IRC-Junkie.org – IRC News

All about Internet Relay Chat

InspIRCd Updates & New Website

After quite a prolonged downtime, the InspIRCd website and Wiki are back up again, no longer under their original domain but hosted on GitHub.

There have been new releases in all current branches as well as a new Beta release in the 2.1 branch.

Users of the 1.2 versions are strongly advised to upgrade their IRCds at least to version 1.2.9rc1 due to the recently found vulnerability and, if possible, they should update to InspIRCd 2.0.x as the 1.2 branch is nearing its end-of-life if no new maintainer is found.

People interested in maintaining the InspIRCd 1.2 branch should get in touch with the developers via their IRC channel on Chatspike.

InspIRCd 2.0.5 Vulnerability [Updated]

There has been a vulnerability reported in InspIRCd 2.0.5 and possibly other versions of the IRC daemon.

The problem lies in the buffer handling of dns.cpp; according to the advisory, it can be triggered by remote users and might result in arbitrary code execution.

There currently is a workaround in the form of a config setting, namely to set <performance:nouserdns> to yes.
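To confirm that the workaround above is actually in effect on a server, the following added example (not code from InspIRCd or the advisory) audits configuration text for the setting. It assumes that <performance:nouserdns> is written as a nouserdns="yes" attribute on the <performance> tag and that lines starting with # are comments; the helper names and the sample configurations are constructed for illustration.

```python
import re

# One <performance ...> tag; [^>]* also matches newlines, so a tag that is
# wrapped over several lines is still found.
TAG_RE = re.compile(r"<performance\b([^>]*)>")
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed sample configurations (not taken from any real server).
SAMPLE_VULNERABLE = '''
# <performance nouserdns="yes">   (commented out, has no effect)
<performance netbuffersize="10240"
             nouserdns="no">
'''
SAMPLE_WORKAROUND = '<performance netbuffersize="10240" nouserdns="yes">\n'
SAMPLE_UNSET = '<performance netbuffersize="10240">\n'


def strip_comments(conf_text):
    """Drop lines whose first non-blank character is '#'."""
    return "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))


def nouserdns_status(conf_text):
    """Return 'applied', 'disabled' or 'missing' for the workaround."""
    values = []
    for match in TAG_RE.finditer(strip_comments(conf_text)):
        attrs = dict(ATTR_RE.findall(match.group(1)))
        if "nouserdns" in attrs:
            values.append(attrs["nouserdns"].strip().lower())
    if not values:
        return "missing"   # key never set, so the workaround is not in place
    # Conservative assumption: every tag that sets the key must say "yes",
    # the value given in the article.
    return "applied" if all(v == "yes" for v in values) else "disabled"


if __name__ == "__main__":
    for name, conf in [("vulnerable", SAMPLE_VULNERABLE),
                       ("workaround", SAMPLE_WORKAROUND),
                       ("unset", SAMPLE_UNSET)]:
        print(name, "->", nouserdns_status(conf))
```

Anything other than "applied" means the server should be treated as still exposed until it is upgraded to a fixed release.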


There have also been pull requests on GitHub by Atheme developer nenolod which fix the underlying code, although those – as of now – haven’t been pulled in yet.

The fixes above have been pulled in and the official sources have been moved from Gitorious to GitHub.

Due to the serious nature of the vulnerability, watch the development of this closely, even though there currently are no reports of it being exploited in the wild.

The advisory can be found here and one of the temporary InspIRCd websites (which is currently still down after a break-in at the ChatSpike/InspIRCd servers) can be found here.

We’ll keep this entry updated on any new developments regarding this issue.

InspIRCd 1.2.7 stable is out, fixes DoS bugs

The InspIRCd team released version 1.2.7 of their stable branch yesterday which fixes 2 critical bugs that can result in DoS conditions, so an upgrade is advised.

The first fixed crash can be triggered when a remote server has the same name as a local one, which possibly crashes the linking IRCd. This bug was squashed by developer danieldg in this commit.

The second bug can lead to a Denial of Service condition through memory exhaustion, which was possible because ban exception masks weren’t limited in length or in number according to MAXBANS.

This has been rectified by this commit and they are now restricted to 250 characters in length and adhere to the MAXBANS directive.

The download for InspIRCd 1.2.7 can be found here, the whole commit-log can be viewed here.


Atheme / InspIRCd m_invisible brouhaha

Those who closely follow either project’s development will have noticed a few “odd” looking commits to their source code in the past few days.

The commits all concerned InspIRCd’s m_invisible module, which provides functionality similar to the old mode +I in UnrealIRCd 3.1.x.

Quoting the InspIRCd wiki page about m_invisible, the module

adds support for quiet (invisible) opers. A quiet oper is invisible to normal users on channels. This can be used for surveillance of botnet channels, statistics bots, etc. Note that other opers CAN see invisible opers; +Q only hides the oper from non-opers.

The brawl emerged when Atheme developer nenolod committed a few changes to the services packages that would make such a join visible to channel members by announcing that “Channel security has been compromised” because an invisible user has joined.

This commit was followed up by danieldg of the InspIRCd developer team, who moved the module out of the main – and therefore by default included – modules into the separate “inspircd-extras” repository, but only in the 2.0 beta and 2.1 pre-alpha branches.

The initial commits to Atheme have since been reverted but there now are checks for m_invisible being loaded and the services package now refuses to link if it spots the module being present.

The module, referred to as “morally unacceptable” and “not … ethical” by nenolod, has legitimate uses such as “private networks inside offices, with special uses, those do need logging and accountability, most of them even disable private messages entirely” said developer Brain when asked about his views of this whole situation. They wrote it because “users asked for the module” and his opinion is that it “should be kept, and we’re keeping it, in third party”.

Brain says that to him “it’s all about choice, the choice to run the modules or not to, we aren’t going to tell people what’s right and wrong” and that “people are sensible enough and educated enough to decide for themselves”.

What’s your opinion about this? Do you use m_invisible on your network? And if so, do you tell your users that such a module is loaded? Guns don’t kill, people do?


InspIRCd 2.0 beta 4 released

The InspIRCd team brings us another fresh release of the upcoming generation of their IRCd – InspIRCd 2.0 beta4.

The features and enhancements introduced with the new branch are huge and top those available in the 1.2 stable branch in every aspect.

And just as in the stable version, every feature, every mode and every module can either be enabled or disabled – customize your IRCd the way you want it.

The features the team is considering implementing are listed on the Roadmap page in their Wiki – a list of already programmed features can be found here.

If you want to try the upcoming generation of the IRCd, you can grab the current beta here – the changelog is available here.