From 25b19e08e2083f7b1972820ca4c096687d7eeaca Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Fri, 15 Feb 2013 12:18:02 +0100 Subject: [PATCH] ngIRCd Release 20.2 (cherry picked from commit c45d9dd1f08fddb95fa01d62c69848cd753a3161) --- ChangeLog | 29 +++++++++++++++++++++++++++++ NEWS | 6 ++++++ contrib/Debian/changelog | 6 ++++++ contrib/ngircd.spec | 2 +- 4 files changed, 42 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a4cfdb91..08d337fa 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -9,6 +9,35 @@ -- ChangeLog -- +ngIRCd 20.2 (2013-02-15) + + - Security: Fix a denial of service bug in the function handling KICK + commands that could be used by arbitrary users to to crash the daemon. + - WHO command: Use the currently "displayed hostname" (which can be cloaked!) + for hostname matching, not the real one. In other words: don't display all + the cloaked users on a specific real hostname! + - configure: The header file "netinet/in_systm.h" already is optional in + ngIRCd, so don't require it in the configure script. Now ngIRCd can be + built on Minix 3 again :-) + - Return better "Connection not registered as server link" errors: Now ngIRCd + returns a more specific error message for numeric ERR_NOTREGISTERED(451) + when a regular user tries to use a command that isn't allowed for users but + for servers. + - Don't report ERR_NEEDMOREPARAMS(461) when a MDOE command with more modes + than nicknames is handled, as well as for channel limit and key changes + without specifying the limit or key parameters. + This is how a lot (all?) other IRC servers behave, including ircd2.11, + InspIRCd, and ircd-seven. And because of clients (tested with Textual and + mIRC) sending bogus MODE commands like "MODE -ooo nick", end-users got the + expected result as well as correct but misleading error messages ... + - Correctly detect when SSL subsystem must be initialized and take + outgoing connections (server links!) into account, too. + - autogen.sh: Enforce serial test harness on GNU automake >=1.13. The + new parallel test harness which is enabled by default starting with + automake 1.13 isn't compatible with our test suite. + And don't use "egrep -o", insetead use "sed", because it isn't portable + and not available on OpenBSD, for example. + ngIRCd 20.1 (2013-01-02) - Allow ERROR command on server and service links only, ignore them and diff --git a/NEWS b/NEWS index be743e68..38f6029c 100644 --- a/NEWS +++ b/NEWS 
@@ -9,6 +9,12 @@ -- NEWS -- +ngIRCd 20.2 (2013-02-15) + + - This release is a bugfix release only, without new features. + - Security: Fix a denial of service bug in the function handling KICK + commands that could be used by arbitrary users to to crash the daemon. + ngIRCd 20.1 (2013-01-02) - This release is a bugfix release only, without new features. diff --git a/contrib/Debian/changelog b/contrib/Debian/changelog index 03c3df68..2e39af03 100644 --- a/contrib/Debian/changelog +++ b/contrib/Debian/changelog @@ -1,3 +1,9 @@ +ngircd (20.2-0ab1) unstable; urgency=high + + * New "upstream" release, fixing a security related bug: ngIRCd 20.2. + + -- Alexander Barton Fri, 15 Feb 2013 12:17:00 +0100 + ngircd (20.1-0ab1) unstable; urgency=low * New "upstream" release: ngIRCd 20.1. diff --git a/contrib/ngircd.spec b/contrib/ngircd.spec index fa0a6a15..e2448a42 100644 --- a/contrib/ngircd.spec +++ b/contrib/ngircd.spec @@ -1,5 +1,5 @@ %define name ngircd -%define version 20.1 +%define version 20.2 %define release 1 %define prefix %{_prefix} -- 2.39.2
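Review bot: In the ChangeLog hunk, the 20.2 security entry for the KICK handler does not say which earlier releases are affected, so an operator reading it cannot tell whether a given deployment needs the update; consider adding the affected version range and a pointer to the fixing commit. The same hunk has three typos to correct before tagging: "to to crash", "a MDOE command" (should be MODE), and "insetead". In the autogen.sh entry, "instead use "sed", because it isn't portable" reads as if sed were the non-portable tool; reword so that it is clear "egrep -o" is the one missing on OpenBSD.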
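Review bot: In the NEWS hunk, the first bullet calls 20.2 "a bugfix release only" while the second bullet describes a denial of service that arbitrary users can trigger, which undersells the release to anyone who reads only the first line; put the security item first or say explicitly that upgrading is recommended. The "to to crash" typo is repeated here from ChangeLog and should be fixed in both places.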
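Review bot: In the contrib/Debian/changelog hunk, the entry sets urgency=high but gives the reason only as "a security related bug"; name the KICK denial of service here, as ChangeLog and NEWS do, so that package users can see from the package changelog alone why the upload is urgent.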