removed, warning always off now [A4]
* More helpful configuration file parse error messages [A4]
* You can use '/OPER username' without password if you use SSL
certificate (fingerprint) authentication. The same is true for
'/VHOST username'. [A4]
* You must now always use 'make install' on *NIX [A4]
* Changed (default) directory structure entirely, see the section
titled 'CONFIGURATION CHANGES' about 100 lines up. [A4]
* badword quit { } is removed, we use badword channel for it. [A4]
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf.
This file was called modules.conf in earlier alpha's.
The file has been split up in sections and a lot of comments have
been added to aid the user in deciding whether to load or not to
load each module. [A4]
* Snomask +s is now (always) IRCOp-only. [A4]
* Previously there was little logic behind what modes halfops could
set. Now the idea is as follows: halfops should be able to help out
in case of a flood but not be able to change any 'policy decission
modes' such as +G, +S, +c, +s. Due to this change halfops can now
set modes +beiklmntIMKNCR (was: +beikmntI). [A4]
* If no link::hub or link::leaf is specified then assume hub "*". [B1]
* SWHOIS (Special whois title) has been extended in a number of ways:
* We now "track" who or what set an swhois. This allows us to
remove the swhois received via oper/vhost on de-oper/de-vhost.
* You can now have multiple swhois lines
* Multiple oper::swhois and vhost::swhois items are supported. [B1]
* When trying to link two servers without link::outgoing::options::ssl
(which is not recommended) we try to use STARTTLS in order to
'upgrade' the connection to use SSL/TLS anyway. This can be disabled
via link::outgoing::options::insecure. [B2]
* SSLv3 has now been disabled for security. This also means you can only
link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions
used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4]

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. [A1]
* PROTOCTL TOKEN and SJB64 are no longer implemented. [A1]
* Ziplinks have been removed. [A1]
* WebTV support. [A3]
* Channel Mode +j was removed and replaced by the configuration setting
set::anti-flood::join-flood (default: 3 per 90 seconds). [B1]
* /CHATOPS: use /GLOBOPS instead which does the same
/ADCHAT & /NACHAT: gone as we don't have such oper levels anymore
Your opers should actually be in an #opers channel. If you also want
special classes of oper channels like #admins then use +iI ~O:*admin*
* User modes:
* +N (Network Administrator): see 'Oper permissions' under NEW as for why
* +a (Services Administrator): same
* +A (Server Administrator: same
* +C (Co Administrator): same
* +O (Local IRC Operator): same
* +h (HelpOp): all this did was add a line "is available for help" in
WHOIS. You can use a vhost block with vhost::swhois as a replacement
or for opers just add an oper::swhois item.
* +g (failops): we already have snomasks and the +o usermode for this
* +v (receive infected DCC SEND rejection notices): moved to snomask +D

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added
at https://www.unrealircd.org/docs/ describing things like how to
write a module from scratch, the User & Channel Mode System, Commands,
Command Overrides, Hooks, attaching custom-data to users/channels,
and more. [A2+]
* For commands: do not read from parv[0] anymore, doing so will lead
to a crash. Use sptr->name instead. This change is necessary as
the "name" in parv[0] could possibly point to a UID/SID rather than
a nick name. Thus, if you would send parv[0] to a non-UID or non-SID
capable server this would lead to serious issues (not found errors).
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades)
but disallows unloading of a module [A3]
* There have been *a lot* of source code cleanups (ALL)
* We now use the information from PROTOCTL CHANMODES= for parameter
skipping if the channel mode is unknown. Also, when channel modes
are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1]
* The server protocol docs have been removed. The protocol is now
documented at https://www.unrealircd.org/docs/Server_protocol
See also https://www.unrealircd.org/docs/Server_protocol:Changes
for a list of changes between the 3.2 and 4.0 server protocol.
* GCC typechecking has been added to make sure your HookAdd... calls
are adding hook functions with the correct parameter (types).

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.1 released

From: Bram M. <sy...@vu...> - 2016-01-15 17:34:33

It's time for an update to the UnrealIRCd 4 series. In UnrealIRCd 4.0.1 we fix
two crash issues & more, see below.

Thanks to everyone who provided feedback and suggestions!

*Changes between version 4.0.0 and 4.0.1
*Enhancements

* The blacklist module <https://www.unrealircd.org/docs/Blacklist_block> now
supports %ip (=banned IP) in blacklist::reason.
* *NIX: You can use cron again, see https://www.unrealircd.org/docs/Cron_job
* /MODULE now lists only 3rd party modules by default so you don't get flooded.
* *NIX: Added './unrealircd reloadtls' to reload TLS certificate and keys.

Major issues fixed

* Possible crash on-link if a user was in the process of connecting during
linking
* Crash if you removed a listen { } block with active clients on that port
* MODEs set by a server (not by a user) were not always propagated correctly
across the network. In practice this only affected /SAMODE and possibly
some services that don't send MODEs from ChanServ/BotServ.

Minor issues fixed

* When doing /LIST under mIRC it would hide empty +P channels.
* Servers wouldn't link if link::outgoing::hostname was a CNAME.
* SSL Certificate fingerprint not communicated properly to servers/services.
* *NIX: ./unrealircd [stop|rehash] failed if not installed to ~/unrealircd.
* Windows: IRCd could crash after showing the config error screen on startup.
* Possibly some interoperability issues with services.

*What's new in UnrealIRCd 4
*A short overview of the most important changes:*
*

For developers:

The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd
team) then they will need an update to run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
enough to convert the module for you if you ask nicely.
Due to the many core changes in UnrealIRCd 4 it was simply impossible to make
3.2.x modules work out-of-the-box on 4.x as well.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we have deprecating the previous series.
All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.0 released

From: Bram M. <sy...@vu...> - 2015-12-24 18:32:40

UnrealIRCd 4 is here!

We have been working hard over the past few years to replace the successful 
but aging 3.2.x series with a more modern code base. At the same time we have 
implemented suggestions from our bug tracker, ideas from ourselves and many 
good suggestions that came up during the UnrealIRCd survey in Q4 2013. After 4 
alpha versions, 4 betas and 6 release candidates we are proud to finally 
present you the first stable release of UnrealIRCd 4.

Thanks to everyone who has supported us in our efforts in whatever way: 
through donations <https://www.unrealircd.org/index/donations>, bug reports 
<https://bugs.unrealircd.org/>, testing releases, translating docs, providing 
support, telling others about IRC (and UnrealIRCd in particular), or simply by 
running UnrealIRCd.

*What's new in UnrealIRCd 4
*A short overview of the most important changes:*
*

  * <https://www.unrealircd.org/docs/Modules>You decide what to load
    <https://www.unrealircd.org/docs/Modules>. We have moved as much
    functionality as possible to 150+ individually loadable modules (commands
    <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes
    <https://www.unrealircd.org/docs/User_modes>, channel modes
    <https://www.unrealircd.org/docs/Channel_modes>, extbans
    <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
    which features your UnrealIRCd should have.
  * Fine-grained IRCOp privileges
    <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
    privileges are granted has been redone entirely. This allows you to
    configure oper privileges on a very detailed level. You don't want
    OperOverride? You don't want opers to see secret channels? Or you want an
    oper with a very minimal set of privileges? This is all possible.
  * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
    documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
    It's even better than before and more accessible to people who are new to
    IRCd's. The wiki also allows easy translation
    <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
    community members.
  * New directory structure
    <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
    *NIX the IRCd is now always installed to a different directory than where
    you compile from (~/unrealircd by default). No more mess. On both *NIX and
    Windows configuration files go in conf/, modules go in modules/, etc..
    Configuration files can be identical on Windows and *NIX. This new
    directory structure also allows easier packaging.
  * New I/O system using kqueue & epoll. The IRCd can now handle thousands of
    users more easily.
  * Improved SSL/TLS support. SSL has always been a major feature in
    UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
    support (both on *NIX and Windows). SSL client certificate fingerprints
    are visible in /WHOIS, a new certfp extban
    <https://www.unrealircd.org/docs/Extended_bans>
    (~S:certificatefingerprint), better defaults including 4096 bit keys and
    Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
  * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
    (DNSBL/RBL). Great for combating drones and other abusers.
  * Better and more helpful error messages. Especially regarding the
    configuration file.
  * More modern server-to-server protocol.
    <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
    UID/SID's. Resulting in less desynch. issues.
  * Lowering the bar for Spamfilter
    <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
    now choose between 'regex' and 'simple' matching. Simple matching allows
    using the usual '?' and '*' wildcards that everyone knows about. The regex
    engine has been moved from TRE to PCRE (=about twice as fast).
  * Configuration is more logical
    <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
    configuration blocks have been restructured. Don't worry, we include an
    UnrealIRCd 3.2.x to 4.x configuration file converter.
  * Easier 3rd party module management. On *NIX you now just put your 3rd
    party modules in /src/modules/third/ and then each time you run 'make'
    they will be compiled if needed.
  * Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
    ask you to import settings from a previous installation, remembering your
    installation directory and other settings. It will also copy the 3rd party
    modules from the old to the new installation and re-compile them.
  * More secure. Even better secure defaults, more warnings about insecure
    behavior, ..
  * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:

  * Easier source navigation. Because we moved almost everything to modules,
    it's now much easier to see all the code for a particular feature.
  * Cleaner code. There have been a lot of source code cleanups. Code has been
    restructured or rewritten. Old irrelevant code has been deleted.
  * Development documentation can be found on the wiki
    <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
    module in C and list all the details on the various Module API's such as
    how to write commands, channel modes, plug-in by using Hooks, etc...

*Upgrading from 3.2.x**to UnrealIRCd 4*
If you are upgrading from 3.2.x to 4.x then there are three important things 
to know:
*1) New file locations*
In UnrealIRCd 4 the location of the configuration files and other files have 
been changed. On *NIX the directory where you compile the IRCd from 
(previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as 
the directory where the IRCd will be running from.
By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX. 
On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/.

The new directory structure is as follows (both on Windows and *NIX):
conf/           contains all configuration files
logs/           for log files
modules/   all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes
*There have also been changes in various configuration blocks and settings. 
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to 
UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more 
information on the config file conversion.

*3) Third party modules*
If you are using 3rd party modules (modules not developed by the UnrealIRCd 
team) then they will need an update to run on UnrealIRCd 4.
Contact your developer for a new version or ask on our Modules forum 
<https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind 
enough to convert the module for you if you ask nicely.
Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 
3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*
You can run a mixed 3.2.x <-> 4.x network if you a follow a few simple rules 
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*
With the release of UnrealIRCd 4.0.0 we are deprecating the previous series.
All support for the 3.2.x series will stop after December 31, 2016 (=12 months 
from now).
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Full summary of changes*
We did our best to "summarize" the 1100+ changesets in about 120 bullet points 
but it's still a long read.
The changes are split in the sections: NEW, CHANGED, REMOVED and MODULE CODERS 
/ DEVELOPERS.
==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user
   modes and all extended bans into 138 separate modules.
   This makes it...
   A) possible to fully customize what exact functionality you want to load.
      You could even strip down UnrealIRCd to get something close to the
      basic RFC1459 features from the 1990s. (No idea why you would want
      that, but it's possible)
   B) easier for coders to see all source code related to a specific feature
   C) possible to fix bugs and just reload rather than restart the IRCd.

