IRC News

All about Internet Relay Chat

Konversation Bugfix Release 1.3.1

The KDE IRC client Konversation pushed out a bugfix release shortly after its 1.3 milestone which brought support for DCC Whiteboard, a collaborative drawing extension.

According to their announcement, this minor release brings quite a few bugfixes and also reverts a regression that causes “data corruption or even loss of Watched Nicknames Online lists on application quit”.

Another thing to take note of is the improvement of RFC 1459 PING/PONG handling which might have caused users of bouncers to flood the IRCd when they attach to the same connection multiple times, possibly resulting in them getting kicked off of the network.

Konversation also moved their VCS repository again – to a self-hosted solution which is the second move after migrating to Setting up their own platform was necessary after it became clear that they couldn’t reach an agreement with Gitorious’ company Shortcut AS.

For the full announcement including all changes and bugfixes in Konversation 1.3.1 click here.

  Copyright secured by Digiprove

Atheme IRC Services 5.2.0 released

The Atheme project just tagged version 5.2.0 of their IRC services package which contains quite a few interesting changes from the previous version, 5.1.1.

Atheme 5.2.0 introduces a new database format called “OpenSEX” which is available as a technology preview in this release and will be mandatory once Atheme 6.0 is released. According to developer nenolod, the revised format was introduced to “remove legacy stuff and provide an extendable API”.

HostServ gained the OFFER command which allows opers to – surprise – offer vHosts to their users. All of ChanServ’s and NickServ’s SET commands are now separate modules which can be loaded individually, allowing networks to choose in a fine-grained way which functionality they provide to their users.

When users register, NickServ can now make use of CrackLib which checks for weak passwords and either warns the user or even prevents registering when it determines the password isn’t secure.

The converter for databases from IRCServices has been improved and now is “generally more robust”. The rate-limiting feature has been expanded and now supports limiting commands to HostServ/Request, ChanServ/Register and NickServ/Register to prevent the services server from being overloaded.

The complete changelog can be found here and the download is available here.


KVIrc 4.0.0 "Insomnia" is available for download

The KVIrc project just announced the final version in the new stable branch of their IRC client, KVIrc 4.0.0 “Insomnia”.

2 months after the latest release candidate and more than 500 bugfixes from the bugtracker alone, this new version now depends on Qt4, which the developers say is “a great framework to base KVIrc on, far better than Qt3”.

Notable changes from the last stable, KVIrc 3.4.2, are added support for server extensions such as CAPs, SASL, STARTTLS and services packages. DCC support has been enhanced with UPnP which automatically opens ports in routers so you don’t need to worry about proper port-forwarding anymore.

Compatibility with various operating systems such as Mac OS X, Windows 7 and KDE4 has been improved and the “totally rewritten” MDI subsystem allows for a clean integration with your OS, adapting to the look and feel you’re used to.

Scripters will find a plethora of changes and additions and a visual class editor has been added to ease the development of custom scripts. KVIrc’s support for user avatars has been improved too – now you can have animated avatars and getting the avatar from one person doesn’t require you to CTCP the whole channel anymore.

An interesting addition in 4.0.0 is the ability to have a video chat over DCC – but other nice-to-have improvements made it into this release too: A graphical addon-manager, an improved and rewritten bandwidth monitor and direct media playback using the Phonon library – just to name a few.

If you got curious and would like to try out the new KVIrc 4.0.0 stable, you can find the download (currently sourcecode only) here and to read the full announcement click here.


Anope IRC Services 1.9.2 released, adds InspIRCd 2.0 support [Update 2]

chaz of the Anope project announced version 1.9.2 of their services package in the development branch.

New features since the release of 1.9.1-p1 are the “modestacker” which allows setting and removing several modes by services in one line, the binary databases have been replaced by flatfile plaintext ones and an option for persistent channels which keeps BotServ bots in the channel even when it is empty has been added.

Anope now supports linking over IPv6 and also reconnects automatically if it detects the uplink has died. Where it was only possible to have one encryption method for your users’ precious passwords, you can now set two or even more – useful if an application which interfaces with Anope only supports old and broken hashing algorithms like MD5. InspIRCd development also continued at a high pace and this release now supports linking to the 2.0 versions of their IRCd.

Finally, this release features something that closely resembles Live SQL: Anope reads from a special “commands” table which contains normal Anope commands and is executed as a FIFO-style queue. The database gets updated immediately when commands are issued and commands executed from SQL are also near-instant, however developer Adam says he has “an evil plan for that”. chaz writes in his announcement that this feature will be “further developed/re-engineered in 1.9.3” but he says it’s a “good start”.

Since the whole Live SQL thing is a new feature, and even though it was thoroughly tested, the announcement contains a few words advising you to take precautions:

As always, we encourage early adopters of development releases to exercise caution and take frequent system back ups knowing full well it might destroy your plans on a Friday night. We have been running 1.9.2 on Teranova for some time now and only uncovered a few unseen bugs. (This was on both Unreal and subsequently our migration to InspIRCd 1.2).

Networks that are running their services daemon on Windows will be missing out on the whole Live SQL business – apparently MySQL support on Windows is broken but it’ll be added when 1.9.3 is released.

Another thing to look forward to is that there will be a webinterface included in one of the upcoming releases and the developers note that they “welcome suggestions on our forum for functionality this could include”.

Probably trying to reduce the chance of being hit by a hack as disastrous as the one that happened to the guys of the UnrealIRCd project, chaz writes that future releases “may include further security measures such as GPG/etc” in addition to the provided MD5Sums.

Even though the changelog seems rather short there have been changes to no less than 279 files with 31458 insertions and almost as many deletions according to this diff stat.

The announcement which includes the download link and further instructions regarding the upgrade process from 1.9.1 and MySQL-support can be viewed here.

[Update]: Anope 1.9.2-p1 has been released as a direct result of a few bugreports. Issues resolved include Windows-specific problems and fixes to the database converter – if you’ve experienced problems with either you’re advised to update.

The project is also seeking contributors for their upcoming releases – whether you’re a coder, webdev or a tester – if you feel like helping the project out you should get in touch with them.

[Update 2]: Patch release 2 has just been made available on the Anope website: InspIRCd 2.0 support has been extended, full m_customprefix (allows custom prefixes to be created) support being one of the added features in this release. Users of Anope 1.9.2 and 1.9.2-p1 are advised to upgrade since both versions contain a bug that may crash services when a nick expires.


Some UnrealIRCd downloads trojaned [Update 3]

Syzop of the UnrealIRCd project just posted an announcement on their mailinglist and forums that some versions of their IRCd have been compromised and had a backdoor added which went unnoticed for quite a while.

The first signs of the compromise have been traced back to November 2009 and Syzop writes that “Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check”.

Only the source downloads (.tar.gz) are affected by this hack. Windows users, copies checked out from their CVS as well as users of older versions are safe and don’t need to check – everyone else should ensure they’re running a clean version of UnrealIRCd since the backdoor allows an attacker to issue and execute commands as the user the IRCd is running as, which essentially means your shell could easily be compromised despite all other security measures.

Checking if your IRCd is one of those trojanized copies can easily be done either by checking with md5sum or by grep’ing the source for the backdoored code:

Run ‘md5sum Unreal3.2.8.1.tar.gz’ on it and compare the resulting sum to the checksums below:

Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

or use the command ‘grep DEBUG3_DOLOG_SYSTEM include/struct.h’ from your Unreal3.2 directory – if this outputs 2 lines you’re running the trojanized version and need to get yourself a fresh and clean copy of the IRCd and recompile it since the compromised section is in the IRCds core and “it is not possible to ‘clean’ UnrealIRCd without a restart or through a module”.
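
The two checks described above, as an added shell example (not the UnrealIRCd project's or this article's own script): it compares a tarball's MD5 against both sums quoted here and counts marker lines in include/struct.h. The verdict names, the helper make_sample_tree and its placeholder lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: applies the md5sum and grep checks quoted in the article.
# The two checksums and the grep marker are the ones given above.
BAD_MD5=752e46f2d873c1679fa99de3f52a274d
GOOD_MD5=7b741e94e867c0a7370553fd01506c66

# Map an MD5 hex digest (any letter case) to a verdict.
classify_md5() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        "$BAD_MD5")  echo BACKDOORED ;;
        "$GOOD_MD5") echo OFFICIAL ;;
        *)           echo UNKNOWN ;;   # neither published sum: do not trust it
    esac
}

# Hash a tarball with md5sum and classify the result.
check_tarball() {
    [ -r "$1" ] || { echo MISSING; return 0; }
    classify_md5 "$(md5sum "$1" | cut -d' ' -f1)"
}

# Count marker lines in include/struct.h of an unpacked Unreal3.2 tree.
# The article defines only the 2-line case; reporting any other non-zero
# count as SUSPECT is an assumption of this example.
check_tree() {
    hdr="$1/include/struct.h"
    [ -r "$hdr" ] || { echo MISSING; return 0; }
    n=$(grep -c DEBUG3_DOLOG_SYSTEM "$hdr" || true)
    case "$n" in
        0) echo NO_MARKER ;;
        2) echo TROJANIZED ;;
        *) echo SUSPECT ;;
    esac
}

# Build a constructed tree with $1 marker lines (placeholders, not real code).
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/include" || return 1
    : > "$d/include/struct.h"
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "/* constructed line $i: DEBUG3_DOLOG_SYSTEM */" >> "$d/include/struct.h"
        i=$((i + 1))
    done
    echo "$d"
}

# Usage: sh check.sh Unreal3.2.8.1.tar.gz /path/to/Unreal3.2
if [ $# -ge 2 ]; then
    echo "tarball: $(check_tarball "$1")"
    echo "tree:    $(check_tree "$2")"
fi
```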

Syzop writes that they have taken precautions so such a compromise can never happen again and, if it does, that it’ll be noticed more quickly. They’re also planning to reimplement PGP/GPG signing of the releases which “in practice (very) few people use” but “still [will] be useful for those people who do”.

Closing his announcement he writes that he’d like to “apologize about this security breach. We simply did not notice, but should have. We did not check the files on all mirrors regularly, but should have. We did not sign releases through PGP/GPG, but should have done so. Hope you’ll all continue to support UnrealIRCd”.

The full announcement can be read here and the advisory can be found here.

[Update]: Servers running the trojanized versions of UnrealIRCd should be updated as soon as possible since HD Moore, the creator of the Metasploit exploitation framework, already released a module for it – but even without that the security hole is really simple to exploit.

Also, here is a .sh script that might help you in the upgrade process – at least one user on the UnrealIRCd forums claimed it worked for him (although no kind of guarantee is given either by the author or by me).

[Update 2]: Syzop just posted a follow-up in which he writes that their releases are “from now on signed with GnuPG (PGP) again”.

[Update 3]: In an email to the UnrealIRCd mailinglist, Syzop elaborates on the GPG/PGP signing and says that there will be instructions on how to verify the key when you download the future releases. He also goes into some detail about which precautions the team has taken so that such an incident “will never ever happen again”. He rightfully criticizes certain news outlets that claimed it was the fault of the Open Source model and even Linux (*cough*ZDNet*cough*) – some websites even confused the IRCd with EPIC software’s first-person shooter Unreal Tournament.
