Fedora 36: FEDORA-2023-b1375d2423 Major: PostgreSQL Security Patch

UnrealIRCd is an Open Source IRC server based on the branch of IRCu called

Dreamforge, formerly used by the DALnet IRC network. Since the beginning of

development on UnrealIRCd in May of 1999, it has become a highly advanced

IRCd with a strong focus on modularity, an advanced and highly configurable

configuration file. Key features include SSL/TLS, cloaking, advanced anti-flood and anti-spam systems, swear filtering and module support.

# UnrealIRCd 6.0.2 UnrealIRCd 6.0.2 comes with several nice feature

enhancements along with some fixes. It also includes a fix for a crash bug that

can be triggered by ordinary users. ## Fixes * Fix crash that can be

triggered by regular users if you have any `deny dcc` blocks in the config or

any spamfilters with the `d` (DCC) target. * Fix infinite hang on "Loading

IRCd configuration" if DNS is not working. For example if the 1st DNS server in

`/etc/resolv.conf` is down or refusing requests. * Some `MODE` server-to-server commands were missing a timestamp at the end, even though this is

mandatory for modes coming from a server. * The

[channeldb](https://www.unrealircd.org/docs/Set_block#set::channeldb) module now

converts letter extbans to named extbans (e.g. `~a` to `~account`). Previously

it did not, which caused letter extbans to appear in the banlist. Later on, when

linking servers, this would cause duplicate entries to appear as well, with both

the old and new format. The extbans were still effective though, so this is

mostly a visual `+b`/`+e`/`+I` list issue. * Some [Extended Server

Bans](https://www.unrealircd.org/docs/Extended_server_bans) were not working

correctly for WEBIRC proxies. In particular, a server ban or exempt (ELINE) on

`~country:XX` was only checked against the WEBIRC proxy. ## Enhancements *

Support for [logging to a

channel](https://www.unrealircd.org/docs/Log_block#Logging_to_a_channel).

Similar to snomasks but then for channels. * Command line interface changes:

* The CLI tool now communicates to the running UnrealIRCd process via a UNIX

socket to send commands and retrieve output. * The command `unrealircdctl

rehash` will now show the rehash output, including warnings and errors, and

return a proper exit code. * The same for `unrealircdctl reloadtls` *

The command `unrealircdctl status` to show if UnrealIRCd is running, the

version, channel and user count, .. * The command `unrealircdctl

genlinkblock` is now

[documented]()) and

is referred to from the [Linking servers

tutorial](https://www.unrealircd.org/docs/Tutorial:_Linking_servers). * New

option [set::server-notice-show-event](https://www.unrealircd.org/docs/Set_block#set::server-notice-show-event)

which can be set to `no` to hide the event information (e.g.

`connect.LOCAL_CLIENT_CONNECT`) in server notices. This can be overridden per-oper in the [Oper block](https://www.unrealircd.org/docs/Oper_block) via

`oper::server-notice-show-event`. * Support for IRC over UNIX sockets (on the

same machine), if you specify a file in the [listen

block](https://www.unrealircd.org/docs/Listen_block) instead of an ip/port. This

probably won't be used much, but the option is there. Users will show up with a

host of `localhost` and IP `127.0.0.1` to keep things simple. * The `MAP`

command now shows percentages of users * Add `WHO` option to search clients by

time connected (e.g. `WHO <300 t` to search for less than 300 seconds) * Rate

limiting of `MODE nick -x` and `-t` via new `vhost-flood` option in [set::anti-flood block](https://www.unrealircd.org/docs/Anti-flood_settings). ## Changes

* Update Russian `help.ru.conf`. ## Protocol * `SVSMODE #chan -b nick` will

now correctly remove extbans that prevent `nick` from joining. This fixes a bug

where it would remove too much (for `~time`) or not remove extbans (most other

extbans, e.g. `~account`). `SVSMODE #chan -b` has also been fixed accordingly

(remove all bans preventing joins). Note that all these commands do not remove

bans that do not affect joins, such as `~quiet` or `~text`. # UnrealIRCd

6.0.1.1 ## Fixes * In 6.0.1.1: extended bans were not properly synced

between U5 and U6. This caused missing extended bans on the U5 side (MODE was

working OK, this only happened when linking servers) * Text extbans did not

have any effect (`+b ~text:censor:*badword*`) * Timed bans were not expiring

if all servers on the network were on U6 * Channel mode `+f` could place a

timed extban with `~t` instead of `~time` * Crash when unloading any of the

vhoaq modules at runtime * Some log messages being wrong (`CHGIDENT`,

`CHGNAME`) * Remove confusing high cpu load warning ## Enhancements *

Error on unknown snomask in `set::snomask-on-oper` and `oper::snomask`. * TKL

add/remove/expire messages now show `[duration: 60m]` instead of the `[expires:

ZZZ GMT]` string since that is what people are more interested in and is not

affected by time zones. The format in all the 3 notices is also consistent now.

