We have released UnrealIRCd 4.0.9, which addresses this issue. There is also a "hot fix" available so you can patch your server without restarting UnrealIRCd. See below.
We recommend that you apply the "hot fix" or upgrade some time this weekend. It is better to do a peaceful, planned upgrade soon than to rush one later while people are abusing this bug.
Affected versions
All UnrealIRCd 4.0.x versions before 4.0.9
How to get the fix/patch?
Windows users should download and install UnrealIRCd 4.0.9.
Linux/BSD/... users can also install 4.0.9, or you can patch the running UnrealIRCd on the fly without a restart.
Since the patch is usually the easiest and most user-friendly solution, we recommend it. Note that the command below fetches the script over plain HTTP and runs it straight away; if your threat model warrants it, download it first, read it, and then run it.
Run the following in a shell on the IRC server:
wget http://www.unrealircd.org/patch/ghostpatcher && sh ghostpatcher
Have there been any reports of these bugs being abused by anyone?
Not yet.
Should I upgrade?
The attack is very detectable, but we do recommend an upgrade/hot-fix. It's better to do a peaceful planned upgrade than having to rush an upgrade later while people are abusing this bug.
Are there any workarounds so I don't have to upgrade?
On *NIX, use the hot fix / patch so you don't need to restart UnrealIRCd.
Can I upgrade without restarting the IRC server?
On Windows, no. On Linux/BSD/..., yes. Run the following in a shell on the IRC server:
wget http://www.unrealircd.org/patch/ghostpatcher && sh ghostpatcher
If you would rather apply the fix by hand, open src/modules/m_nick.c in an editor. Around line 478, change:
(void)strlcpy(sptr->name, nick, NICKLEN);
to:
(void)strlcpy(sptr->name, nick, NICKLEN+1);
then rebuild and reload the module. This is exactly the same change the patch script makes.
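The one-byte difference in the size argument matters because strlcpy() copies at most size-1 characters before writing the terminating NUL. The following is an added, self-contained example (not UnrealIRCd code) that reproduces the two calls side by side: the NICKLEN value of 30, the name buffer size of NICKLEN+1 and the irc_strlcpy() helper are all assumptions made for illustration, the helper being a local reimplementation of the BSD strlcpy() contract so that the example builds on libcs that do not ship strlcpy().

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for illustration only; UnrealIRCd defines its own NICKLEN. */
#define NICKLEN 30

/* Local reimplementation of the BSD strlcpy() contract: copy at most size-1
 * bytes, always NUL-terminate (when size > 0), and return strlen(src) so the
 * caller can detect truncation by checking return >= size. Defined here so
 * the example also builds on libcs without strlcpy(). */
static size_t irc_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Assumed client record: room for NICKLEN characters plus the terminator. */
struct client {
    char name[NICKLEN + 1];
};

/* Pre-4.0.9 form: size is one byte smaller than the buffer, so a nick of
 * exactly NICKLEN characters is stored with its last character dropped. */
static size_t set_nick_before(struct client *c, const char *nick)
{
    return irc_strlcpy(c->name, nick, NICKLEN);
}

/* 4.0.9 form: size equals the real buffer size, so NICKLEN characters fit. */
static size_t set_nick_after(struct client *c, const char *nick)
{
    return irc_strlcpy(c->name, nick, NICKLEN + 1);
}

/* strlcpy()-style truncation check: the copy was cut short iff the returned
 * source length is >= the size passed in. */
static int copy_truncated(size_t ret, size_t size)
{
    return ret >= size;
}

/* 1 if the stored name differs from the nick the client asked for. */
static int nick_mismatch(const struct client *c, const char *nick)
{
    return strcmp(c->name, nick) != 0;
}

/* Builds a constructed nick of exactly NICKLEN 'a' characters. */
static void max_len_nick(char *out)
{
    memset(out, 'a', NICKLEN);
    out[NICKLEN] = '\0';
}

int main(void)
{
    struct client c;
    char nick[NICKLEN + 1];
    size_t ret;

    max_len_nick(nick);

    ret = set_nick_before(&c, nick);
    printf("before fix: stored %zu of %zu chars, truncated=%d, mismatch=%d\n",
           strlen(c.name), strlen(nick), copy_truncated(ret, NICKLEN),
           nick_mismatch(&c, nick));

    ret = set_nick_after(&c, nick);
    printf("after fix:  stored %zu of %zu chars, truncated=%d, mismatch=%d\n",
           strlen(c.name), strlen(nick), copy_truncated(ret, NICKLEN + 1),
           nick_mismatch(&c, nick));
    return 0;
}
```

Nicks shorter than NICKLEN are unaffected by either form, which is why the problem only shows up for maximum-length nicks and why checking strlcpy()'s return value against the size you passed is the cheap way to catch this class of off-by-one before it reaches production.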
How serious is this bug?
The bug leads to resource consumption and some user confusion. For a full explanation see the beginning of this announcement, then make your own decision.
When were these issues reported?
This issue was reported less than 24 hours before the fix was released.
Updates to this advisory
Small corrections/updates will be posted here, if any.