   Have a look at modules.default.conf which contains the "default" set of
   modules that you can load if you just want to load all functionality.
   If you want to customize the list of modules to load then simply make
   a copy of that file, give it a different name, and include that one
   instead. Since the file is fully documented, you can just comment out
   or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: [A4+]
   * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
   * oper::flags has been removed. Instead you must specify an operclass
     in oper::operclass (for example, 'operclass netadmin').
   * In operclass block(s) you define the privileges. You can now control
     exactly what an IRCOp can and cannot do.
     Have a look at operclass.default.conf which ships with UnrealIRCd,
     it contains a number of default operclass blocks suitable for the
     most common situations. See also the operclass block documentation:
     https://www.unrealircd.org/docs/Operclass_block
   * If you ask UnrealIRCd to convert your 3.2.x configuration file then
     it will try to select a suitable operclass for the oper. This will
     not always 100% match your current oper block rights, though.
   * Channel Mode +A (Admin Only) has been removed. You can use the new
     extended ban ~O:<operclass>. This allows you to, for example, create
     an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
   * set::hosts has been removed, use oper::vhost instead.
   * Since oper levels have been removed you no longer see things like
     "OperX is a Network Administrator" in /WHOIS by default.
     If you want that, then you can set oper::swhois to
     "is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale
   more easily to tens of thousands of clients by using kernel-evented I/O
   mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency
   and performance.
* On-connect DNSBL/RBL checking via the new blacklist block. [B1]
* The Windows version now has IPv6 support too. [B3]
* On all OS's we compile with IPv6 support enabled. You can still
   disable IPv6 at runtime by setting set::options::disable-ipv6. [B3]
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say
   anything in a channel. Whenever a user speaks for the first time they
   will appear to join. Chanops will still see everyone joining normally
   as if there was no +d set.
* If you connect with SSL/TLS with a client certificate then your SSL
   Fingerprint (SHA256 hash) can be seen by yourself and others through
   /WHOIS. The fingerprint is also shared with all servers on the network.
* ExtBan ~S:<certificate fingerprint> for ban exceptions / invex. This
   can be used like +iI ~S:000000000etc.
* bcrypt has been added as a password hashing algorithm and is now the
   preferred algorithm [A3]
* './unreal mkpasswd' will now prompt you for the password to hash [A3]
* Protection against SSL renegotiation attacks [A3]
* When you link two servers the current timestamp is exchanged. If the
   time differs more than 60 seconds then servers won't link and it will
   show a message that you should fix your clock(s). This requires
   version alpha3 (or later) on both ends of the link [A3]
* Configuration file converter that will upgrade your 3.2.x conf to 4.x.
   On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and
   after the config errors screen UnrealIRCd offers the conversion. [A3]
* The IRCd can now better handle unknown channel modes which expect a
   parameter. This can be useful in a scenario where you are slowly
   upgrading all your servers.
* If you want to unset a vhost but keep cloaked then use /MODE yournick -t
* A "crash reporter" was added. When UnrealIRCd is started it will check
   if a previous UnrealIRCd instance crashed and (after booting a new
   instance) it will spit out a report and ask if you want to submit it
   to the UnrealIRCd developers. Doing so will help us a lot as many bugs
   are often not reported. Note that UnrealIRCd will always ask before
   sending any information and never do so automatically. [B3]
* SSL: Support for ECDHE has been added to provide "forward secrecy". [B4]

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and
   UIDs (User ID's). SIDs work very similar to server numerics and UIDs
   help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands
   (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256
   hash and validity of 10 years. [A2]
* Building with SSL (OpenSSL) is now mandatory [A2]
* The link { } block has been restructured, see
https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3]
* Better yet, check out our secure server linking tutorial:
   https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 [A3]
* password entries in the conf no longer require specifying an auth-type
   like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3]
* You will now see a warning when you link to a non-SSL server. [A3]
* Previously we used POSIX Regular expressions in spamfilters and at
   some other places. We have now moved to PCRE Regular expressions.
   They look very similar, but PCRE is a lot faster.
   For backwards-compatibility we still compile with both regex engines. [A3]
* Spamfilter command syntax has been changed, it now has an extra option
   to indicate the matching method:
   /SPAMFILTER [add|del|remove|+|-] [method] [type] ....
   Where 'method' can be one of:
   * -regex: this is the new fast PCRE2 regex engine
   * -simple: supports just strings and ? and * wildcards (super fast)
   * -posix: the old regex engine for compatibility with 3.2.x.  [A3]
* If you have both 3.2.x and 4.x servers on your network then the
   4.x server will only send spamfilters of type 'posix' to the 3.2.x
   servers because 3.2.x servers don't support the other two types.
   So in a mixed network you probably want to keep using 'posix' for
   a while until all your servers are running UnrealIRCd 4. [A3]
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called
   oper::mask and vhost::mask. The usermask@ part is now optional and
   it supports two syntaxes. For one entry you can use: mask 1.2.3.*;
   For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow
   block was highly confusing (it was an OR-match) you must now choose
   between either allow::ip OR allow::hostname. [A3]
* cgiirc block is renamed to webirc and the syntax has changed [A4]
* set::pingpong-warning is removed, warning always off now [A4]
* More helpful configuration file parse error messages [A4]
* You can use '/OPER username' without password if you use SSL
   certificate (fingerprint) authentication. The same is true for
   '/VHOST username'. [A4]
* You must now always use 'make install' on *NIX [A4]
* Changed (default) directory structure entirely, see the section
   titled 'CONFIGURATION CHANGES' about 100 lines up. [A4]
* badword quit { } is removed, we use badword channel for it. [A4]
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf.
   This file was called modules.conf in earlier alpha's.
   The file has been split up in sections and a lot of comments have
   been added to aid the user in deciding whether to load or not to
   load each module. [A4]
* Snomask +s is now (always) IRCOp-only. [A4]
* Previously there was little logic behind what modes halfops could
   set. Now the idea is as follows: halfops should be able to help out
   in case of a flood but not be able to change any 'policy decission
   modes' such as +G, +S, +c, +s. Due to this change halfops can now
   set modes +beiklmntIMKNCR (was: +beikmntI). [A4]
* If no link::hub or link::leaf is specified then assume hub "*". [B1]
* SWHOIS (Special whois title) has been extended in a number of ways:
   * We now "track" who or what set an swhois. This allows us to
     remove the swhois received via oper/vhost on de-oper/de-vhost.
   * You can now have multiple swhois lines
   * Multiple oper::swhois and vhost::swhois items are supported. [B1]
* When trying to link two servers without link::outgoing::options::ssl
   (which is not recommended) we try to use STARTTLS in order to
   'upgrade' the connection to use SSL/TLS anyway. This can be disabled
   via link::outgoing::options::insecure. [B2]
* SSLv3 has now been disabled for security. This also means you can only
   link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions
   used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4]

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. [A1]
* PROTOCTL TOKEN and SJB64 are no longer implemented. [A1]
* Ziplinks have been removed. [A1]
* WebTV support. [A3]
* Channel Mode +j was removed and replaced by the configuration setting
   set::anti-flood::join-flood (default: 3 per 90 seconds). [B1]
* /CHATOPS: use /GLOBOPS instead which does the same
   /ADCHAT & /NACHAT: gone as we don't have such oper levels anymore
   Your opers should actually be in an #opers channel. If you also want
   special classes of oper channels like #admins then use +iI ~O:*admin*
* User modes:
   * +N (Network Administrator): see 'Oper permissions' under NEW as for why
   * +a (Services Administrator): same
   * +A (Server Administrator: same
   * +C (Co Administrator): same
   * +O (Local IRC Operator): same
   * +h (HelpOp): all this did was add a line "is available for help" in
     WHOIS. You can use a vhost block with vhost::swhois as a replacement
     or for opers just add an oper::swhois item.
   * +g (failops): we already have snomasks and the +o usermode for this
   * +v (receive infected DCC SEND rejection notices): moved to snomask +D

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added
   at https://www.unrealircd.org/docs/ describing things like how to
   write a module from scratch, the User & Channel Mode System, Commands,
   Command Overrides, Hooks, attaching custom-data to users/channels,
   and more. [A2+]
* For commands: do not read from parv[0] anymore, doing so will lead
   to a crash. Use sptr->name instead. This change is necessary as
   the "name" in parv[0] could possibly point to a UID/SID rather than
   a nick name. Thus, if you would send parv[0] to a non-UID or non-SID
   capable server this would lead to serious issues (not found errors).
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades)
   but disallows unloading of a module [A3]
* There have been *a lot* of source code cleanups (ALL)
* We now use the information from PROTOCTL CHANMODES= for parameter
   skipping if the channel mode is unknown. Also, when channel modes
   are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1]
* The server protocol docs have been removed. The protocol is now
   documented at https://www.unrealircd.org/docs/Server_protocol
   See also https://www.unrealircd.org/docs/Server_protocol:Changes
   for a list of changes between the 3.2 and 4.0 server protocol.
* GCC typechecking has been added to make sure your HookAdd... calls
   are adding hook functions with the correct parameter (types).

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 
0xA7A21B0A108FF4A9)

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

-- 
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.0-rc6 released

From: Bram M. <sy...@un...> - 2015-12-16 12:56:05

The sixth - and possibly last - release candidate for UnrealIRCd 4 is now 
available for download <https://www.unrealircd.org/download>.

*Notable fixes between 4.0.0-rc5 and 4.0.0-rc6*

  * User could get an empty hostname
  * Some small memory leaks
  * CAP REQ did not work with multiple arguments

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 
0xA7A21B0A108FF4A9)

Please report bugs on https://bugs.unrealircd.org/

This announcement can also be read on the forums 
<https://forums.unrealircd.org/viewtopic.php?t=8439>.

-- 
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 3.2.10.6 released & phase-out of 3.2.x series

From: Bram M. <sy...@un...> - 2015-12-11 10:54:00

*UnrealIRCd 3.2.10.6 released*
This release comes with the following changes:

* Build Windows version with latest OpenSSL to fix possibly user-triggerable
crash issue (CVE-2015-3194 <https://www.openssl.org/news/secadv/20151203.txt>)
* Don't show vcredist dialog if installed (Windows installer)
* Add notes regarding deprecation of 3.2.x series

It is recommended that all Windows SSL users upgrade. For other users there's
no need to upgrade UnrealIRCd but we recommend 3.2.10.6 for new installations.

*UnrealIRCd 3.2.x phase-out
*With the upcoming release of UnrealIRCd 4 later this month we are deprecating
the UnrealIRCd 3.2.x series.
The 3.2.x series will receive security fixes *for 12 months*, but after
December 31, 2016 there will be no more fixes.
Users are suggested to upgrade to UnrealIRCd 4 in the course of 2016.
For more information see our policy on the wiki
<https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated>.<https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated>

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id
0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can
safely ignore this warning.

As always, please report bugs on https://bugs.unrealircd.org/

This announcement can also be read on the forums
<https://forums.unrealircd.org/viewtopic.php?t=8436>.

--
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.0-rc5 released

From: Bram M. <sy...@un...> - 2015-12-09 19:52:12

The fifth release candidate for UnrealIRCd 4 is now available for download 
<https://www.unrealircd.org/download>.

*Notable fixes between 4.0.0-rc4 and 4.0.0-rc5*

  * Windows: crash on connect reported by 1 user
  * Added workaround for rare "Cannot accept connections" flood
  * OperOverride did not work (INVITE+JOIN)
  * LIST didn't show more than 64 channels
  * JOIN error message not shown if IRCOp
  * SAJOIN ignored set::level-on-join

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 
0xA7A21B0A108FF4A9)

Please report bugs on https://bugs.unrealircd.org/

This announcement can also be read on the forums 
<https://forums.unrealircd.org/viewtopic.php?t=8435>.

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.0-rc4 released

From: Bram M. <sy...@vu...> - 2015-11-25 19:08:50

The fourth release candidate for UnrealIRCd 4 is now available for download 
<https://www.unrealircd.org/download>.

Notable fixes between 4.0.0-rc3 and 4.0.0-rc4:

  * Crash on linking attempt
  * Crash on boot if mode +f was present in set::modes-on-join
  * Channels with channel mode +P were not always synched correctly

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 
0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can 
safely ignore this warning.

Please report bugs on https://bugs.unrealircd.org/

This announcement can also be read on the forums 
<https://forums.unrealircd.org/viewtopic.php?t=8430>.

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.0-rc3 released

From: Bram M. <sy...@un...> - 2015-11-08 10:08:12

The third release candidate for UnrealIRCd 4 is now available for download 
<https://www.unrealircd.org/download>.

