ngIRCd Release 20.2

(cherry picked from commit c45d9dd1f08fddb95fa01d62c69848cd753a3161)

diff --git a/ChangeLog b/ChangeLog
index a4cfdb91ea07ab432ce23eb6aafdcf06433b06f1..08d337fa72e47940a87f34f74ded362ece29f23e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,35 @@
                                -- ChangeLog --
 
 
+ngIRCd 20.2 (2013-02-15)
+
+  - Security: Fix a denial of service bug in the function handling KICK
+    commands that could be used by arbitrary users to to crash the daemon.
+  - WHO command: Use the currently "displayed hostname" (which can be cloaked!)
+    for hostname matching, not the real one. In other words: don't display all
+    the cloaked users on a specific real hostname!
+  - configure: The header file "netinet/in_systm.h" already is optional in
+    ngIRCd, so don't require it in the configure script. Now ngIRCd can be
+    built on Minix 3 again :-)
+  - Return better "Connection not registered as server link" errors: Now ngIRCd
+    returns a more specific error message for numeric ERR_NOTREGISTERED(451)
+    when a regular user tries to use a command that isn't allowed for users but
+    for servers.
+  - Don't report ERR_NEEDMOREPARAMS(461) when a MDOE command with more modes
+    than nicknames is handled, as well as for channel limit and key changes
+    without specifying the limit or key parameters.
+    This is how a lot (all?) other IRC servers behave, including ircd2.11,
+    InspIRCd, and ircd-seven. And because of clients (tested with Textual and
+    mIRC) sending bogus MODE commands like "MODE -ooo nick", end-users got the
+    expected result as well as correct but misleading error messages ...
+  - Correctly detect when SSL subsystem must be initialized and take
+    outgoing connections (server links!) into account, too.
+  - autogen.sh: Enforce serial test harness on GNU automake >=1.13. The
+    new parallel test harness which is enabled by default starting with
+    automake 1.13 isn't compatible with our test suite.
+    And don't use "egrep -o", insetead use "sed", because it isn't portable
+    and not available on OpenBSD, for example.
+
 ngIRCd 20.1 (2013-01-02)
 
   - Allow ERROR command on server and service links only, ignore them and

diff --git a/NEWS b/NEWS
index be743e681266239fc91caf1265f7e59b94e4acea..38f6029c5b32b397d3522d258da919f74aa109df 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,12 @@
                                   -- NEWS --
 
 
+ngIRCd 20.2 (2013-02-15)
+
+  - This release is a bugfix release only, without new features.
+  - Security: Fix a denial of service bug in the function handling KICK
+    commands that could be used by arbitrary users to to crash the daemon.
+
 ngIRCd 20.1 (2013-01-02)
 
   - This release is a bugfix release only, without new features.

diff --git a/contrib/Debian/changelog b/contrib/Debian/changelog
index 03c3df6804d0d863f5f0ee2bd6879893cb6454d4..2e39af03bb82030ea810427f700f846e0e851f83 100644 (file)
--- a/contrib/Debian/changelog
+++ b/contrib/Debian/changelog
@@ -1,3 +1,9 @@
+ngircd (20.2-0ab1) unstable; urgency=high
+
+  * New "upstream" release, fixing a security related bug: ngIRCd 20.2.
+
+ -- Alexander Barton <alex@barton.de>  Fri, 15 Feb 2013 12:17:00 +0100
+
 ngircd (20.1-0ab1) unstable; urgency=low
 
   * New "upstream" release: ngIRCd 20.1.

diff --git a/contrib/ngircd.spec b/contrib/ngircd.spec
index fa0a6a1527dc7deddaf70e53e7005bda7a9a3a18..e2448a42c9108d05751665d95f4cbe3450e63b9d 100644 (file)
--- a/contrib/ngircd.spec
+++ b/contrib/ngircd.spec
@@ -1,5 +1,5 @@
 %define name    ngircd
-%define version 20.1
+%define version 20.2
 %define release 1
 %define prefix  %{_prefix}