UnrealIRCd 4.0.10 released

News about the UnrealIRCd project, including release announcements
Post Reply
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

UnrealIRCd 4.0.10 released

Post by Syzop »

UnrealIRCd 4.0.10 is now available for download. Nine modules have been added to UnrealIRCd. One of them brings support for WebSockets so you can access IRC directly from your web browser. A very crude UnrealIRCd + WebSocket example is available here and should work on most browsers, including mobile. I've also created a forum thread to discuss the new WebSocket support.

A number of bugs have been fixed as well. In particular a bug in all 4.0.x versions where occasionally incorrect bans would be added during server linking, such as "a!b" (note the lack of "@"), and it was then impossible to remove these bans. In 4.0.10 code has been changed so these bans are always rejected.

Users who have tested websockets with rc1 or rc2 should upgrade to 4.0.10 as some major bugs were fixed in the websocket module.

In the interest of full disclosure: one bug fixed in this release is a buffer overflow. However, on all tested Windows, Linux and FreeBSD installations it was not possible to cause remote code execution or elevation of privileges. Main reason being that there are very big buffers behind the buffer being overflowed and you can only overflow a limited number of bytes. Additionally, if this would not have been the case, UnrealIRCd 4.0.8 and later would have provided protection against the attack due to the included hardening. Therefore I'm releasing this version as a regular stable release with no "you must upgrade ASAP" kind of comment. UnrealIRCd 4.0.10 adds some interesting features, however, and fixes some major bugs, so I still encourage anyone to upgrade at a suitable time.

Improvements:
  • Added "websocket" module. This provides support for WebSocket (RFC6455), allowing JavaScript (internet browsers) to connect directly to IRC without the need of a 'gateway'. This module is experimental and not loaded by default. See https://www.unrealircd.org/docs/WebSocket_support for more information. This module was sponsored by Aberrant Software Inc.
  • UnrealIRCd already has the ability to configure SSL settings via the set::ssl block. Now you can also override these settings for a link block and listen block. One possible use for this would be having a long-lived self-signed certificate for server linking on a serversonly port, and a short-lived certificate for your users on the other ports (such as a certificate from Let's Encrypt). Another example would be to force TLSv1.2 for server linking but not for users. Etc. Etc. General settings (already existed) are in the set::ssl block: https://www.unrealircd.org/docs/Set_blo ... ertificate Per-port settings go via listen::ssl-options: https://www.unrealircd.org/docs/Listen_block Per-link block settings go via link::outgoing::ssl-options: https://www.unrealircd.org/docs/Link_block
  • You can now exempt IP's from (DNSBL) blacklist checking via: except blacklist { mask 1.2.3.4; };
  • All free modules from vulnscan.org (by Syzop) are now included in UnrealIRCd itself. Note that only the "privdeaf" and "jumpserver" modules are loaded by default. The others you will need to load explicitly. The new modules are:
Major issues fixed
  • Incorrect bans being added during server linking, these were then impossible to remove
  • Compile fixes for Ubuntu 16 LTS / gcc 5.4.x
  • Crash if you had an invalid crypt password in your unrealircd.conf
  • Crash if you did not load the chanmodes/nocolor module or changed the order in which modules were loaded
Minor issues fixed
  • Delayjoin (channel mode +D) sending QUITs for hidden users, double JOIN's, etc.
  • You no longer need to place 'class' blocks before 'allow' blocks
  • Some error messages were not throttled
  • WHO now supports multi-prefix
  • Date in Windows log file for the first few messages was always 1970.
For services and module coders:
  • Services coders: "SVSMODE Nick +d" will now mark a client as deaf. Don't confuse this with "SVSMODE Nick +d <svid>". The parameter makes all the difference.
  • Module coders: changed return value handling of HOOKTYPE_RAWPACKET_IN -1 indicates to stop parsing (return) and 0 indicates don't parse but proceed to next packet. If you kill a client in this hook then be sure to return -1.
Other notable things: As always, you can download UnrealIRCd from www.unrealircd.org.
Post Reply