Unreal IRCd & the 05-Jun-2014 OpenSSL vulns

These are old archives. They are kept for historic purposes only.
r3mbr4ndt
Posts: 29
Joined: Wed Mar 16, 2005 2:15 pm

Unreal IRCd & the 05-Jun-2014 OpenSSL vulns

Post by r3mbr4ndt »

As far as the Windows version goes, can I just update some DLLs? Or will there be a new download package made like was done for Heartbleed?

Thanks,
r3m
Defunct...
Updated Win32 libs, binaries and easy to
use compile script for Visual Studio .NET
http://unreal.hates.tv
Stealth
Head of Support
Posts: 2085
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Re: Unreal IRCd & the 05-Jun-2014 OpenSSL vulns

Post by Stealth »

What version of OpenSSL is your server running? You may find out by doing a /version as an oper on your server.

If you have OpenSSL version 1.0.0 or 1.0.1, you'll need to wait until we can get together a new release or patch for Windows. You can try to replace the OpenSSL DLL files, though as I recall they need to be compiled with specific parameters to be compatible with UnrealIRCd.

If you have any other version of OpenSSL, you're safe.
r3mbr4ndt
Posts: 29
Joined: Wed Mar 16, 2005 2:15 pm

Re: Unreal IRCd & the 05-Jun-2014 OpenSSL vulns

Post by r3mbr4ndt »

OpenSSL 1.0.1g 7 Apr 2014
Stealth
Head of Support
Posts: 2085
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Re: Unreal IRCd & the 05-Jun-2014 OpenSSL vulns

Post by Stealth »

We have looked into the advisory, and it appears 6 of the 7 issues reported do not apply to UnrealIRCd. The issue that applies is the vulnerability in MITM which requires both the server AND client to be running a vulnerable version of OpenSSL to work. We will update the Windows compile with new OpenSSL libraries (DLLs) with the next update to UnrealIRCd (perhaps 2-3 weeks).

In the meantime, I recommend updating OpenSSL on the systems you use to IRC with, as just having your client up to date will keep you safe.

Thank you for bringing this to our attention.
r3mbr4ndt
Posts: 29
Joined: Wed Mar 16, 2005 2:15 pm

Re: Unreal IRCd & the 05-Jun-2014 OpenSSL vulns

Post by r3mbr4ndt »

You're welcome. Thanks for the reply.