Notable fixes between 4.0.0-rc2 and 4.0.0-rc3:

  * Crash in invite notify
  * Strange behavior and possible crash in /WHOIS
  * Empty host bug
  * set::allowed-nickchars 'latin1' was broken
  * Files in the tld { } block were read from the wrong location (tld::motd, ..)
  * 'quarantine' didn't work in link::options
  * /MAP was hiding ulines and showing flat-map even for IRCOps

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

UnrealIRCd 3.2.x users may be interested in Upgrading from 3.2.x 
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x> and the Running a mixed 
UnrealIRCd 3.2 and UnrealIRCd 4 network 
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network> 
article.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 
0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can 
safely ignore this warning.
Google has been repeatedly blacklisting some of our downloads and 
unfortunately does not seem to be responding to removal or even information 
requests (any help with this would be appreciated).

Please report bugs on https://bugs.unrealircd.org/

This announcement can also be read on the forums 
<https://forums.unrealircd.org/viewtopic.php?t=8427>.

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.0-rc2 released

From: Bram M. <sy...@un...> - 2015-10-26 14:23:07

The second release candidate for UnrealIRCd 4 is now available for download 
<https://www.unrealircd.org/download>.
Thanks everyone who is helping out by testing and reporting bugs. Much 
appreciated!

Notable fixes between 4.0.0-rc1 and 4.0.0-rc2:

  * Crash in invite notify
  * OS X and *BSD: Serious I/O engine problems with kqueue
  * IPv6 compile problem (rare)
  * Channel mode +P not working if set::modes-on-join is set
  * /NOTICE $* did not work
  * Problem if you use remote includes and add a new listen { } block at runtime

For more information on UnrealIRCd 4, see What's new in UnrealIRCd 4 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

UnrealIRCd 3.2.x users may also be interested in Upgrading from 3.2.x 
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x> and the new Running a 
mixed UnrealIRCd 3.2 and UnrealIRCd 4 network 
<https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network> 
article.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 
0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can 
safely ignore this warning.
Google has been repeatedly blacklisting some of our downloads and 
unfortunately does not seem to be responding to removal or even information 
requests (any help with this would be appreciated).

Please report bugs on https://bugs.unrealircd.org/

This announcement can also be read on the forums 
<https://forums.unrealircd.org/viewtopic.php?t=8423>.

Regards,

Bram.

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 4.0.0-rc1 released

From: Bram M. <sy...@un...> - 2015-10-12 18:08:10

Hi everyone,

The first release candidate for UnrealIRCd 4 is now available for download. 
This -rc1 release fixes a number of crash and linking issues.

We're aiming for an UnrealIRCd 4.0.0 stable release before the end of the year 
(2015).

*Why UnrealIRCd _4_?*
When the development version was still in alpha/beta stage it was called 
3.4.x. It has been renamed to UnrealIRCd 4 to indicate the significant changes 
to the codebase and changes to end-users. See also What's new in UnrealIRCd 4 
<https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4>.

*Release Candiate*
We run daily tests against UnrealIRCd 4 without any issues and each release 
it's getting more stable. However because this version is a "Release 
Candidate" this means that it may still crash occasionally or have other 
issues. It's not yet of "release quality".

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 
0xA7A21B0A108FF4A9)

*UnrealIRCd is not malware*
You may see a "malware detected" prompt when downloading UnrealIRCd. You can 
safely ignore this warning.
Google has been repeatedly blacklisting some of our downloads and 
unfortunately does not seem to be responding to removal or even information 
requests (any help with this would be appreciated).

Please report bugs on https://bugs.unrealircd.org/

This announcement can also be read on the forums 
<https://forums.unrealircd.org/viewtopic.php?t=8407>.

Regards,

Bram.

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 3.4-beta4 released

From: Bram M. <sy...@vu...> - 2015-09-07 12:32:17

More 3.4.x beta releases. We're happy to see more and more people testing our 
beta's!

*3.4-beta3* was released 3 weeks ago but was snowed under by the SASL security 
announcement <https://forums.unrealircd.org/viewtopic.php?f=1&t=8401>.
Major new features:

  * Always build with IPv6 support enabled. More important: IPv6 support is
    now available on Windows too (finally!)
  * Added a "crash reporter" which asks you to report a crash issue if
    UnrealIRCd crashed for some reason. Don't worry, it will always _ask_ and
    not do so automatically. Crash reports are not public and can only seen by
    UnrealIRCd developers. We already fixed 3 major crash bugs thanks to this,
    so it really helps!

Today I'm releasing *3.4-**beta4*, which fixes a number of major bugs and adds 
a few security enhancements. Several of these bugs were introduced by the 
changes in beta3.

Major bugs fixed:

  * Crash on outgoing server link attempt.
  * Crash on boot with bind/listen errors.
  * GLINE/KLINE/.. were refusing perfectly OK bans.
  * Possible freeze when SSL client is connecting.
  * Remote includes were broken.
  * Compile problems on OpenBSD.

Enhancements:

  * SSLv3 is now disabled for security <http://disablessl3.com/>. Pretty much
    all clients supports TLS so this shouldn't be a problem.
  * Support for ECDHE has been added to provide forward secrecy
    <https://en.wikipedia.org/wiki/Forward_secrecy>

Important notes:

  * If you are linking a 3.2.x with a 3.4.x server, with SSL enabled, then you
    need at least version 3.2.10.3 on the 3.2.x side. Earlier versions used an
    incorrect OpenSSL API call and therefore supported SSLv3 only. Yeah,
    silly, we know. We fixed it in May 2014 but some people may still be using
    old versions.
  * If upgrading from previous beta's then you'll have to run './unrealircd
    upgrade-conf' or change your listen blocks manually. This because we
    changed the listen block syntax
    <https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Listen_block> to get
    rid of the strange [] brackets in IPv6 listen blocks.

As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 
0xA7A21B0A108FF4A9)

Please report bugs on https://bugs.unrealircd.org/

This announcement can also be read on the forums 
<https://forums.unrealircd.org/viewtopic.php?t=8405>.

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] Security: UnrealIRCd crash issue if SASL is enabled

From: Bram M. <sy...@vu...> - 2015-08-16 13:18:37

UNREALIRCD SECURITY ADVISORY
=============================

Summary: If SASL support is enabled in UnrealIRCd (this is not the default)
and is also enabled in your services package then a malicious user with
a services account can cause UnrealIRCd to crash.

Most people have not enabled SASL, and those who do can easily fix
this potential crash issue without a server restart. See below.

Index:
* Who is affected
* Solutions
* Workaround
* Patch / hotfix
* New versions
* Bug details
* Timeline
* References

==[ WHO IS AFFECTED ]==
For a user to be able to crash UnrealIRCd *ALL* of the following conditions
must be true:
1) Must be running UnrealIRCd version 3.2.10 or higher (including 3.2.10.4).
    The 3.4.x series are also affected (including 3.4-beta2).
2) In your configuration file (unrealircd.conf or included files) you have
    configured a SASL server via set::sasl-server
3) You are using a services package (such as anope) and the server is linked
4) SASL support is enabled in your services
5) The malicious user has (or can) register an account at services (usually
    via NickServ).

If one of the points above is not true for your installation then a remote
user cannot crash your server via this bug. In particular, if you are not
using SASL then no patch or upgrade is needed and you can stop reading here.

If you are unsure if you have enabled SASL then search for sasl-server
in your configuration files. If this word is not found then SASL is
disabled. This will actually be the case for the majority of installations.
When SASL is enabled in the configuration file it will look like this:
set {
         sasl-server "services.something.net";
};

==[ SOLUTIONS ]==
For UnrealIRCd 3.2.10.x we present 3 possible solutions in case you are
affected by this bug:
1) A workaround (NO restart needed)
2) A patch (NO restart needed) (*NIX only)
3) A new UnrealIRCd version (for new installations)

For the UnrealIRCd 3.4 beta series we suggest you to upgrade to 3.4-beta3.

==[ WORKAROUND ]==
If you remove the sasl-server directive from your configuration file
and rehash the IRCd then SASL support will be disabled.
This is an easy workaround but for most people who have SASL enabled this
won't be an acceptable solution.

==[ PATCH / HOTFIX ]==
If you are on *NIX then it's possible to fix the crash issue by patching
the source, recompiling UnrealIRCd, and then rehashing the server.
This will fix your IRC server without requiring a server restart.

Execute the following commands on the shell from your UnrealIRCd directory,
for example from /home/irc/Unreal3.2.10.4:

wget http://www.unrealircd.org/downloads/sasl.patch
patch -p0 <sasl.patch
make && make install

After doing the above you must rehash the IRCd. Either online as an IRCOp
by using the /REHASH command, or via ./unreal rehash on the command line.

==[ NEW VERSIONS ]==
New versions of UnrealIRCd are available which include a fix for this issue.
They are 3.2.10.5 (stable) and 3.4-beta3 (development version).
The new versions are meant for Windows users and new installations.
For *NIX users with existing installations we suggest to use the patch or
workaround instead because doing so incurs no downtime.

==[ BUG DETAILS ]==
Type of bug:          Crash due to NULL pointer dereference

CVSS v2:              AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVSS Base Score:      6.8
CVSS Temporal Score:  5.6

==[ TIMELINE ]==
Times are in UTC+2
2015-08-13 00:20    Bug reported privately to UnrealIRCd team
2015-08-13 07:55    First response
2015-08-13 16:05    Bug confirmed by developer
2015-08-15 16:15    Patched
2015-08-16 09:00    Source and binary releases ready
2015-08-16 15:05    Security advisory sent out

==[ REFERENCES ]==
This advisory (and updates to it, if any) is available from:
https://www.unrealircd.org/txt/unrealsecadvisory.20150816.txt
Forum thread:
https://forums.unrealircd.org/viewtopic.php?t=8401

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] UnrealIRCd 3.4-beta2 released

From: Bram M. <sy...@vu...> - 2015-07-23 14:29:48

After more than 2 years of development I'm happy to announce that UnrealIRCd 
3.4.x is now in BETA. This ends the 3.4 /alpha/ stage. Most of the features 
we have planned for UnrealIRCd 3.4.x are now done and we are shifting our 
focus towards getting a stable IRCd. This also means we are on schedule to 
deliver an UnrealIRCd 3.4 stable release by Q4 this year.

Let me take this opportunity to introduce UnrealIRCd 3.4 to everyone who 
hasn't been tracking it since the early alpha versions:

  * You decide what to load. We have moved as much functionality as possible
    to 150+ individually loadable modules (commands, user modes, channel
    modes, extbans, snomasks, ..). You decide which features your UnrealIRCd
    should have.
  * Fine-grained IRCOp privileges. The way IRCOp privileges are granted has
    been redone entirely. This allows you to configure oper privileges on a
    very detailed level. You don't want OperOverride? You don't want opers
    to see secret channels? Or you want an oper with a very minimal set of
    privileges? This is all possible.
  * Wiki. Documentation has been moved to a wiki
    <https://www.unrealircd.org/docs/>. It's even better than before and
    more accessible to people who are new to IRCd's. The wiki also allows
    easy translation by community members.
  * New directory structure. On *NIX the IRCd is now always installed to a
    different directory than where you compile from (~/unrealircd by
    default). No more mess. On both *NIX and Windows configuration files go
    in conf/, modules go in modules/, etc.. Configuration files can be
    identical on Windows and *NIX. This new directory structure also allows
    more easy packaging.
  * New I/O system using kqueue & epoll. The IRCd can now handle thousands
    of users more easily.
  * Improved SSL/TLS support. SSL has always been a major feature in
    UnrealIRCd but has been enhanced. SSL client certificate fingerprints
    are visible in /WHOIS, a certfp extban (~S:certificatefingerprint) has
    been added, better defaults, etc.
  * DNS Blacklist support (DNSBL/RBL). Great for combating drones and other
    abusers.
  * Better and more helpful error messages. Especially regarding the
    configuration file.
  * More modern server-to-server protocol. Such as using UID/SID's.
    Resulting in less desynch. issues.
  * Lowering the bar for Spamfilter. You can now choose between 'regex' and
    'simple' matching. Simple matching allows using the usual '?' and '*'
    wildcards that everyone knows about. The regex engine has been moved
    from TRE to PCRE (=about twice as fast).
  * Configuration is more logical. Around 30% of the configuration blocks
    have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to
    3.4.x configuration file converter.
  * Easier 3rd party module management. On *NIX you now just put your 3rd
    party modules in src/modules/third and then each time you run 'make'
    they will be compiled if needed.
  * Easier upgrading. On *NIX, when upgrading to a new version, ./Config
    will ask you to import settings from a previous installation,
    remembering your installation directory and other settings. It will also
    copy the 3rd party modules from the old to the new installation and
    re-compile them.
  * More secure. Even better secure defaults, more warnings about insecure
    behavior, ..


