We have released UnrealIRCd 4.0.11 which addresses this issue (among some other less serious issues). There is also a "hot fix" available so you can patch your server without requiring an UnrealIRCd restart. See below.
We recommend that *NIX users apply the "hot fix" as soon as possible (see below). Windows users are unaffected.
How to get the fix/patch?
For Windows there is no urgent need to upgrade, but you can install UnrealIRCd 4.0.11.
Linux/BSD/.. users can also install 4.0.11, or they can choose to patch UnrealIRCd on-the-fly without a restart.
Since the patch is usually the easiest and most user-friendly solution, we recommend it.
Run the following on the IRC shell:
wget http://www.unrealircd.org/patch/isonpatcher && sh isonpatcher
Have there been any reports of these bugs being abused by anyone?
Not yet. But the issue is easy to trigger, so don't wait for it.
Should I upgrade?
Yes. If you are affected (see Affected versions above) then you should upgrade or install the hot-fix as soon as possible.
Are there any workarounds so I don't have to upgrade?
On *NIX, use the hot fix / patch so you don't need to restart UnrealIRCd.
Can I upgrade without restarting the IRC server?
On Linux/BSD/.. yes. Run the following on the shell:
wget http://www.unrealircd.org/patch/isonpatcher && sh isonpatcher
If, for whatever reason, you don't want to use the simple patchscript from above then you can download the .tar.gz here instead.
Extract it somewhere and look at the contents. Among other things it contains isonfix.patch. Apply that patch, recompile and rehash your UnrealIRCd.
This is exactly what the patch script would do.
How serious is this bug?
Any connected user can crash the IRCd. A user who cannot get on the IRCd (e.g. a password-protected hub) cannot trigger the crash.
When were these issues reported?
This issue was reported 36 hours ago. The issue was confirmed less than 24 hours ago and a fix was created today.
Updates to this advisory
Small corrections/updates will be posted here, if any.