# UnrealIRCd 6.0.0 Many thanks (by upstream) to k4be for his help during

development, other contributors for their feedback and patches, the people who

tested the beta's and release candidates, translators and everyone else who made

this release happen! ## Summary UnrealIRCd 6 comes with a completely redone

logging system (with optional JSON support), named extended bans, four new IRCv3

features, geoip support and remote includes support built-in. Additionally,

things are more customizable such as what gets sent to which snomask. All the

+vhoaq channel modes are now modular as well, handy for admins who don't want or

need halfops or `+q`/`+a`. For `WHOIS` it is now customizable in detail who gets

to see what. A summary of the features is available at [What's new in

UnrealIRCd 6]('s_new_in_UnrealIRCd_6). For

complete information, continue reading the release notes below. The sections

below contain all the details. ## Upgrading from UnrealIRCd 5 When upgrading

from UnrealIRCd 5 to 6 then you can use your existing configuration and files.

There's no need to start from scratch. However, you will need to make a few

updates, see [Upgrading from 5.x to

6.x](https://www.unrealircd.org/docs/Upgrading_from_5.x). ## Enhancements *

Completely new log system and snomasks overhaul * Both logging and snomask

sending is done by a single logging function * Support for [JSON

logging](https://www.unrealircd.org/docs/JSON_logging) to disk, instead of the

default text format. JSON logging adds lot of detail to log messages and

consistently expands things like *client* with properties like *hostname*,

*connected_since*, *reputation*, *modes*, etc. * The JSON data is also sent

to all IRCOps who request the `unrealircd.org/json-log` capability. The data is

then sent in a message-tag called `unrealircd.org/json-log`. This makes it ideal

for client scripts and bots to do automated things. * A new style `log { }`

block is used to map what log messages should be logged to disk, and which ones

should be sent to snomasks. * The default logging to snomask configuration

is in `snomasks.default.conf` which everyone should include from

unrealircd.conf. That is, unless you wish to completely reconfigure which

logging goes to which snomasks yourself, which is also an option now. * See

[Snomasks](https://www.unrealircd.org/docs/Snomasks#UnrealIRCd_6) on the new

snomasks - lots of letters changed! * See [FAQ: Converting log { }

block](https://www.unrealircd.org/docs/FAQ#old-log-block) on how to change your

existing `log { }` blocks for disk logging. * We now have a consistent log

format and log messages can be multiline. * Colors are enabled by default in

snomask server notices, these can be disabled via [set::server-notice-colors](https://www.unrealircd.org/docs/Set_block#set::server-notice-colors) and

also in [oper::server-notice-colors](https://www.unrealircd.org/docs/Oper_block)

* Support for [logging to a

channel](https://www.unrealircd.org/docs/Log_block#Logging_to_a_channel).

Similar to snomasks but then for channels. *Requires UnrealIRCd 6.0.2 or later*

* Almost all channel modes are modularized * Only the three list modes

(`+b`/`+e`/`+I`) are still in the core * The five level modes (`+vhoaq`) are

now also modular. They are all loaded by default but you can blacklist one or

more if you don't want them. For example to disable halfop: `blacklist-module

chanmodes/halfop`; * Support for compiling without `PREFIX_AQ` has been

removed because people often confused it with disabling `+a`/`+q` which is

something different. * Named extended bans * Extbans now no longer show up

with single letters but with names. For example `+b ~c:#channel` is now `+b

~channel:#channel`. * Extbans are automatically converted from the old to

the new style, both from clients and from/to older UnrealIRCd 5 servers. The

auto-conversion also works fine with complex extbans such as `+b

~t:5:~q:nick!user@host` to `+b ~time:5:~quiet:nick!user@host`. * New IRCv3

features * [MONITOR](https://ircv3.net/specs/extensions/monitor.html): an

alternative for `WATCH` to monitor other users ("notify list"). *

draft/extended-monitor: extensions for `MONITOR`, still in draft. * [invite-notify](https://ircv3.net/specs/extensions/invite-notify): report channel

invites to other chanops (or users) in a machine readable way. *

[setname](https://ircv3.net/specs/extensions/setname.html): notify clients about

realname (gecos) changes. * GeoIP lookups can be configured * This shows

the country of the user to IRCOps in `WHOIS` and in the "user connecting" line.

* By downstream default, no module is loaded. * Options are the

`geoip_maxmind` and `geoip_csv` modules. * Configure `WHOIS` output in a very

precise way * You can now decide which fields (e.g. modes, geo, certfp, etc)

you want to expose to who (everyone, self, oper). * See [set::whois-details](https://www.unrealircd.org/docs/Set_block#set::whois-details) for more

details. * We now ship with 3 cloaking modules and you need to load 1

explicitly via `loadmodule`: * `cloak_sha256`: the recommended module for

anyone starting a *new* network. It uses the SHA256 algorithm under the hood.

