Commit Diff
Diff:
0e63fb3fa7ac4ca048e8c2b648d2be3fd0572311
25b19e08e2083f7b1972820ca4c096687d7eeaca
25b19e08e2083f7b1972820ca4c096687d7eeaca
Commit:
25b19e08e2083f7b1972820ca4c096687d7eeaca
Tree:
8199f6a5fa81f15adfebcbac5abca61ddce69405
Committer:
Alexander Barton <alex@barton.de>
Date:
Fri Feb 15 11:48:10 2013
UTC
Message:
ngIRCd Release 20.2
(cherry picked from commit c45d9dd1f08fddb95fa01d62c69848cd753a3161)
--- ChangeLog
+++ ChangeLog
@@ -9,6 +9,35 @@
-- ChangeLog --
+ngIRCd 20.2 (2013-02-15)
+
+ - Security: Fix a denial of service bug in the function handling KICK
+ commands that could be used by arbitrary users to to crash the daemon.
+ - WHO command: Use the currently "displayed hostname" (which can be cloaked!)
+ for hostname matching, not the real one. In other words: don't display all
+ the cloaked users on a specific real hostname!
+ - configure: The header file "netinet/in_systm.h" already is optional in
+ ngIRCd, so don't require it in the configure script. Now ngIRCd can be
+ built on Minix 3 again :-)
+ - Return better "Connection not registered as server link" errors: Now ngIRCd
+ returns a more specific error message for numeric ERR_NOTREGISTERED(451)
+ when a regular user tries to use a command that isn't allowed for users but
+ for servers.
+ - Don't report ERR_NEEDMOREPARAMS(461) when a MDOE command with more modes
+ than nicknames is handled, as well as for channel limit and key changes
+ without specifying the limit or key parameters.
+ This is how a lot (all?) other IRC servers behave, including ircd2.11,
+ InspIRCd, and ircd-seven. And because of clients (tested with Textual and
+ mIRC) sending bogus MODE commands like "MODE -ooo nick", end-users got the
+ expected result as well as correct but misleading error messages ...
+ - Correctly detect when SSL subsystem must be initialized and take
+ outgoing connections (server links!) into account, too.
+ - autogen.sh: Enforce serial test harness on GNU automake >=1.13. The
+ new parallel test harness which is enabled by default starting with
+ automake 1.13 isn't compatible with our test suite.
+ And don't use "egrep -o", insetead use "sed", because it isn't portable
+ and not available on OpenBSD, for example.
+
ngIRCd 20.1 (2013-01-02)
- Allow ERROR command on server and service links only, ignore them and
--- NEWS
+++ NEWS
@@ -9,6 +9,12 @@
-- NEWS --
+ngIRCd 20.2 (2013-02-15)
+
+ - This release is a bugfix release only, without new features.
+ - Security: Fix a denial of service bug in the function handling KICK
+ commands that could be used by arbitrary users to to crash the daemon.
+
ngIRCd 20.1 (2013-01-02)
- This release is a bugfix release only, without new features.
--- contrib/Debian/changelog
+++ contrib/Debian/changelog
@@ -1,3 +1,9 @@
+ngircd (20.2-0ab1) unstable; urgency=high
+
+ * New "upstream" release, fixing a security related bug: ngIRCd 20.2.
+
+ -- Alexander Barton <alex@barton.de> Fri, 15 Feb 2013 12:17:00 +0100
+
ngircd (20.1-0ab1) unstable; urgency=low
* New "upstream" release: ngIRCd 20.1.
--- contrib/ngircd.spec
+++ contrib/ngircd.spec
@@ -1,5 +1,5 @@
%define name ngircd
-%define version 20.1
+%define version 20.2
%define release 1
%define prefix %{_prefix}