For developers:

  * Easier source navigation. Because we moved almost everything to modules,
    it's now much easier to see all the code for a particular feature.
  * Cleaner code. There have been a lot of source code cleanups. Code has
    been restructured or rewritten. Old irrelevant code has been deleted.
  * Development documentation can be found on the wiki
    <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
    module in C and list all the details on the various Module API's such as
    how to write commands, channel modes, plug-in by using Hooks, etc...


Since this is such an early beta, we do not recommend running it on a 
production network yet.

Release notes are available here. 
<https://www.unrealircd.org/txt/unreal3_4_beta2_release_notes.txt> Be sure 
to read the release notes if you are trying out UnrealIRCd 3.4 and are 
currently on 3.2. It contains important information on the new location of 
files, configuration format, and how to automatically convert your 
unrealircd.conf to 3.4.x format.

As always, you can download UnrealIRCd from https://www.unrealircd.org/

Just a small note to people who verify PGP signatures of releases: please 
note that we use a new PGP release key as previously announced on July 2nd 
on this mailing list. The new PGP key has short key id 0x108FF4A9 and long 
id 0xA7A21B0A108FF4A9. All releases on the site are (re-) signed with this 
key, including 3.2.10.4 (just the signature, the 3.2.10.4 files themselves 
are unchanged, of course).

Have fun!

Bram.

PS: I actually sent in the announcement on 3.4-beta1 a week ago, however due 
to Sourceforge infrastructure problems outside my control problems it was 
never actually sent out. Today I released 3.4-beta2, so this is the first 
announcement on a 3.4 beta.

-- 
Bram Matthys
Software developer/IT con...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] New releases@unrealircd.org PGP key coming up

From: Bram M. <sy...@vu...> - 2015-07-02 14:26:30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

Just a quick message to all people who use PGP to verify the authenticity of
UnrealIRCd software downloads:

I've created a new rel...@un... signing key.
The key has id 0x108FF4A9 and is a 4096 bit RSA key.

The previous releases key (rel...@un...) was a 1024 bit DSA key.

Also note the move from .com to .org in the new key.

I have signed the new key (0x108FF4A9) both with sy...@vu... /
sy...@un... (0x7FE199A6) and also with the old release key
(0x9FF03937).

3.4-alpha4 is still signed with the old key.
The new key will be used for the releases after that, so 3.4-alpha5 /
3.4-beta1, any next 3.2.x release, etc. etc.

Regards,

Bram.

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlWVShcACgkQbmdtRX/hmabsmwD6AuNYSfS7jxfD+xEK9zJwT29l
3BO1ddaWkmtmvcRpHEMBAIMCDW6Zzzty4huPTSUxtp0eq8RqwP1bCyukDEhvSkzR
=5aFE
-----END PGP SIGNATURE-----

[Unreal-users] UnrealIRCd 3.4-alpha4 released

From: Bram M. <sy...@vu...> - 2015-07-02 14:18:18

Hi all,

A few days ago we released 3.4-alpha4. This will be (almost?) the last alpha 
release for UnrealIRCd 3.4.x. After that we will move to beta.

The oper privilege system received a complete makeover in this release, 
allowing you to grant/restrict oper privileges in a very fine manner. More 
work is on the way but it looks nice already.

More things (user modes, all extended bans, ..) have been moved to modules.
Have a look at the new improved modules.default.conf to see what modules you 
can enable/disable. There are 150 modules now!
(Note: if you upgrade from 3.4-alpha3 to 3.4-alpha4 then be sure to use 
'modules.default.conf' and not alpha3's old 'modules.conf')

Another major change is the new directory structure.
On *NIX you no longer put your configuration files (and other files) in your 
just-compiled-Unreal3.4 directory. Instead UnrealIRCd installs to 
/home/yourusername/unrealircd by default. This allows for a clear 'source' 
and 'installed' directory separation.
On all OS's we then enforce the following directory structure:
conf/    for configuration files
logs/    for log files
etc. etc.

Similarly, on *NIX you now have to start UnrealIRCd from the installed 
directory via the 'unrealircd' script:
cd /home/yourusername/unrealircd
./unrealircd start
(NOTE: the script is called 'unrealircd' now, previously it was 'unreal')

Finally, the UnrealIRCd 3.4.x documentation is now online at:
https://www.unrealircd.org/docs/UnrealIRCd_3.4.x_documentation
https://www.unrealircd.org/docs/FAQ
As you can see we use a wiki now for all (3.4.x) documentation.
The wiki is available for translation as well. At this point about half of 
the pages are open for translation, but more is on the way:
https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages
The old unreal32docs.*html files have been removed from 3.4.x.

Full release notes below:

Unreal3.4-alpha4 Release Notes
===============================

This is the fourth 'alpha' version of UnrealIRCd 3.4. We plan to move to
'beta' stage in a month to have a stable 3.4.x release later in 2015.

IMPORTANT REMARKS as long as UnrealIRCd 3.4.x is in alpha stage:
* Because this is an alpha version it is far more likely to crash or hang.
* Security issues are handled as regular issues (no security advisories!)
* Linking with 3.2.x servers is supported but highly untested.
* Things are likely to change between alpha versions. Including but not
   limited to: configuration, command syntax, location of files, etc.

Therefore:
* You should never run 3.4-alpha4 as a production server
* You should not link 3.4-alpha4 with a production 3.2.x network

Please do:
* Install 3.4-alpha4 to play around, show to your friends, have fun with
   the latest features and improvements, test things.
* Report any problems, bugs, issues and other feedback on
   https://bugs.unrealircd.org/ so we can improve 3.4.x!

Finally:
* If you are moving from 3.2.x then be sure to read 'CONFIGURATION CHANGES'
   which explains the new directory structure and how to make UnrealIRCd
   convert your existing 3.2.x configuration file to the 3.4.x format.

==[ DOCUMENTATION ]==
UnrealIRCd 3.4.x documentation is now located in a wiki online at:
* https://www.unrealircd.org/docs/
The old unreal32docs.*html files have been removed.

==[ CONFIGURATION CHANGES ]==
Starting with 3.4-alpha4 we use a new directory structure.

*NIX: If you are not on Windows then this means you must now choose a
       target directory to install UnrealIRCd to. ./Config will ask this
       and it's ~/unrealircd by default (eg: /home/nerd/unrealircd).
       You also need to run 'make install' after 'make' now.
       After compiling, you should leave your Unreal3.4-alphaX directory
       and change to ~/unrealircd as everything takes place there.
       For example to start UnrealIRCd you run './unrealircd start'
       (again, from the /home/xxxx/unrealircd directory).

The new directory structure is as follows (both on Windows and *NIX):
conf/      contains all configuration files
logs/      for log files
modules/   all modules (.so files on *NIX, .dll files on Windows)
tmp/       temporary files
data/      persistent data such as ircd.tune
cache/     cached remote includes

It is possible to use your existing 3.2.x configuration file, but it needs
to be 'upgraded' to the new 3.4.x syntax. UnrealIRCd can do this for you.
Simply place your unrealircd.conf (and any other .conf's you use) in the
conf/ directory and then:
* On *NIX run './unrealircd upgrade-conf' (from /home/xxxx/unrealircd)
* On Windows simply try to boot and watch all the errors, click OK and
   you will be asked if UnrealIRCd should upgrade your configuration file.
On either OS, after running the step from above, simply start UnrealIRCd
again and it should boot up fine with your converted configuration file(s).

Note: UnrealIRCd can only convert *working* 3.2.x configuration files!
If your 3.2.x configuration contains mistakes or errors then the upgrade
process will likely fail or the resulting config file will fail to load.

You may still be interested in the configuration changes, they are
listed on: https://www.unrealircd.org/docs/Upgrading_from_3.2.x

==[ GENERAL INFORMATION ]==
* Below you will see a summary of all changes. Changes may be tagged when
   a change was made in a specific version, e.g. "(A3)" means 3.4-alpha3.
   For a complete list of changes (600+) use 'git log' or have a look at
   https://github.com/unrealircd/unrealircd/commits/unreal34

==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user
   modes and all extended bans into 145 separate modules.
   This makes it...
   A) possible to fully customize what exact functionality you want to load.
      You could even strip down UnrealIRCd to get something close to the
      basic RFC1459 features from the 1990s. (No idea why you would want
      that, but it's possible)
   B) easier for coders to see all source code related to a specific feature
   C) possible to fix bugs and just reload rather than restart the IRCd.

   Have a look at modules.default.conf which contains the "default" set of
   modules that you can load if you just want to load all functionality.
   If you want to customize the list of modules to load then simply make
   a copy of that file, give it a different name, and include that one
   instead. Since the file is fully documented, you can just comment out
   or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: (A4)
   * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
   * oper::flags has been removed. Instead you must specify an operclass
     in oper::operclass (for example, 'operclass netadmin').
   * In operclass block(s) you define the privileges. You can now control
     exactly what an IRCOp can and cannot do. (This process is on-going)
     Have a look at operclass.default.conf which ships with UnrealIRCd,
     it contains a number of default operclass blocks suitable for the
     most common situations. See also the operclass block documentation:
     https://www.unrealircd.org/docs/Operclass_block
   * If you ask UnrealIRCd to convert your 3.2.x configuration file then
     it will try to select a suitable operclass for the oper. This will
     not always 100% match your current oper block rights, though.
   * Channel Mode +A (Admin Only) has been removed. You can use the new
     extended ban ~O:<operclass>. This allows you to, for example, create
     an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
   * set::hosts has been removed, use oper::vhost instead.
   * Since oper levels have been removed you no longer see things like
     "OperX is a Network Administrator" in /WHOIS by default.
     If you want that, then you can set oper::swhois to
     "is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale
   more easily to tens of thousands of clients by using kernel-evented I/O
   mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency
   and performance.
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say
   anything in a channel. Whenever a user speaks for the first time they
   will appear to join. Chanops will still see everyone joining normally
   as if there was no +d set.
* If you connect with SSL/TLS then your SSL Fingerprint (SHA256 hash) can
   be seen by yourself and others through /WHOIS. The fingerprint is also
   shared (broadcasted) with all servers on the network. In alpha3 we
   will add more features that will use SSL fingerprints. (A2)
* bcrypt has been added as a password hashing algorithm and is now the
   preferred algorithm (A3)
* './unreal mkpasswd' will now prompt you for the password to hash (A3)
* Protection against SSL renegotiation attacks (A3)
* When you link two servers the current timestamp is exchanged. If the
   time differs more than 60 seconds then servers won't link and it will
   show a message that you should fix your clock(s). This requires
   version 3.4-alpha3 (or later) on both ends of the link (A3)
* Configuration file converter that will upgrade your 3.2.x conf to 3.4.x.
   On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and
   after the config errors screen UnrealIRCd offers the conversion. (A3)