* `cloak_md5`: for anyone who is upgrading their network from older UnrealIRCd

versions. Use this so your cloaked host bans remain the same. *

`cloak_none`: if you don't want any cloaking, not even as an option to your

users (rare) * Remote includes are now supported everywhere in the config

file. * Support for ` fetching is now always available, even if you

don't compile with libcurl support. * Anywhere an URL is encountered on its

own, it will be fetched automatically. This makes it work not only for includes

and motd (which was already supported) but also for any other file. * To

prevent something from being interpreted as a remote include URL you can use

'value' instead of "value". * Invite notification: set `set::normal-user-invite-notification yes;` to make chanops receive information about normal users

inviting someone to their channel. The name of this setting may change in a

later version. * Websocket: you can add a `listen::options::websocket::forward

1.2.3.4` option to make unrealircd accept a `Forwarded` (RFC 7239) header from a

reverse proxy connecting from `1.2.3.4` (plans to accept legacy `X-Forwarded-For` and a proxy password too). This feature is currently experimental. ##

Changes * TLS cipher and some other information is now visible for remote

clients as well, also in `[secure: xyz]` connect line. * Error messages in

remote includes use the url instead of a temporary file * Downgrading from

UnrealIRCd 6 is only supported down to 5.2.0 (so not lower like 5.0.x). If this

is a problem then make a copy of your db files (e.g.: `reputation.db`). ##

Removed * `/REHASH -motd` and `-opermotd` are gone, just use `/REHASH` ##

Breaking changes See https://www.unrealircd.org/docs/Upgrading_from_5.x, but in

short: You can use the unrealircd.conf from UnrealIRCd 5, but you need to make

a few changes: * You need to add `include "snomasks.default.conf"`; * You

need to load a cloaking module explicitly. Assuming you already have a network

then add: `loadmodule "cloak_md5"`; * The log block(s) need to be updated, use

something like: ``` log { source { !debug; all;

} destination { file "ircd.log" { maxsize 100M; } }

} ``` ## Server protocol * When multiple related `SJOIN` messages are

generated for the same channel then we now only send the current channel modes

(e.g. `+sntk key`) in the first SJOIN and not in the other ones as they are

unneeded for the immediate followup SJOINs, they waste unnecessary bytes and

CPU. Such messages may be generated when syncing a channel that has dozens of

users and/or bans/exempts/invexes. Ideally this should not need any changes in

other software, since we already supported such messages in the past and code

for handling it exists way back to 3.2.x, but you better check to be sure! *

If you send `PROTOCTL NEXTBANS` then you will receive extended bans with Named

EXTended BANs instead of letters (e.g.: `+b ~account:xyz`), otherwise you

receive them with letters (e.g.: `+b ~a:xyz`). * Some ModData of users is

(also) communicated in the UID message while syncing using a message tag that

only appears in server-to-server traffic, `s2s-md/moddataname=value`. Thus, data

such as operinfo, tls cipher, geoip, certfp, sasl and webirc is communicated at

the same time as when a remote connection is added. This makes it that a

"connecting from" server notice can include all this information and also so

code can make an immediate decission on what to do with the user in hooks.

ModData modules need to set `mreq.sync = MODDATA_SYNC_EARLY`; if they want this.

Servers of course need to enable `MTAGS` in `PROTOCTL` to see this. * The

`SLOG` command is used to broadcast logging messages. This is done for

`log::destination` remote, as used in doc/conf/snomasks.default.conf, for

example for link errors, oper ups, flood messages, etc. It also includes all

JSON data in a message tag when `PROTOCTL MTAGS` is used. * Bounced modes are

gone: these were MODEs that started with a `&` which servers were to act on with

reversed logic (add becoming remove and vice versa) and never to send something

back to that server. In practice this was almost never used and complicated the

code (way) too much. ## Client protocol * Extended bans now have names

instead of letters. If a client sends the old format with letters (e.g. `+b

~a:XYZ`) then the server will convert it to the new format with names (e.g.: `+b

~account:XYZ`) * Support for `MONITOR` and the other IRCv3 features (see

*Enhancements*)

* Mon Mar 21 2022 Robert Scheck 6.0.2-1

- Upgrade to 6.0.2 (#2038245)

* Sat Jan 22 2022 Fedora Release Engineering - 6.0.1.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

* Fri Dec 31 2021 Robert Scheck 6.0.1.1-1

- Upgrade to 6.0.1.1 (#2033813)

* Thu Dec 30 2021 Robert Scheck 6.0.1-1

- Upgrade to 6.0.1 (#2033813)

[ 1 ] Bug #2048669 - unrealircd: Denial of service when a certain command is sent

https://bugzilla.redhat.com/show_bug.cgi?id=2048669

su -c 'dnf upgrade --advisory FEDORA-2022-a9349c1299' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure