UnrealIRCd 5.2.1 released & small security issue

Post by Syzop »

Hi everyone,

New release: UnrealIRCd 5.2.1
UnrealIRCd 5.2.1 is out! Although it has been only a month since 5.2.0, this release comes with several new features and some major bug fixes. See the release notes for full details.
If you are on 5.0.9 or 5.2.0(.x) then you can easily upgrade by running the command: ./unrealircd upgrade
Of course, as always, you can (also) download UnrealIRCd from https://www.unrealircd.org/

EDIT: was released 24hrs after 5.2.1 which fixes SASL services autodetection and mechlist in 5.2.1. If you already upgraded then you can use the command "./unrealircd hot-patch saslmechlist" to fix this issue without restart.

Do I need to upgrade?
For more information on the end of 5.0.x and upgrading to 5.2.x, see FAQ: About the new 5.2.x series.
Admins who wish to take a conservative approach still don't need to rush to upgrade from 5.0.x to 5.2.1; they can wait for 5.2.2. If you decide not to upgrade right now, then be sure to read about the small security issue below.

Small security issue
UnrealIRCd 5.0.9, 5.2.0(.x) and 5.2.1-rc1 have an incorrect built-in ban exception for "127.*" which was intended to exempt localhost (""). Unfortunately, the obvious fact was overlooked that this can also match hostnames such as "127.something.example.org", allowing such users to bypass kline, gline and shun. This bug is fixed in 5.2.1, but it can also be fixed without upgrading to 5.2.1.
If you are on 5.0.9, 5.2.0.x or 5.2.1-rc1 then simply run the following command and it will fix the issue without the need to restart UnrealIRCd:

./unrealircd hot-patch exemptlocalhost
After that you can verify on IRC, as an IRCOp, with the command "STATS except" that the incorrect ban exception on "*@127.*" is gone and the good one on "*@" is listed.
On a side note, even without this patch, you could always have banned these users via GZLINE and KILL.
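
The mask problem described above, as an added example that is not part of the original post and is not UnrealIRCd code: a simplified model in which an exception mask is tested against both a client's IP address and its resolved hostname. The client list is constructed sample data, and the exact-address mask "*@127.0.0.1" is an assumption used here for contrast.

```python
import ipaddress
import re


def mask_to_regex(mask):
    """Translate an IRC-style mask ('*' and '?' wildcards only) into a regex."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def mask_matches(mask, user, host):
    """True if the whole 'user@host' string matches the mask."""
    return mask_to_regex(mask).fullmatch(f"{user}@{host}") is not None


def is_exempt(mask, client):
    """Simplified model: the mask is tried against the IP and the hostname."""
    _nick, user, ip, hostname = client
    return mask_matches(mask, user, ip) or mask_matches(mask, user, hostname)


def unintended_exemptions(mask, clients):
    """Nicks covered by the exception although their IP is not loopback."""
    return [c[0] for c in clients
            if is_exempt(mask, c) and not ipaddress.ip_address(c[2]).is_loopback]


# Constructed sample clients: (nick, ident, ip, resolved hostname)
CLIENTS = [
    ("localsvc", "svc", "127.0.0.1", "localhost"),
    ("remote1", "u1", "203.0.113.7", "127.something.example.org"),
    ("remote2", "u2", "198.51.100.9", "host.example.net"),
]

if __name__ == "__main__":
    for mask in ("*@127.*", "*@127.0.0.1"):
        print(mask, "->", unintended_exemptions(mask, CLIENTS) or "loopback only")
```

The same check can be run over any list of exception masks to find ones whose wildcard part could be satisfied by a hostname rather than an address.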