[ircd-ratbox] ircd-ratbox-3.0.8 released(urgent security update)

androsyn androsyn at ratbox.org
Mon Dec 31 17:01:07 EST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Well this is an embarrassing release for certain, turns out there was a
nasty little bug in the CAPAB handling code that allows for a remote
attacker to crash the ircd.  With that said, all admins are urged to
upgrade to ircd-ratbox-3.0.8 immediately.  See the link below for further
details, the link mentions Charybdis but really this impacts all ircd-ratbox
derived ircds.  

http://www.ratbox.org/ASA-2012-12-31.txt

If you happen to be running a vunerable server and for whatever reason
cannot upgrade immediately, a /quote modunload m_capab.so should mitigate
the effects of the bug.

- -Aaron

(now for the standard boiler plate release notice)


http://www.ratbox.org/download/ircd-ratbox-3.0.8.tar.bz2
Sig: http://www.ratbox.org/download/ircd-ratbox-3.0.8.tar.bz2.asc
sha1sum: 544a94032ec700897204acd50ca176539f731b05

Please note as of this release, the 3.0 branch is now marked as 'stable'. 
The 2.2 branch will no longer be maintained.

This is the current release version of the 'stable' tree of ircd-ratbox.

If you are upgrading from 2.2, you must read doc/whats-new-3.0.txt
If you are upgrading from 2.1, you must read doc/whats-new-2.2.txt
If you are upgrading from 2.0, you must also read doc/whats-new-2.1.txt
If you are upgrading from 1.x, you must also read doc/whats-new-2.0.txt

- -- ircd-ratbox-3.0.8
- - fix embarrassing CAPAB crash - All admins should upgrade immediately
- - various doc cleanups


- -- ircd-ratbox-3.0.7
- - remove sigio code. its buggyness makes it more trouble than its worth
- - stop logging to files when they are commented out in the ircd.conf
- - add help for GUNGLINE
- - make cross compiles work again 
- - fix error handling with GNUTLS
- - update included sqlite3 code to something recent
- - documentation cleanups/updates

- -- ircd-ratbox-3.0.6
- - fix a user-triggerable crash in /links handling when flatten_links is
  disabled 
- -- ircd-ratbox-3.0.5
- - fix a bug with reading help files
- - add debugging in for dealing with a kline removal bug
- - fix /rehash tdlines and /rehash bans so they actually do something with
  dlines
- - compute the number of file descriptors passed correctly on freebsd/amd64
  (and probably others) 
- - check for compiler support for various warning flags and add them
- - add -fno-strict-aliasing as this is now needed for gcc 4.4
- - GNUTLS code now picks up new keys/certificates on rehash

- -- ircd-ratbox-3.0.4
- - Actually release from the right branch.  Oops.

- -- ircd-ratbox-3.0.3
- - fix forward dns resolution, only used by connect::host with hostnames
- - check return values on rb_socketpair that can cause a crash if 
  socketpair fails
- - add autoconf checks for -fstack-protector
- - add warnings for certain functions who's return values should always 
  be checked
- - fix a CHALLENGE related core dump

- -- ircd-ratbox-3.0.2
- - fix ssl+zip close detection
- - fix openssl detection when openssl is a static library
- - add gungline support
- - fix a problem with ssl connections not being accepted on solaris
  and perhaps other platforms as well
- - attempt to report the real network errors on ssl connections a bit better
- - actually update the internal timekeeping when using sigio 
- - fix an off by one error in ziplink stats processing  

- -- ircd-ratbox-3.0.1
- - call rb_helper_close on bandb errors to kill off old bandb processes
- - report correct files/line numbers for spoof warnings
- - sid in the serverinfo struct should be 4 bytes, not 3
- - rebuild the included ircd_lexer.c 
- - fix ports and /dev/poll on solaris
- - report libratbox version on -version and /info
- - libratbox version info includes ssl info
- - fix installing when using install-sh
- - reenable ziplinks + ssl
- - fix a gnutls related core dump
- - add support for a serverinfo::bandb setting for the ban database
- - report adding throttles when an oper is set umode +r
- - report throttle stats in /stats T

- -- ircd-ratbox-3.0.0
- - fix a crash with the the global cidr code
- - fix a core dump in bantool if bantool cannot open the database
- - report failure to open logfiles in a more useful way
- - check to see if we have both read and write access to the ban database
- - fix a build error on OS X Leopard

