commit - 0e63fb3fa7ac4ca048e8c2b648d2be3fd0572311
commit + 25b19e08e2083f7b1972820ca4c096687d7eeaca
blob - a4cfdb91ea07ab432ce23eb6aafdcf06433b06f1
blob + 08d337fa72e47940a87f34f74ded362ece29f23e
--- ChangeLog
+++ ChangeLog
-- ChangeLog --
+ngIRCd 20.2 (2013-02-15)
+
+ - Security: Fix a denial of service bug in the function handling KICK
+ commands that could be used by arbitrary users to to crash the daemon.
+ - WHO command: Use the currently "displayed hostname" (which can be cloaked!)
+ for hostname matching, not the real one. In other words: don't display all
+ the cloaked users on a specific real hostname!
+ - configure: The header file "netinet/in_systm.h" already is optional in
+ ngIRCd, so don't require it in the configure script. Now ngIRCd can be
+ built on Minix 3 again :-)
+ - Return better "Connection not registered as server link" errors: Now ngIRCd
+ returns a more specific error message for numeric ERR_NOTREGISTERED(451)
+ when a regular user tries to use a command that isn't allowed for users but
+ for servers.
+ - Don't report ERR_NEEDMOREPARAMS(461) when a MDOE command with more modes
+ than nicknames is handled, as well as for channel limit and key changes
+ without specifying the limit or key parameters.
+ This is how a lot (all?) other IRC servers behave, including ircd2.11,
+ InspIRCd, and ircd-seven. And because of clients (tested with Textual and
+ mIRC) sending bogus MODE commands like "MODE -ooo nick", end-users got the
+ expected result as well as correct but misleading error messages ...
+ - Correctly detect when SSL subsystem must be initialized and take
+ outgoing connections (server links!) into account, too.
+ - autogen.sh: Enforce serial test harness on GNU automake >=1.13. The
+ new parallel test harness which is enabled by default starting with
+ automake 1.13 isn't compatible with our test suite.
+ And don't use "egrep -o", insetead use "sed", because it isn't portable
+ and not available on OpenBSD, for example.
+
ngIRCd 20.1 (2013-01-02)
- Allow ERROR command on server and service links only, ignore them and
blob - be743e681266239fc91caf1265f7e59b94e4acea
blob + 38f6029c5b32b397d3522d258da919f74aa109df
--- NEWS
+++ NEWS
terms of the GNU General Public License.
-- NEWS --
+
+
+ngIRCd 20.2 (2013-02-15)
+ - This release is a bugfix release only, without new features.
+ - Security: Fix a denial of service bug in the function handling KICK
+ commands that could be used by arbitrary users to to crash the daemon.
ngIRCd 20.1 (2013-01-02)
blob - 03c3df6804d0d863f5f0ee2bd6879893cb6454d4
blob + 2e39af03bb82030ea810427f700f846e0e851f83
--- contrib/Debian/changelog
+++ contrib/Debian/changelog
+ngircd (20.2-0ab1) unstable; urgency=high
+
+ * New "upstream" release, fixing a security related bug: ngIRCd 20.2.
+
+ -- Alexander Barton <alex@barton.de> Fri, 15 Feb 2013 12:17:00 +0100
+
ngircd (20.1-0ab1) unstable; urgency=low
* New "upstream" release: ngIRCd 20.1.
blob - fa0a6a1527dc7deddaf70e53e7005bda7a9a3a18
blob + e2448a42c9108d05751665d95f4cbe3450e63b9d
--- contrib/ngircd.spec
+++ contrib/ngircd.spec
%define name ngircd
-%define version 20.1
+%define version 20.2
%define release 1
%define prefix %{_prefix}
