X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git;a=blobdiff_plain;f=ChangeLog;h=5920316d9eb5fe2c08b633c914b2ebd767b64c54;hp=15a50a9ab25bb366278e4a71d2f7d10a9d0a9e4f;hb=refs%2Fheads%2Fbranch-20.x;hpb=a445abc10eeaaf3a082188e13332fb1e2eba897e diff --git a/ChangeLog b/ChangeLog index 15a50a9a..5920316d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,14 +2,65 @@ ngIRCd - Next Generation IRC Server http://ngircd.barton.de/ - (c)2001-2012 Alexander Barton and Contributors. + (c)2001-2013 Alexander Barton and Contributors. ngIRCd is free software and published under the terms of the GNU General Public License. -- ChangeLog -- -ngIRCd 20 +ngIRCd 20.3 (2013-08-23) + + - Security: Fix a denial of service bug (server crash) which could happen + when the configuration option "NoticeAuth" is enabled (which is NOT the + default) and ngIRCd failed to send the "notice auth" messages to new + clients connecting to the server (CVE-2013-5580). + +ngIRCd 20.2 (2013-02-15) + + - Security: Fix a denial of service bug in the function handling KICK + commands that could be used by arbitrary users to to crash the daemon + (CVE-2013-1747). + - WHO command: Use the currently "displayed hostname" (which can be cloaked!) + for hostname matching, not the real one. In other words: don't display all + the cloaked users on a specific real hostname! + - configure: The header file "netinet/in_systm.h" already is optional in + ngIRCd, so don't require it in the configure script. Now ngIRCd can be + built on Minix 3 again :-) + - Return better "Connection not registered as server link" errors: Now ngIRCd + returns a more specific error message for numeric ERR_NOTREGISTERED(451) + when a regular user tries to use a command that isn't allowed for users but + for servers. + - Don't report ERR_NEEDMOREPARAMS(461) when a MDOE command with more modes + than nicknames is handled, as well as for channel limit and key changes + without specifying the limit or key parameters. + This is how a lot (all?) other IRC servers behave, including ircd2.11, + InspIRCd, and ircd-seven. And because of clients (tested with Textual and + mIRC) sending bogus MODE commands like "MODE -ooo nick", end-users got the + expected result as well as correct but misleading error messages ... + - Correctly detect when SSL subsystem must be initialized and take + outgoing connections (server links!) into account, too. + - autogen.sh: Enforce serial test harness on GNU automake >=1.13. The + new parallel test harness which is enabled by default starting with + automake 1.13 isn't compatible with our test suite. + And don't use "egrep -o", insetead use "sed", because it isn't portable + and not available on OpenBSD, for example. + +ngIRCd 20.1 (2013-01-02) + + - Allow ERROR command on server and service links only, ignore them and + add a penalty time on all other link types. + - Enforced mode setting by IRC Operators: Only check the channel user + modes of the initiator if he is joined to the channel and not an IRC + operator enforcing modes (which requires the configuration option + "OperCanUseMode" to be enabled), because trying to check channel user + modes of a non-member results in an assertion when running with debug + code or could crash the daemon otherwise. This closes bug #147, thanks + to James Kirwill for tracking this down! + - Fix build system to cope with spaces in path names. + - Code cleanups, mostly to fix build warnings on Cygwin. + +ngIRCd 20 (2012-12-17) - Allow user names ("INDENT") up to 20 characters when ngIRCd has not been configured for "strict RFC mode". This is useful if you are using