- -- ircd-ratbox-3.0.0rc3
- - fix a leak that would cause the ircd to leak 128 bytes per connection
- - a few minor cleanups of cases where malloc/free were used instead of
  rb_malloc/rb_free
- - keep people from passing absurd non-numeric values to --with-nicklen
- - have stats T report cumulative connection times as a 64bit integer
  and keep track of those values as a 64bit integer as well so they do
  not wrap

- -- ircd-ratbox-3.0.0rc2
- - log ERROR commands to file regardless of hide_error_messages setting 
- - restrict JOIN 0 to only allow 0 by itself, no multiple zeros or zeros
  before or after commas
- - honor -logfile command line option
- - fix timerfd_create check

- -- ircd-ratbox-3.0.0rc1
- - fix a bug in comment parsing in the config file
- - have bandb honor -basedir option
- - if ssld to work on win32 should you ever desire such a thing and a 
  few other minor win32 fixes
- - fix up a few things so that the source code builds with gcc -pedantic
- - do not abort configure if the AC_CHECK_SQLITE3 check fails
- - drop configure option for ssl only channels, this is now controlled by
  channel {} use_sslonly option
- - attempt to override FD_SETSIZE when using select, and if this cannot 
  be overriden, lower maxconnections
- - fix signalfd code on 32bit platforms
- - add support for timerfd_create event handling on linux systems with 
  new enough kernels and glibc
- - fix our fake rb_sockaddr_storage so that it actually compiles
- - Add some work arounds to avoid OPENSSL_applink on some platforms


- -- ircd-ratbox-3.0.0beta12
- - add support for ssl only oper and auth blocks
- - do not show whowas ip info if the ip is 0
- - fix admindline to actually work
- - fix a compile error with vhost6_dns when no ipv6 exists
- - fix a logic inversion with duplicate dline checking
- - fix a minor buffer overrun in the identd checking code
- - default bursting of who set topics to on
- - tidy up some of the identd checking code
- - don't try to release a closed connection 
- - change a few instances where localtime was being used instead of 
  UTC
- - do not bother logging ERROR commands from non-servers
- - fix a crash in bantool
- - fix an issue in libratbox with storing event names incorrectly
- - put a bit of sanity checking in rb_vsnprintf_append
- - some portability cleanups 

- -- ircd-ratbox-3.0.0beta11
- - remove the remains of servlink_path from the config file parser
- - userlog now logs the users IP address as well as their hostname
- - whowas now supports showing the users IP address as well as 
  hostname.  the same rules apply to showing the whowas IP as 
  apply to showing whois_actually and uses the same numeric.
- - double the size of the whowas array for large networks.  this 
  comes at a hit of about 2MB or so of memory.
- - really, really fix the block heap garbage collection code 


- -- ircd-ratbox-3.0.0beta10
- - fix a case a passing a NULL to match()
- - properly fix a crash in the block heap garbage collection code

- -- ircd-ratbox-3.0.0beta9
- - fix a hang with the resolver using epoll
- - add dns source port randomization
- - add a vhost_dns/vhost6_dns option to control which IP addresses the
  resolver binds to
- - make /stats A work again
- - cleanup some remains of the old ident helper
- - work around a core dump in libratbox with accepting sockets that 
  appear to be open in the fd hash and log this condition
- - fix a buffer overrun in the arc4random code when there is no ssl
  library
- - fix a memory alignment issue on sparc where the ircd would crash
  with a SIGBUS accessing long long variables that were allocated
  via the block allocator


- -- ircd-ratbox-3.0.0beta8
- - some cleanups in the checksplit code
- - some cleanups in the /trace code
- - show reasons for failed outbound SSL handshakes to opers
- - log ssl errors for servers and handshakes in serverlog
- - make sqlite3 checking more robust
- - change the resolver to use the code from charybdis instead of adns
- - fix identd checking so it works again
- - fix a bug where the ircd could stop reading from the client on the CAP 
  command
- - add some functions for random number generation for the nossl case in
  libratbox

- -- ircd-ratbox-3.0.0beta7
- - my release building script manage to not include libratbox, oops