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and
   UIDs (User ID's). SIDs work very similar to server numerics and UIDs
   help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands
   (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256
   hash and validity of 10 years. (A2)
* Building with SSL (OpenSSL) is now mandatory (A2)
* The link { } block has been restructured, see
   https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block (A3)
* Better yet, check out our secure server linking tutorial:
   https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 (A3)
* password entries in the conf no longer require specifying an auth-type
   like password "..." { md5; };. UnrealIRCd will now auto-detect. (A3)
* You will now see a warning when you link to a non-SSL server. (A3)
* Previously we used POSIX Regular expressions in spamfilters and at
   some other places. We have now moved to PCRE Regular expressions.
   They look very similar, but PCRE is a lot faster.
   For backwards-compatibility we still compile with both regex engines. (A3)
* Spamfilter command syntax has been changed, it now has an extra option
   to indicate the matching method:
   /SPAMFILTER [add|del|remove|+|-] [method] [type] ....
   Where 'method' can be one of:
   * -regex: this is the new fast PCRE2 regex engine
   * -simple: supports just strings and ? and * wildcards (super fast)
   * -posix: the old regex engine for compatibility with 3.2.x.  (A3)
* If you have both 3.2.x and 3.4.x servers on your network then the
   3.4.x server will only send spamfilters of type 'posix' to the 3.2.x
   servers because 3.2.x servers don't support the other two types.
   So in a mixed network you probably want to keep using 'posix' for
   a while until all your UnrealIRCd servers are on 3.4.x. (A3)
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called
   oper::mask and vhost::mask. The usermask@ part is now optional and
   it supports two syntaxes. For one entry you can use: mask 1.2.3.*;
   For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow
   block was highly confusing (it was an OR-match) you must now choose
   between either allow::ip OR allow::hostname. (A3)
* cgiirc block is renamed to webirc and the syntax has changed (A4)
* set::pingpong-warning is removed, warning always off now (A4)
* More helpful configuration file parse error messages (A4)
* You can use '/OPER username' without password if you use SSL
   certificate (fingerprint) authentication. The same is true for
   '/VHOST username'. (A4)
* You must now always use 'make install' on *NIX (A4)
* Changed (default) directory structure entirely, see the section
   titled 'CONFIGURATION CHANGES' about 100 lines up. (A4)
* badword quit { } is removed, we use badword channel for it. (A4)
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf.
   This file was called modules.conf in earlier alpha's.
   The file has been split up in sections and a lot of comments have
   been added to aid the user in deciding whether to load or not to
   load each module. (A4)
* Snomask +s is now (always) IRCOp-only. (A4)
* There's now actually an idea behind HalfOp permissions. The idea
   is that halfops should be able to help out in case of a flood but
   not be able to
* Previously there was little logic behind what modes halfops could
   set. Now the idea is as follows: halfops should be able to help out
   in case of a flood but not be able to change any 'policy decission
   modes' such as +G, +S, +c, +s. Due to this change halfops can now
   set modes +beiklmntIMKNCR (was: +beikmntI).

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added
   at https://www.unrealircd.org/docs/ describing things like how to
   write a module from scratch, the User & Channel Mode System, Commands,
   Command Overrides, Hooks, attaching custom-data to users/channels,
   and more. (A2+)
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades)
   but disallows unloading of a module (A3)
* There have been *a lot* of source code cleanups (ALL)

==[ MAJOR BUGS FIXED ]==
* Crash bug on-boot in alpha1 (A2)
* IRCOp commands such as /GLINE were not always working (A2)
* link::outgoing::options::autoconnect did not work (A4)
* This is still an alpha release, so likely contains major issues
* If the IRCd could not bind to any ports it started anyway (A4)
* alpha3 did not compile on x86 (32 bit) systems (A4)

==[ MINOR BUGS FIXED ]==
* Errors in example configuration files (A2)
* Some fixes in delayjoin (Channel mode +d) (A2)
* Deal with services who allow you to log in by account name (A3)
* Detect "IRCd not running" situations better (A4)
* './unrealircd restart' will now always try to start UnrealIRCd,
   so also if it wasn't running previously. (A4)

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. (A1)
* PROTOCTL TOKEN and SJB64 are no longer implemented. (A1)
* Ziplinks have been removed. (A1)
* WebTV support. (A3)
* User mode +h (helpop). This user mode only added a line in /WHOIS
   saying the user "is available for help". You can use a vhost block
   with a vhost::swhois as a replacement. Or oper::swhois. (A4)

Have fun with the development release!

Bram

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] Security: DoS issue in OpenSSL, affecting UnrealIRCd (again)

From: Bram M. <sy...@vu...> - 2015-06-11 16:31:33

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SECURITY ADVISORY
==================

The OpenSSL project team sent out a security advisory today regarding
several security issues that were found in the OpenSSL library.
The OpenSSL library is used by UnrealIRCd when you compiled with SSL
support.

Most of the reported bugs result in a server crash or hang: the attacker
sends some bad data and the IRC daemon will crash or hang.
One other issue is a possible 'SSL downgrade' attack called "Logjam" which
could make SSL/TLS connections easier to crack (decrypt), but only if the
attacker has access to the network path between the client and the server.

The OpenSSL development team says there is NO risk for remote code
execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries. All Windows SSL binaries
until today were using a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1 (Windows)
* Unreal3.4-alpha2 (Windows)
* Unreal3.4-alpha3 (Windows)
* Older Windows SSL versions are (very) likely affected as well

Unaffected:
* If you downloaded the non-SSL version for Windows
* Unreal3.2.10.4-SSL-fix2 (version shown by installer)
* Unreal3.4-alpha3-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system
installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install).
~   This is often not needed, but is sometimes necessary.
~   If you do this, then also recompile any 3rd party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not a regular user!!), type '/VERSION' or
'/QUOTE VERSION'. If you have OpenSSL support compiled in you will see this:
- -server.test.net- OpenSSL 1.0.2b 11 Jun 2015

Version 1.0.2b means you're good.

If you see 1.0.0 with a version lower than 1.0.1s,
or 1.0.1 with a version lower than 1.0.1n,
or 1.0.2 with a version lower than 1.0.2b,
then you are possibly vulnerable, see next version.

If you see no such line at all, and again.. you are sure you are IRCOp,
then it means the server does not have SSL support (no OpenSSL in use).
You're safe.

TIP: You can also check remote servers, again only if you are IRCOp,
~     by '/VERSION remote.server.name' or '/QUOTE VERSION remote.server'

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from https://www.unrealircd.org/
The installers have a filename like 'Unreal3.2.10.4-SSL-fix2.exe' and
'Unreal3.4-alpha3-fix.exe'
After installation, you see no change in UnrealIRCd version number.
This is because no code in UnrealIRCd was actually changed.
You can, however, verify the OpenSSL version, see previous block
'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the block '*NIX USERS' about 40 lines up.
Did you already follow these instructions and you still see an old version
in use? Even after you restarted UnrealIRCd? On several Linux distro's
this is pretty common as vendors routinely backport security fixes
without bumping the version number. So if you are on Linux, then after you
followed the 4 steps mentioned in '*NIX USERS' then you more or less have
to trust your vendor (and yourself).
NOTE: At the time this security advisory was sent, the OpenSSL security
advisory has only been out for an hour or so, so your distro may not
have a new OpenSSL version available yet!

==[ ADDITIONAL NOTES ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and
the OpenSSL version is vulnerable. Then if at least one port is reachable
for the attacker it can be attacked. It doesn't matter if this is an SSL
or non-SSL port and whether you have restrictive allow { } blocks or not.
In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-06-11 14:45    OpenSSL security announcement
2015-06-11 15:33    Downloads replaced
2015-06-11 16:05    Security announcement

==[ LINKS ]==
This advisory (and updates to it, if any) is posted to:
https://www.unrealircd.org/txt/unrealsecadvisory.20150611.txt

The OpenSSL security advisory can be found on:
https://www.openssl.org/news/secadv_20150611.txt

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlV5sjwACgkQbmdtRX/hmaYKWAD/UzyHHNQ0YOTy/HoTgnGi15R7
4njo1AIGdsy4BCNYObQA/izj0Bw8z80XNUOmZMjY+x+Qs99GXbzEgbRLlobQ7RVW
=SAfX
-----END PGP SIGNATURE-----

[Unreal-users] 3.4-alpha3 released

From: Bram M. <sy...@vu...> - 2015-06-11 16:31:08

On a more positive note, the development of UnrealIRCd 3.4.x is going well.
I only just realized that I forgot to send an announcement out for 
3.4-alpha2. No problem, 3.4-alpha3 just came out ;)

In 1-2 months we plan to move 3.4.x to 'beta' stage so we can have a 
'stable' release by the end of this year (2015).

For UnrealIRCd module coders and developers we now have a development 
documentation available at https://www.unrealircd.org/docs/ which explains 
how to create a module from scratch and documents a lot of the UnrealIRCd 
API such as User & Channel modes, Hooks, adding new commands, Command 
Overrides, extended bans, storing per-user/per-channel custom module data, 
etc. etc.
During development of alpha2 and alpha3 we already noticed increased 
community interest and contributions to UnrealIRCd 3.4.x via GitHub.
We hope that with this detailed technical documentation even more people 
will be interested in UnrealIRCd. Be it code or patches for inclusion in 
official UnrealIRCd or coding 3rd party modules.

Notable changes in alpha2 are that we now always compile with SSL/TLS 
support, we show the SSL Fingerprint in /WHOIS, and several crash bugs were 
resolved including a crash-on-boot problem that affected many.

Notable changes in alpha3 are in the /SPAMFILTER command (also supports 
non-regex, simple '?' and '*' matching), the move to PCRE regex engine which 
uses a slightly different syntax but is considerably faster, bcrypt password 
hashing support (very secure, now the default), more secure defaults, 
warnings when doing something insecure, etc.

There have been many changes in the configuration file so we now provide an 
easy to use tool which will convert your existing configuration file from 
3.2.x or earlier 3.4-alpha's to the new style in 3.4-alpha3.

Full release notes below:

Unreal3.4-alpha3 Release Notes
===============================

This is the third 'alpha' version of UnrealIRCd 3.4. We plan to move to
'beta' stage in 1-2 months and have a stable 3.4.x release later in 2015.

IMPORTANT REMARKS as long as UnrealIRCd 3.4.x is in alpha stage:
* Because this is an alpha version it is far more likely to crash or hang.
* Security issues are handled as regular issues (no security advisories!)
* Linking with 3.2.x servers is supported but highly untested.
* Things are likely to change between alpha versions. Including but not
   limited to: configuration, command syntax, location of files, etc.

Therefore:
* You should never run 3.4-alpha3 as a production server
* You should not link 3.4-alpha3 with a production 3.2.x network

Please do:
* Install 3.4-alpha3 to play around, show to your friends, have fun with
   the latest features and improvements, test things.
* Report any problems, bugs, issues and other feedback on
   https://bugs.unrealircd.org/ so we can improve 3.4.x!
   During alpha stage we are still very flexible so feedback is really helpful.

Finally:
* If you are moving from 3.2.x then be sure to read 'CONFIGURATION CHANGES'!
* The documentation has not been updated to reflect the changes in 3.4.x.

==[ GENERAL INFORMATION ]==
* Documentation is still in doc\unreal32docs.html but - as said - is not
   up to date for 3.4.x. FAQ is on: http://www.unrealircd.com/faq
* Please report bugs at http://bugs.unrealircd.org/
* Below you will see a summary of all changes. Changes may be tagged when
   a change was made in a specific version, e.g. "(A3)" means 3.4-alpha3.
   For a complete list of changes (500+) use 'git log' or have a look at
   https://github.com/unrealircd/unrealircd/commits/unreal34

==[ CONFIGURATION CHANGES ]==
UnrealIRCd 3.4.x comes with an easy to use tool to upgrade your configuration
file from the 3.2.x syntax to 3.4.x. If you already have a good working
3.2.x configuration file then this should make it very easy to move to 3.4.x.

After UnrealIRCd is compiled/installed you copy your unrealircd.conf over
from 3.2.x (along with any other custom .conf's).
Then, on *NIX run './unreal upgrade-conf'.
On Windows simply try to boot and watch all the errors, click OK and
you will be asked if UnrealIRCd should upgrade your configuration file.

UnrealIRCd will go through your unrealircd.conf and any other files that
are included from there and upgrade the files one by one.

For both *NIX and Windows, after running the step from above, simply
start UnrealIRCd (again) and it should boot up fine with your freshly
converted configuration file(s).

Note: UnrealIRCd can only convert *working* 3.2.x configuration files!
If your 3.2.x configuration contains mistakes or errors then the upgrade
process will likely fail or the resulting config file will fail to load.

