IRC-Junkie.org – IRC News

All about Internet Relay Chat

Atheme NickServ CertFP Vulnerability

A security vulnerability related to certificate fingerprints has been found in the Atheme IRC services package.

All versions that have CertFP functionality are affected, which are version 5.2.x, 6.x and the current testing release, version 7.x.

The vulnerability is triggered when a NickServ account that has a CertFP entry attached to it is dropped or expires: the CertFP entry is not cleaned up when the account is deleted.

This leaves the CertFP entry in limbo, and the dangling entry may end up pointing at another account, which makes it possible to identify as that other user via the certificate fingerprint.
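The failure mode described above, modelled as an added illustration that is not Atheme's code: a toy services database keeps account records in slots and a separate fingerprint index mapping fingerprint to slot. Dropped slots are reused by the next registration, which stands in for reuse of a freed account record. The names ServicesDB, scenario, orphaned_fingerprints and the fingerprint FP_ALICE are assumptions of this example; with cleanup_on_drop=False the index keeps pointing at the freed slot and the next account to register inherits the binding, with cleanup_on_drop=True the entry is removed before the slot is freed, and the audit helper reports stale index entries either way.

```python
"""Illustrative model of the dangling-CertFP defect (not Atheme's code).

Assumed design: account records live in slots, a fingerprint index maps
fingerprint -> slot, and dropped slots are reused by the next registration
(standing in for reuse of a freed account record).
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample fingerprint (not a real certificate hash).
FP_ALICE = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c"


@dataclass
class Account:
    name: str
    certfps: set = field(default_factory=set)


class ServicesDB:
    def __init__(self, cleanup_on_drop: bool) -> None:
        self.slots: list = []           # slot number -> Account or None
        self.free_slots: list = []      # slot numbers available for reuse
        self.certfp_index: dict = {}    # fingerprint -> slot number
        self.cleanup_on_drop = cleanup_on_drop

    def find(self, name: str) -> Optional[int]:
        for slot, acct in enumerate(self.slots):
            if acct is not None and acct.name == name:
                return slot
        return None

    def register(self, name: str) -> int:
        if self.find(name) is not None:
            raise ValueError(f"{name} is already registered")
        acct = Account(name)
        if self.free_slots:             # reuse a dropped slot first
            slot = self.free_slots.pop()
            self.slots[slot] = acct
        else:
            self.slots.append(acct)
            slot = len(self.slots) - 1
        return slot

    def add_certfp(self, name: str, fp: str) -> None:
        slot = self.find(name)
        if slot is None:
            raise KeyError(name)
        if fp in self.certfp_index:
            raise ValueError("fingerprint already bound to an account")
        self.slots[slot].certfps.add(fp)
        self.certfp_index[fp] = slot

    def drop(self, name: str) -> None:
        slot = self.find(name)
        if slot is None:
            raise KeyError(name)
        if self.cleanup_on_drop:        # the fix: unbind before freeing the slot
            for fp in self.slots[slot].certfps:
                self.certfp_index.pop(fp, None)
        self.slots[slot] = None
        self.free_slots.append(slot)

    def identify_by_certfp(self, fp: str) -> Optional[str]:
        """Account name a presented fingerprint resolves to, if any."""
        slot = self.certfp_index.get(fp)
        if slot is None:
            return None
        acct = self.slots[slot]
        return acct.name if acct is not None else None


def orphaned_fingerprints(db: ServicesDB) -> list:
    """Audit: index entries whose slot is empty or whose account does not
    list the fingerprint. A non-empty result means the index is stale."""
    return [fp for fp, slot in db.certfp_index.items()
            if db.slots[slot] is None or fp not in db.slots[slot].certfps]


def scenario(cleanup_on_drop: bool) -> Optional[str]:
    """alice binds a certificate and is dropped, then bob registers and
    reuses her slot. Returns whom alice's old fingerprint now resolves to."""
    db = ServicesDB(cleanup_on_drop)
    db.register("alice")
    db.add_certfp("alice", FP_ALICE)
    db.drop("alice")
    db.register("bob")
    return db.identify_by_certfp(FP_ALICE)


if __name__ == "__main__":
    print("without cleanup:", scenario(False))   # bob
    print("with cleanup:   ", scenario(True))    # None
```

Running the module shows the dangling entry resolving to the newly registered account when nothing is cleaned up, and resolving to nothing once the drop path removes the fingerprint binding; the orphaned_fingerprints audit is the check an operator would run over an existing database to find entries left behind before the fix was applied.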

Atheme maintainer nenolod has released an update for all currently maintained versions of the services package, so you are advised to upgrade your IRC services immediately.

The advisory can be found here and the original bug report can be found here.

EGs Project for Atheme

EGs (EpicGeeks Services) is the newest open source web interface for the Atheme IRC Services package. It was developed by Joseph Newing (synmuffin), a developer living and working in Ontario, Canada. J. Newing is currently the only developer of the EGs Project.

The requirements for running the EGs Project

EGs currently has support for the following:

  • ChanServ – Channel Info, Topic Changes, Kick/Ban/Akick A User, Channel Flags.
  • NickServ – Nick Info, Password Changes, Email Changes.
  • MemoServ – Read/Send/Receive/Forward Memos.
  • HostServ – View Available vHosts, Request New vHost.
  • OperServ – Global Messages, Akill, Set SuperAdmins, Load/Unload Modules, Rehash Services.

The EGs Project is currently at version 3.1 Beta, released on Feb. 24th, 2012. It works with the latest stable version of Atheme IRC Services as well as a few older versions. The project has HTTPS support as well as new user registration.

EGs is currently taking feature requests, and also allows features to be developed and sent to synmuffin for review and possible inclusion in the public version. If you think you deserve access to the git repo, please come talk to synmuffin on IRCMojo.

More information can be found at the EGs Development Page.

Atheme IRC Services 5.2.0 released

The Atheme project just tagged version 5.2.0 of their IRC services package which contains quite a few interesting changes from the previous version, 5.1.1.

Atheme IRC Services Logo

Atheme 5.2.0 introduces a new database format called “OpenSEX”, which is available as a technology preview in this release and will be mandatory once Atheme 6.0 is released. According to developer nenolod, the revised format was introduced to “remove legacy stuff and provide an extendable API”.

HostServ gained the OFFER command, which allows opers to – surprise – offer vHosts to their users. All of ChanServ's and NickServ's SET commands are now separate modules which can be loaded individually, giving networks fine-grained control over which functionality they provide to their users.

When users register, NickServ can now make use of CrackLib, which checks for weak passwords and either warns the user or even prevents registration when it determines that the password isn’t secure.

The converter for databases from IRCServices has been improved and is now “generally more robust”. The rate-limiting feature has been expanded and now supports limiting the HostServ/Request, ChanServ/Register and NickServ/Register commands to prevent the services server from being overloaded.

The complete changelog can be found here and the download is available here.

  Copyright secured by Digiprove

Atheme services package releases version 5.1.0

The team developing the Atheme IRC services just tagged version 5.1.0 of their services package.

The new release brings a lot of bugfixes, feature additions and enhancements, as well as a slew of modules that have been contributed to the project by other developers.

A few changes have also been made to the available IRCd protocol modules, mostly improvements and additions concerning InspIRCd support, and a new module providing support for the Ithildin IRCd has been added. Support for the legacy hyperion daemon, previously used on freenode, has been dropped, and support for ShadowIRCd has been updated.

Various helpfiles for the available *Serv services have been added and updated, and the same goes for all the added contributed modules. A taint subsystem has been added which “allows developers to programmatically define unsupportable conditions”.

SaslServ has gained the AUTHCOOKIE SASL method which allows for integration with Iris, an AJAX IRC client that is a fork of and aims to be a drop-in replacement for qwebirc which is “designed to integrate with the Atheme IRC platform (including atheme-web) and with IRCv3 client protocol compliance in mind”.

NickServ was expanded with CERTFP support which allows for password-less authentication via SSL certificate fingerprints. The converter for Anope databases has been improved to support newer versions of Anope and has been reworked to be a bit more robust when handling encrypted passwords.

The download can be found here and the complete changelog is available here.

Atheme / InspIRCd m_invisible brouhaha

Those who closely follow either project's development will have noticed a few “odd” looking commits to their source code in the past few days.

The commits all concerned InspIRCd's m_invisible module, which provides functionality similar to the old mode +I in UnrealIRCd 3.1.x.

Quoting the InspIRCd wiki page about m_invisible, the module

adds support for quiet (invisible) opers. A quiet oper is invisible to normal users on channels. This can be used for surveillance of botnet channels, statistics bots, etc. Note that other opers CAN see invisible opers; +Q only hides the oper from non-opers.

The brawl emerged when Atheme developer nenolod committed a few changes to the services package that would make such a join visible to channel members by announcing that “Channel security has been compromised” because an invisible user has joined.

This commit was followed up by danieldg of the InspIRCd developer team, who moved the module out of the main – and therefore included by default – modules into the separate “inspircd-extras” repository, but only in the 2.0 beta and 2.1 pre-alpha branches.

The initial commits to Atheme have since been reverted but there now are checks for m_invisible being loaded and the services package now refuses to link if it spots the module being present.

The module, referred to as “morally unacceptable” and “not … ethical” by nenolod, has legitimate uses such as “private networks inside offices, with special uses, those do need logging and accountability, most of them even disable private messages entirely”, said developer Brain when asked about his views on this whole situation. They wrote it because “users asked for the module”, and his opinion is that it “should be kept, and we’re keeping it, in third party”.

Brain says that to him “it’s all about choice, the choice to run the modules or not to, we aren’t going to tell people what's right and wrong” and that “people are sensible enough and educated enough to decide for themselves”.

What’s your opinion about this? Do you use m_invisible on your network? And if so, do you tell your users that such a module is loaded? Guns don’t kill, people do?