- -- ircd-ratbox-3.0.0beta6
- - change -lock klines and friends to now be ADMINKLINE etc
- - default to only supporting TS6 
- - fix remote kline reasons
- - have sqlite3 checking use pkg-config when possible
- - move identd checking back into the ircd, this seems to have been more
  problematic than what it was worth
- - add experimental gnutls support - note that CHALLENGE does not work when using just
  gnutls 
- - some helpfile cleanups
- - fix compile error when zlib is not found
- - remove some restrictions on k/d/x/resv reasons that are no longer needed

- -- ircd-ratbox-3.0.0beta5
- - fix things so that --enable-assert=soft compiles again
- - fix a typo in mkpasswd
- - add admin only -lock klines, doing KLINE -lock will allow admins to
  add klines that normal opers cannot remove. 
- - modify bantool to have a -u option that updates the database schema.
  if upgrading from previous betas, this needs to be run to support
  the -lock kline changes.
- - fix cidr klines so they work again
- - update included sqlite3 to the latest revision
- - allow kline/unkline of a bare host or address, this gets treated as 
  *@host
- - report when an invalid kline is passed, instead of silently ignoring
- - fix --enable-assert=soft
- - fix libratbox build on OS X and others

- -- ircd-ratbox-3.0.0beta4
- - some configure/makefile changes that are useful for package maintainers
- - various bantool fixes
- - fix a bug with the command hash that could cause the ircd to crash
- - fix an ident checking bug that would sometimes cause users to get the 
  wrong ident
- - fix an ssld crash due to mangling connection ids incorrectly
- - fix matching of cidr masks where the bit length was 0 
- - implement throttling of ssl connection handshake flooding 
- - fix build on bsd platforms that lack EVFILT_TIMER
- - fix kqueue from sometimes dropping updates
- - fix a possible crash with ssl connections closing quickly
- - perserve errno so that connect failures report the correct error

- -- ircd-ratbox-3.0.0beta3
- - fix an issue with CAP END releasing clients before it should
- - report bandb errors in a useful fashion
- - strip tabs when reading from help/motd etc
- - override default_max_clients if it is == 0
- - fix ssl issue with wanting reads/writes
- - fix some cases where /list can freeze a client
- - stop libltdl from installing an empty include directory
- - improve SIGCHLD handling in the ircd

- -- ircd-ratbox-3.0.0beta2
- - honor global_cidr setting
- - fix a bug in bantool that improperly parsed X-lines with spaces them
- - fix user at host spoofs
- - fix default maxclients to work correctly
- - fix libratbox build with openssl disabled
- - don't spin on openssl accepts when there is no data

- -- ircd-ratbox-3.0.0beta1
- - No release notes, see doc/whats-new-3.0.txt

$Id: RELNOTES 27412 2012-12-31 21:31:20Z androsyn $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ4gnHAAoJEGk+LSMgH/V+tTwQAKO9okDkdoLJXU3TuLgPCPXk
IWbLfVNPeZXlurkxDCEvbmWWRQ9jq/9uJyN6gfOYTbcz+IjQ7GCFwr4r7jU8lHUu
++IzhJ2ocv9bcjyK8d8ziLXcQm/KOZx/hXRbMTKRtlRzl4D+nQmsTtQ56QHYl1+2
Ky+MtMZbpxi29TlispJum4b2qVymVAXaKJaGMiVsno3Pysb9rYvt98w00sc63/v2
ArSK/rDkzEXffI7SLdYQfaztAaNheR7y0B9ra0uEQr4puW91k8tC4NIjPOsqg2cE
3gVip3zHqZ1cPBQn9Ks0ASN2aEbLUl/3bgHipP6cEWvp3lM6OiAlkj8S3lvrMa1/
EiTmPdS2avmQBASpo1Ayf4a5phXP6N/Hl5I4IoBgOdS5hPwk1JClPOxdZJe6IrDT
pcw2BduZUAB4I/DlHjgffOpZp5P3Ai1vIkLlqnzSRhjlxq0octa8zFUBmtpQj4ku
KhRVJOX47K/+ykVfXWzrU9SMwi0LfL243dqYM1Pq0Sg+rftFTh+xWrR/8CqII2VO
fPJJ0FscP5TkxeCkEDssySnFgqUGDlIMBZp50bRqcHN/xEBoyXUTzPrYBPnZky9T
JtYXSr3val8nm37hu1BAA3vy8xVrQo0M4HeUC25jxu4+IOJojX7y5O1IrAuUG8mN
DkD8IGWneapk1LlS+ehm
=uviu
-----END PGP SIGNATURE-----


More information about the ircd-ratbox mailing list