You may still be interested in the configuration changes, they are
listed on: https://www.unrealircd.org/docs/Upgrading_from_3.2.x

==[ NEW ]==
* We moved a lot of channel and user modes to modules. These are all
   loaded by modules.conf, but if you don't want to load a certain module
   you can now simply comment them out or remove that line.
   Since a lot of code has been moved from the core to these modules it
   makes it A) easier for coders to see all source code related to a
   specific feature, and B) makes it possible to fix something and reload
   the module rather than restart the IRCd.
* Entirely rewritten I/O and event loop. This allows the IRCd to scale
   more easily to tens of thousands of clients by using kernel-evented I/O
   mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency
   and performance.
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say
   anything in a channel. Whenever a user speaks for the first time they
   will appear to join. Chanops will still see everyone joining normally
   as if there was no +d set.
* If you connect with SSL/TLS then your SSL Fingerprint (SHA256 hash) can
   be seen by yourself and others through /WHOIS. The fingerprint is also
   shared (broadcasted) with all servers on the network. In alpha3 we
   will add more features that will use SSL fingerprints. (A2)
* bcrypt has been added as a password hashing algorithm and is now the
   preferred algorithm (A3)
* './unreal mkpasswd' will now prompt you for the password to hash (A3)
* Protection against SSL renegotiation attacks (A3)
* When you link two servers the current timestamp is exchanged. If the
   time differs more than 60 seconds then servers won't link and it will
   show a message that you should fix your clock(s). This requires
   version 3.4-alpha3 (or later) on both ends of the link (A3)
* Configuration file converter that will upgrade your 3.2.x conf to 3.4.x.
   On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and
   after the config errors screen UnrealIRCd offers the conversion. (A3)

==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and
   UIDs (User ID's). SIDs work very similar to server numerics and UIDs
   help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands
   (those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256
   hash and validity of 10 years. (A2)
* Building with SSL (OpenSSL) is now mandatory (A2)
* The link { } block has been restructured, see
   https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block (A3)
* Better yet, check out our secure server linking tutorial:
   https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 (A3)
* password entries in the conf no longer require specifying an auth-type
   like password "..." { md5; };. UnrealIRCd will now auto-detect. (A3)
* You will now see a warning when you link to a non-SSL server. (A3)
* Previously we used POSIX Regular expressions in spamfilters and at
   some other places. We have now moved to PCRE Regular expressions.
   They look very similar, but PCRE is a lot faster.
   For backwards-compatibility we still compile with both regex engines. (A3)
* Spamfilter command syntax has been changed, it now has an extra option
   to indicate the matching method:
   /SPAMFILTER [add|del|remove|+|-] [method] [type] ....
   Where 'method' can be one of:
   * -regex: this is the new fast PCRE2 regex engine
   * -simple: supports just strings and ? and * wildcards (super fast)
   * -posix: the old regex engine for compatibility with 3.2.x.  (A3)
* If you have both 3.2.x and 3.4.x servers on your network then the
   3.4.x server will only send spamfilters of type 'posix' to the 3.2.x
   servers because 3.2.x servers don't support the other two types.
   So in a mixed network you probably want to keep using 'posix' for
   a while until all your UnrealIRCd servers are on 3.4.x. (A3)
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called
   oper::mask and vhost::mask. The usermask@ part is now optional and
   it supports two syntaxes. For one entry you can use: mask 1.2.3.*;
   For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow
   block was highly confusing (it was an OR-match) you must now choose
   between either allow::ip OR allow::hostname. (A3)

==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added
   at https://www.unrealircd.org/docs/ describing things like how to
   write a module from scratch, the User & Channel Mode System, Commands,
   Command Overrides, Hooks, attaching custom-data to users/channels,
   and more. (A2+)
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades)
   but disallows unloading of a module (A3)
* There have been *a lot* of source code cleanups (ALL)

==[ MAJOR BUGS FIXED ]==
* Crash bug on-boot in alpha1 (A2)
* IRCOp commands such as /GLINE were not always working (A2)
* This is still an alpha release, so likely contains major issues

==[ MINOR BUGS FIXED ]==
* Errors in example configuration files (A2)
* Some fixes in delayjoin (Channel mode +d) (A2)
* Deal with services who allow you to log in by account name (A3)

==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. (A1)
* PROTOCTL TOKEN and SJB64 are no longer implemented. (A1)
* Ziplinks have been removed. (A1)
* WebTV support. (A3)

==[ KNOWN ISSUES ]==
* Documentation has NOT been updated to reflect 3.4.x features!!!


-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

[Unreal-users] Security: DoS issue in OpenSSL, affecting UnrealIRCd

From: Bram M. <sy...@vu...> - 2015-03-19 20:37:44

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SECURITY ADVISORY
==================

Several security issues were found in the OpenSSL library.
The OpenSSL library is used by UnrealIRCd if you compiled with SSL support.

At least one issue is a server crash: the attacker sends some bad data
and the IRC daemon will crash.

As far as we know there is NO risk for remote code execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries. All Windows SSL binaries
until today were using a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.4-alpha1 (Windows)
* Older Windows SSL versions are (very) likely affected as well

Unaffected:
* If you downloaded the non-SSL version for Windows
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system
installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install).
   This is often not needed, but is sometimes necessary.
   If you do this, then also recompile any 3rd party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not a regular user!!), type '/VERSION' or
'/QUOTE VERSION'. If you have OpenSSL support compiled in you will see this:
[18:40:06] -server.test.net- OpenSSL 1.0.1m 19 Mar 2015

Version 1.0.1m means you're good.

If you see anything lower than 1.0.1m, such as "1.0.1h" then you are
possibly vulnerable, see next section.

If you see no such line at all, and again.. you are sure you are IRCOp,
then it means the server does not have SSL support (no OpenSSL in use).
You're safe.

TIP: You can also check remote servers, again only if you are IRCOp,
     by '/VERSION remote.server.name' or '/QUOTE VERSION remote.server'

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from https://www.unrealircd.org/
The installers have a filename like 'Unreal3.2.10.4-SSL-fix.exe' and
'Unreal3.4-alpha1-fix.exe'
After installation, you see no change in UnrealIRCd version number.
This is because no code in UnrealIRCd was actually changed.
You can, however, verify the OpenSSL version, see previous block
'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the block '*NIX USERS' about 40 lines up.
Did you already follow these instructions and you still see an old version
in use? Even after you restarted UnrealIRCd? On several Linux distro's
this is pretty common as vendors routinely backport security fixes
without bumping the version number. So if you are on Linux, then after you
followed the 4 steps mentioned in '*NIX USERS' then you more or less have
to trust your vendor (and yourself).

==[ ADDITIONAL NOTES ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and
the OpenSSL version is vulnerable. Then if at least one port is reachable
for the attacker it can be attacked. It doesn't matter if this is an SSL
or non-SSL port and whether you have restrictive allow { } blocks or not.
In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-03-19 14:12    OpenSSL security announcement
2015-03-19 17:57    Downloads replaced
2015-03-19 20:15    Security announcement

==[ SOURCE ]==
This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsecadvisory.20150319.txt

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlULL64ACgkQbmdtRX/hmaamSwD7BhhnKAD0FuD5W0e3fT6KppZ8
hde7mYukukjBdjKAYW0A/i349jcHXUQcBC2wHalTaNh9EcEXaojV/d50tCVtOCAE
=VOM4
-----END PGP SIGNATURE-----

Re: [Unreal-users] Unreal3.4-alpha1 & Unreal3.2.10.4 released, help us, move to GitHub, ..

From: Bram M. <sy...@vu...> - 2014-07-31 19:50:05

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

To anyone using GitHub: the address has changed.
It's http://www.github.com/unrealircd/unrealircd now.
(rather than unreal-ircd)


Bram Matthys wrote, on 29-7-2014 13:44:
> Hi all,
> 
> There has been a lot of activity on the UnrealIRCd project past few months!
> 
> Index
> ======
> * UnrealIRCd 15 years!
> * New website
> * Survey results
> * Help us with development
> * UnrealIRCd 3.4
> * UnrealIRCd 3.2
> * Move to GitHub
> * GitHub/Twitter account
> * Finally
> 
> UnrealIRCd 15 years!
> =====================
> In May of this year UnrealIRCd celebrated its 15th birthday.
> See http://forums.unrealircd.com/viewtopic.php?t=8271 where I thanked all
> past coders, contributors and the community (you!) for all the support.
> In the same article I also wrote about the past and future development of
> UnrealIRCd, openly speaking about the difficulties we have encountered and
> the challenges in moving forward.
> 
> New website
> ============
> On UnrealIRCd's 15th birthday www.unrealircd.com got a new design as well.
> The new website is easier to navigate and just looks a lot more 'clean'.
> Thank n0kS for all the work on this.
> 
> Survey results
> ===============
> I've made a document summarizing the results of the UnrealIRCd survey. In
> total 342 people completed the survey, (almost) all of them were admins
> running UnrealIRCd. Thanks *a lot*! This was really useful. The survey
> results are (already) used to guide future 3.4.x development.
> In general people are really satisfied with UnrealIRCd (49% even gave us a 9
> or 10 out of 10), but we can always do better and we got many suggestions.
> The UnrealIRCd survey results are available from:
> http://www.unrealircd.com/files/UnrealIRCd%20Survey%20results.pdf
> (apologies in advance for the lack of fancy graphics)
> 
> Help us with development
> =========================
> I welcome Travis McArthur (Heero) who recently joined as an UnrealIRCd 3.4.x
> developer. Travis has already worked on channel mode +d, improving the
> module API and modularizing modes and is - besides many other things -
> working on documenting the 3.4 Module API to make the source code more
> understandable for new (module) coders.
> 
> If you are a C programmer and interested in helping out with 3.4.x
> development then send an e-mail to sy...@un... and we can discuss.
> Even if it's just for the summer vacation you're more than welcome to help.
> 
> UnrealIRCd 3.4
> ===============
> This weekend I released the first alpha version of UnrealIRCd 3.4:
> 3.4-alpha1. Although 3.4 development started well over a year ago, this
> version marks the beginning of the alpha series: we plan to release an alpha
> version every month or so, the exact release schedule depends highly on the
> changes and bugs we encounter.
> Since this is an alpha version, and in fact the very first one, we strongly
> discourage you to run 3.4-alpha1 on a production network.
> However, if you are curious and want to help us by testing and reporting
> bugs at http://bugs.unrealircd.org/ then please go ahead and download it.
> Just don't be (too) surprised by the bugs you will encounter and if it
> crashes from time to time.
> 
> Major enhancements in 3.4-alpha1 compared to 3.2.x are:
> * We moved a lot of channel and user modes to modules, while at the same
> time improving the module system as a whole. This means A) You can now
> easily choose not to load a particular feature if you don't like it (we will
> be moving more in next few versions!), B) It makes it easier for coders to
> see all source code related to a specific feature, C) Enables you to fix /
> "patch" something and reload (the module) rather than needing to restart the
> entire IRCd.
> * The I/O engine has been rewritten. This makes the IRCd feel a lot more
> 'responsive' and can potentially accept a lot more users. Still, the entire
> system is not as stable as 3.2.x yet.
> * The SSL version of the IRCd will now boot even if you have no SSL
> certificates. Naturally SSL won't work then, but this means you can safely
> compile with SSL support even if you don't intend to use it straight away.
> This also means for 3.4.x we only provide the SSL version of Windows
> downloads, if you insist on not using SSL then simply don't make a
> server.*.pem certificate.
> * A new channel mode +d which hides joins/parts for users who don't say
> anything in a channel. Whenever a user speaks for the first time they will
> appear to join. Channel ops will still see everyone joining normally as if
> there was no +d set.
> * Behind-the-scenes: A lot of source code cleanups, enhancements, memory
> pooling, simplifying the code, all to make the source better and also more
> readable for (new) developers. This should make it easier for the community
> to contribute patches.
> * There have been some configuration changes, Unreal 3.4 will not boot with
> your existing 3.2.x unrealircd.conf! Be sure to read the section
> CONFIGURATION CHANGES in the Release Notes. In later alpha versions more
> configuration changes may be necessary.
> 
> This first alpha version contains by no means all of the changes and
> features we would like to see in the final version of UnrealIRCd 3.4. There
> will be many major changes to come.
> 
> UnrealIRCd 3.2
> ===============
> I forgot to send out an announcement to this mailing list for 3.2.10.3 which
> was released on the 31st of May.
> 3.2.10.3 has the following bugs fixed:
> * Crash when SASL is enabled and ping-cookie is disabled (a rare combination)
> * Compile issue with remote include
> * OS X compile problems
> * ./unreal backtrace not always working well
> Two days ago I released another update: 3.2.10.4. This fixes the following
> two major issues:
> * Compile problems with clang, which is the default compiler on a number of
> systems nowadays.
> * Newer services like anope 2.0 allow you to log in by account name, this
> means you don't necessarily get user mode +r (registered nick). Previously
> even if you logged in to anope you could still not join +R channels
> ("registered only") or speak in +M channels ("only registered users may
> speak"). Now this has been fixed.
> 
> In addition to these two issues, the OpenSSL/curl/.. libraries for the
> Windows build have also been updated to the latest versions. Plus an update
> to the shipped curl-ca-bundle.crt, which now contains the latest certificates.
> 
> If you are not encountering any of the issues from above then there's little
> reason to upgrade from 3.2.10.2 or 3.2.10.3.
> 
> Move to GitHub
> ===============
> To give UnrealIRCd development more exposure and make it easier for people
> to contribute we decided to move our source code over to GitHub. This was
> actually one of the suggestions that came out of the UnrealIRCd survey.
> This means from now on the Mercurial repository is no longer functional.
> See this FAQ item http://www.unrealircd.com/faq.php#82 for more information
> on how to access the 'bleeding edge' source code.
> Or go directly to our GitHub page on
> https://github.com/unreal-ircd/unrealircd
> 
> Note that the bug tracker, downloads, and all the rest of the project will
> stay at www.unrealircd.com. It is only our repository (source code) which
> moved to GitHub.
> 
> GitHub/Twitter account
> =======================
> We are searching for the owner of the 'unrealircd' account on GitHub, and
> similarly the owner of @unrealircd on Twitter. We already sent a message to
> both accounts but received no response.
> Presumably these accounts were registered in advance with good intentions,
> ensuring nobody else could take them, as a placeholder until the project
> needs it.
> That moment is now, if you are the owner of one of these accounts (or know
> who is) then please contact sy...@un...
> 
> Finally
> ========
> I'm really glad to see all the activity on the UnrealIRCd project as a whole
> and on 3.4.x in particular. I hope more people will jump in to help out,
> either as a developer or simply by testing the 3.4.x releases and reporting
> bugs or giving suggestions.
> Since there's a lot more activity now, especially on 3.4.x, this newsletter
> and release announcements is likely to be sent out more often than before. I
> hope everyone sees this as a positive sign, but if not then you can always
> unsubscribe.
> 
> Finally, as always..
> * You can download UnrealIRCd from www.unrealircd.com - Downloads
> * All our releases are signed with our release key 0x9FF03937
> * Thanks everyone for their continued support!
> 
> 

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlPanegACgkQbmdtRX/hmaa33QD8DcVrDy06RwpltKXeMRmlz0Bi
jjcW+fmpe38Tpa/raegA/R2+mlP24Umk4FVNey29j0hFu5/UBwdxUVEAsQg631Gl
=R3Oe
-----END PGP SIGNATURE-----

[Unreal-users] Unreal3.4-alpha1 & Unreal3.2.10.4 released, help us, move to GitHub, ..

From: Bram M. <sy...@vu...> - 2014-07-29 12:16:34

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

There has been a lot of activity on the UnrealIRCd project past few months!

Index
======
* UnrealIRCd 15 years!
* New website
* Survey results
* Help us with development
* UnrealIRCd 3.4
* UnrealIRCd 3.2
* Move to GitHub
* GitHub/Twitter account
* Finally

UnrealIRCd 15 years!
=====================
In May of this year UnrealIRCd celebrated its 15th birthday.
See http://forums.unrealircd.com/viewtopic.php?t=8271 where I thanked all
past coders, contributors and the community (you!) for all the support.
In the same article I also wrote about the past and future development of
UnrealIRCd, openly speaking about the difficulties we have encountered and
the challenges in moving forward.

New website
============
On UnrealIRCd's 15th birthday www.unrealircd.com got a new design as well.
The new website is easier to navigate and just looks a lot more 'clean'.
Thank n0kS for all the work on this.

Survey results
===============
I've made a document summarizing the results of the UnrealIRCd survey. In
total 342 people completed the survey, (almost) all of them were admins
running UnrealIRCd. Thanks *a lot*! This was really useful. The survey
results are (already) used to guide future 3.4.x development.
In general people are really satisfied with UnrealIRCd (49% even gave us a 9
or 10 out of 10), but we can always do better and we got many suggestions.
The UnrealIRCd survey results are available from:
http://www.unrealircd.com/files/UnrealIRCd%20Survey%20results.pdf
(apologies in advance for the lack of fancy graphics)

Help us with development
=========================
I welcome Travis McArthur (Heero) who recently joined as an UnrealIRCd 3.4.x
developer. Travis has already worked on channel mode +d, improving the
module API and modularizing modes and is - besides many other things -
working on documenting the 3.4 Module API to make the source code more
understandable for new (module) coders.

If you are a C programmer and interested in helping out with 3.4.x
development then send an e-mail to sy...@un... and we can discuss.
Even if it's just for the summer vacation you're more than welcome to help.

UnrealIRCd 3.4
===============
This weekend I released the first alpha version of UnrealIRCd 3.4:
3.4-alpha1. Although 3.4 development started well over a year ago, this
version marks the beginning of the alpha series: we plan to release an alpha
version every month or so, the exact release schedule depends highly on the
changes and bugs we encounter.
Since this is an alpha version, and in fact the very first one, we strongly
discourage you to run 3.4-alpha1 on a production network.
However, if you are curious and want to help us by testing and reporting
bugs at http://bugs.unrealircd.org/ then please go ahead and download it.
Just don't be (too) surprised by the bugs you will encounter and if it
crashes from time to time.

Major enhancements in 3.4-alpha1 compared to 3.2.x are:
* We moved a lot of channel and user modes to modules, while at the same
time improving the module system as a whole. This means A) You can now
easily choose not to load a particular feature if you don't like it (we will
be moving more in next few versions!), B) It makes it easier for coders to
see all source code related to a specific feature, C) Enables you to fix /
"patch" something and reload (the module) rather than needing to restart the
entire IRCd.
* The I/O engine has been rewritten. This makes the IRCd feel a lot more
'responsive' and can potentially accept a lot more users. Still, the entire
system is not as stable as 3.2.x yet.
* The SSL version of the IRCd will now boot even if you have no SSL
certificates. Naturally SSL won't work then, but this means you can safely
compile with SSL support even if you don't intend to use it straight away.
This also means for 3.4.x we only provide the SSL version of Windows
downloads, if you insist on not using SSL then simply don't make a
server.*.pem certificate.
* A new channel mode +d which hides joins/parts for users who don't say
anything in a channel. Whenever a user speaks for the first time they will
appear to join. Channel ops will still see everyone joining normally as if
there was no +d set.
* Behind-the-scenes: A lot of source code cleanups, enhancements, memory
pooling, simplifying the code, all to make the source better and also more
readable for (new) developers. This should make it easier for the community
to contribute patches.
* There have been some configuration changes, Unreal 3.4 will not boot with
your existing 3.2.x unrealircd.conf! Be sure to read the section
CONFIGURATION CHANGES in the Release Notes. In later alpha versions more
configuration changes may be necessary.

This first alpha version contains by no means all of the changes and
features we would like to see in the final version of UnrealIRCd 3.4. There
will be many major changes to come.

UnrealIRCd 3.2
===============
I forgot to send out an announcement to this mailing list for 3.2.10.3 which
was released on the 31st of May.
3.2.10.3 has the following bugs fixed:
* Crash when SASL is enabled and ping-cookie is disabled (a rare combination)
* Compile issue with remote include
* OS X compile problems
* ./unreal backtrace not always working well
Two days ago I released another update: 3.2.10.4. This fixes the following
two major issues:
* Compile problems with clang, which is the default compiler on a number of
systems nowadays.
* Newer services like anope 2.0 allow you to log in by account name, this
means you don't necessarily get user mode +r (registered nick). Previously
even if you logged in to anope you could still not join +R channels
("registered only") or speak in +M channels ("only registered users may
speak"). Now this has been fixed.

In addition to these two issues, the OpenSSL/curl/.. libraries for the
Windows build have also been updated to the latest versions. Plus an update
to the shipped curl-ca-bundle.crt, which now contains the latest certificates.

If you are not encountering any of the issues from above then there's little
reason to upgrade from 3.2.10.2 or 3.2.10.3.

Move to GitHub
===============
To give UnrealIRCd development more exposure and make it easier for people
to contribute we decided to move our source code over to GitHub. This was
actually one of the suggestions that came out of the UnrealIRCd survey.
This means from now on the Mercurial repository is no longer functional.
See this FAQ item http://www.unrealircd.com/faq.php#82 for more information
on how to access the 'bleeding edge' source code.
Or go directly to our GitHub page on
https://github.com/unreal-ircd/unrealircd

Note that the bug tracker, downloads, and all the rest of the project will
stay at www.unrealircd.com. It is only our repository (source code) which
moved to GitHub.

GitHub/Twitter account
=======================
We are searching for the owner of the 'unrealircd' account on GitHub, and
similarly the owner of @unrealircd on Twitter. We already sent a message to
both accounts but received no response.
Presumably these accounts were registered in advance with good intentions,
ensuring nobody else could take them, as a placeholder until the project
needs it.
That moment is now, if you are the owner of one of these accounts (or know
who is) then please contact sy...@un...

Finally
========
I'm really glad to see all the activity on the UnrealIRCd project as a whole
and on 3.4.x in particular. I hope more people will jump in to help out,
either as a developer or simply by testing the 3.4.x releases and reporting
bugs or giving suggestions.
Since there's a lot more activity now, especially on 3.4.x, this newsletter
and release announcements is likely to be sent out more often than before. I
hope everyone sees this as a positive sign, but if not then you can always
unsubscribe.

Finally, as always..
* You can download UnrealIRCd from www.unrealircd.com - Downloads
* All our releases are signed with our release key 0x9FF03937
* Thanks everyone for their continued support!

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlPXiQUACgkQbmdtRX/hmaa8IwD+J9q33qqkJZDZyTTwh0wrdV+E
GGJ/QslQQSiMWfDrwwAA/iEdS2glthzCqfVz6LC6ubzL5yBOMfbtQ0xQWCcOi1Fc
=cRML
-----END PGP SIGNATURE-----

Re: [Unreal-users] SSL Heartbleed security issue & UnrealIRCd

From: Bram M. <sy...@vu...> - 2014-04-09 07:35:36

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Below are some very important additions to previous advisory:

With regards to *NIX:
Some Linux distros (including Debian and Ubuntu) fixed the issue but didn't
update their OpenSSL version. This means they won't show up as the safe
'1.0.0g' version even though they are indeed fixed. So, if you installed the
OpenSSL security update, restarted the IRCd, and still see the old version
in UnrealIRCd then you'll simply have to assume you're safe now.

Regarding the exploit:
The exploit was already out there, it is unknown for how long, but the bug
itself has been in OpenSSL since March 2012. The exploit I found only needed
some minor modifications to work with UnrealIRCd.
When testing the exploit I can indeed see server memory being exposed. This
includes memory of OpenSSL and possibly (likely) some key material. On some
servers I could also see short phrases of text that other users had been
saying. This is all possible without actually getting online as a user on
IRC. And again, this issue exists on any SSL-capable server, not just
UnrealIRCd.

This brings us to a (rather drastic) recommendation:

AFTER YOU HAVE UPGRADED ALL YOUR SERVERS WE RECOMMEND YOU TO GENERATE A NEW
SSL CERTIFICATE & KEYS. I highly recommend this because there's no way to
tell if your private key has been retrieved by someone due to this
vulnerability.
This recommendation is not unique to UnrealIRCd or even IRC, the same
applies to apache, exim, and any other service that was using a vulnerable
OpenSSL. That's why other software makers are actually recommending the same.

HOW TO GENERATE A NEW SSL CERTIFICATE & KEYS
=============================================
If you are using a self-signed certificate, like most people, then see
below. Otherwise, if you are using an SSL certificate that has been signed
by a Certificate Authority then you should already know how to make and get
a new one.

Windows:
Start -> Programs -> UnrealIRCd -> Make Certificate

*NIX:
Run 'make pem' in your Unreal3.2.x directory. After that use 'make install'
if you installed UnrealIRCd in a different directory.

HOW TO ACTUALLY USE THE NEW SSL CERTIFICATE & KEYS
===================================================
Once you have made/installed the new certificate and keys, /OPER up on your
server and run:
/REHASH -ssl
You should see:
*** Notice -- [SSL rehash] XYZ (none@some.host) requested a reload of all
SSL related data (/rehash -ssl)
That's it. You should not see any errors.

There's no need to restart UnrealIRCd (again) if you only want to reload the
certificate and keys. This can be reloaded on the fly with /REHASH -ssl.


Bram Matthys wrote, on 8-4-2014 18:56:
> Hi all,
> 
> A serious issue in OpenSSL was reported yesterday, the so called
> 'Heartbleed' bug (CVE-2014-0160).
> This bug is very serious because it gives remote users the ability to read
> highly sensitive data from memory from programs using OpenSSL. This includes
> private SSL keys, passwords, etc.
> 
> There's a lot of media attention regarding this bug, and a lot of attention
> from hackers. It's likely that there is or very soon will be an active
> exploit available. We therefore suggest to take this matter seriously and
> not delay fixing it (IF you are affected, read on..).
> 
> UNREALIRCD & HEARTBLEED
> ========================
> UnrealIRCd uses the OpenSSL library for all it's SSL/TLS functionality. So
> if you are using an UnrealIRCd version with SSL support then you may be
> vulnerable to this serious security issue.
> 
> Note that even if you are not actively using SSL/TLS, even if you have no
> SSL listen ports, just the simple fact that you COMPILED WITH OpenSSL
> support means you may be affected.
> 
> In fact, even if your server is completely password protected, like a hub.
> Even then, if you are running a vulnerable version of OpenSSL then you are
> still affected.
> 
> HOW TO CHECK IF YOU ARE USING OPENSSL AND WHICH VERSION
> ========================================================
> Windows users who already know they are using the SSL version of UnrealIRCd
> can take a shortcut here: UnrealIRCd 3.2.9-SSL and later on Windows are all
> vulnerable, skip directly to 'I AM VULNERABLE - WHAT TO DO?'.
> 
> Best way to check if you are vulnerable is to execute '/VERSION' as an IRC
> Operator (IRCOp) on your server and verify the OpenSSL version.
> 
> As IRCOp you can also check other servers for OpenSSL on your network by using:
> /VERSION [remote server name]
> 
> This should output the UnrealIRCd version (eg: Unreal3.2.10.2) and some more:
> 
> 1) If you have SSL enabled then you will see something like:
> [17:58:04] -serv.er.name- OpenSSL A.B.Cd [Some Date]
> Continue reading under 'I AM USING SSL - AM I VULNERABLE?'...
> 
> 2) If you are an IRCOp, you did /VERSION, and you did not see any line with
> 'OpenSSL' in it, then this means OpenSSL support is not compiled in and you
> are safe. You don't need to take any action and can stop reading.
> 
> Note that if you are NOT an IRCOp then no OpenSSL version information will
> be displayed. Therefore it's important you execute the /VERSION command as
> IRCOp.
> 
> I AM USING SSL - AM I VULNERABLE?
> ==================================
> The following OpenSSL versions have the security issue:
> * 1.0.1 up to and including 1.0.1f (so: 1.0.1a, 1.0.1b, etc..)
> * 1.0.2-beta1
> 
> The following versions are safe:
> * Any version before 1.0.1, so 1.0.0x or 0.9.8etc...
> * 1.0.1g (which has just been released on April 7, 2014)
> 
> If you are using any such 'safe' version, then you don't need to take any
> action.
> 
> I AM VULNERABLE - WHAT TO DO?
> ==============================
> If you are indeed using 1.0.1-1.0.1f then you are affected by this security
> issue.
> 
> Windows
> --------
> Simply re-download the package from http://www.unrealircd.com/
> The installer will show 'Unreal3.2.10.2-SSL with Heartbeat fix', and once
> installed you will see (by using /VERSION as IRCOp) the OpenSSL version is
> 1.0.1g.
> 
> Linux / *NIX
> -------------
> Update your system the usual way. This depends on your OS and distribution.
> On Debian/Ubuntu it's 'apt-get update; apt-get upgrade', while on
> Redhat-based systems 'yum' is used, etc...
> If you don't have root on your system, consult your (shell) provider.
> 
> You normally don't need to recompile UnrealIRCd. But once you installed an
> updated version of OpenSSL you must RESTART UnrealIRCd. A simple /REHASH is
> not sufficient.
> After UnrealIRCd has been restarted, verify that your OpenSSL version is
> indeed safe now. You can see the OpenSSL version in the boot screen of
> ./unreal start, or check it by running /VERSION as IRCOp as mentioned earlier.
> 
> TIMELINE
> =========
> [2014-04-07 18:39 GMT] OpenSSL Security advisory
> [2014-04-08 15:39 GMT] UnrealIRCd windows download replaced
> [2014-04-08 16:55 GMT] UnrealIRCd advisory e-mail sent out
> 
> UPDATES
> ========
> The following URL contains a copy of this advisory, and any updates to it:
> http://forums.unrealircd.com/viewtopic.php?f=1&t=8265
> 
> 

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlNE8JkACgkQbmdtRX/hmaaT6QD/YxbkLo/vZ/6Acpxy+MR0vusM
fzXdJHSuQHkkwdIuv2MA/1O8P1GwpvRtNNV4/6Co/+8ZdzXkHmImQYG9dU6G4dLw
=/G8k
-----END PGP SIGNATURE-----

[Unreal-users] SSL Heartbleed security issue & UnrealIRCd

From: Bram M. <sy...@un...> - 2014-04-08 17:35:35

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

A serious issue in OpenSSL was reported yesterday, the so called
'Heartbleed' bug (CVE-2014-0160).
This bug is very serious because it gives remote users the ability to read
highly sensitive data from memory from programs using OpenSSL. This includes
private SSL keys, passwords, etc.

There's a lot of media attention regarding this bug, and a lot of attention
from hackers. It's likely that there is or very soon will be an active
exploit available. We therefore suggest to take this matter seriously and
not delay fixing it (IF you are affected, read on..).

UNREALIRCD & HEARTBLEED
========================
UnrealIRCd uses the OpenSSL library for all it's SSL/TLS functionality. So
if you are using an UnrealIRCd version with SSL support then you may be
vulnerable to this serious security issue.

Note that even if you are not actively using SSL/TLS, even if you have no
SSL listen ports, just the simple fact that you COMPILED WITH OpenSSL
support means you may be affected.

In fact, even if your server is completely password protected, like a hub.
Even then, if you are running a vulnerable version of OpenSSL then you are
still affected.

HOW TO CHECK IF YOU ARE USING OPENSSL AND WHICH VERSION
========================================================
Windows users who already know they are using the SSL version of UnrealIRCd
can take a shortcut here: UnrealIRCd 3.2.9-SSL and later on Windows are all
vulnerable, skip directly to 'I AM VULNERABLE - WHAT TO DO?'.

Best way to check if you are vulnerable is to execute '/VERSION' as an IRC
Operator (IRCOp) on your server and verify the OpenSSL version.

As IRCOp you can also check other servers for OpenSSL on your network by using:
/VERSION [remote server name]

This should output the UnrealIRCd version (eg: Unreal3.2.10.2) and some more:

1) If you have SSL enabled then you will see something like:
[17:58:04] -serv.er.name- OpenSSL A.B.Cd [Some Date]
Continue reading under 'I AM USING SSL - AM I VULNERABLE?'...

2) If you are an IRCOp, you did /VERSION, and you did not see any line with
'OpenSSL' in it, then this means OpenSSL support is not compiled in and you
are safe. You don't need to take any action and can stop reading.

Note that if you are NOT an IRCOp then no OpenSSL version information will
be displayed. Therefore it's important you execute the /VERSION command as
IRCOp.

I AM USING SSL - AM I VULNERABLE?
==================================
The following OpenSSL versions have the security issue:
* 1.0.1 up to and including 1.0.1f (so: 1.0.1a, 1.0.1b, etc..)
* 1.0.2-beta1

The following versions are safe:
* Any version before 1.0.1, so 1.0.0x or 0.9.8etc...
* 1.0.1g (which has just been released on April 7, 2014)

If you are using any such 'safe' version, then you don't need to take any
action.

I AM VULNERABLE - WHAT TO DO?
==============================
If you are indeed using 1.0.1-1.0.1f then you are affected by this security
issue.

Windows
- --------
Simply re-download the package from http://www.unrealircd.com/
The installer will show 'Unreal3.2.10.2-SSL with Heartbeat fix', and once
installed you will see (by using /VERSION as IRCOp) the OpenSSL version is
1.0.1g.

Linux / *NIX
- -------------
Update your system the usual way. This depends on your OS and distribution.
On Debian/Ubuntu it's 'apt-get update; apt-get upgrade', while on
Redhat-based systems 'yum' is used, etc...
If you don't have root on your system, consult your (shell) provider.

You normally don't need to recompile UnrealIRCd. But once you installed an
updated version of OpenSSL you must RESTART UnrealIRCd. A simple /REHASH is
not sufficient.
After UnrealIRCd has been restarted, verify that your OpenSSL version is
indeed safe now. You can see the OpenSSL version in the boot screen of
./unreal start, or check it by running /VERSION as IRCOp as mentioned earlier.

TIMELINE
=========
[2014-04-07 18:39 GMT] OpenSSL Security advisory
[2014-04-08 15:39 GMT] UnrealIRCd windows download replaced
[2014-04-08 16:55 GMT] UnrealIRCd advisory e-mail sent out

UPDATES
========
The following URL contains a copy of this advisory, and any updates to it:
http://forums.unrealircd.com/viewtopic.php?f=1&t=8265

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlNEKlcACgkQbmdtRX/hmaYVOAD9GTCVWHtoBEGorShJ/7EViC2k
AIpbUcBKl12HGEQY7+0A/RF/4rJDRkd/ErSMudaarWKzPCkkLfRcQ2ZmmeBIKhTS
=lY4b
-----END PGP SIGNATURE-----

[Unreal-users] Unreal3.2.10.2 released

From: Bram M. <sy...@un...> - 2013-11-23 13:03:22

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello everyone,

We have released a second update to latest stable: UnrealIRCd 3.2.10.2

This version contains a number of important fixes. In particular:
* A remote crash issue when compiled with SSL (NULL pointer dereference)
* A second issue that can potentially lead to a crash (read-after-free)

These bugs are present in UnrealIRCd 3.2.10 and 3.2.10.1.
Previous versions, such as 3.2.9, are unaffected.

Other than that, there are also improvements in the area of server linking
and some flood hardening.

Unfortunately the upgrade will require an IRCd restart, as part of the
problem lies in the core.

We recommend all 3.2.10 & 3.2.10.1 users to upgrade somewhere in the next
few weeks, especially if you have SSL/TLS enabled.

This release announcement (and any updates to it) can be found at
http://forums.unrealircd.com/viewtopic.php?t=8221

Full release notes can be found at
http://www.unrealircd.com/txt/unreal3_2_10_2_release_notes.txt

As always, you can download UnrealIRCd from http://www.unrealircd.com/

- -- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlKQoU4ACgkQbmdtRX/hmaa5aAD/W7gyG5jX0B1K5hIe3ALPPyv1
w3iwlmiWgk+9X2DXcBIBAIClgVbkwV8Y40U2KgFmlnon0NYU1wKhNxDMHxHqU45t
=JeeK
-----END PGP SIGNATURE-----

133 messages has been excluded from this view by a project administrator.

Flat | Threaded

1 2 3 .. 154 > >> (Page 1 of 154)