IRC-Junkie.org – IRC News

UnrealIRCd, the IRCd that still dominates the usage statistics of all IRCds, has seen another stable release and is now at version 3.2.9.

After 2 release candidates and with 212 changes and bugfixes – almost the same amount as the last three stable releases combined – among which is a “substantial amount of new features” as Syzop writes in their announcement.

He thanks everyone that made this release possible but especially mentions binki who did a “considerable amount of work to make this release possible”.

And indeed, there is a large amount of changes – for example:

Syzop of the UnrealIRCd project just posted an announcement on their mailinglist and forums that some versions of their IRCd have been compromised and had a backdoor added which went unnoticed for quite a while.

The first signs of the compromise have been traced back to November 2009 and Syzop writes that “Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check”.

In a posting on the UnrealIRCd project website, coder Syzop announced a module that can help mitigate and completely stop the so-called “Firefox XPS Attack” (NSFW link).

The attack, which exploits the fact that malicious JavaScript can send arbitrary data to a wide range of ports, gained publicity when it was used against the freenode network over a period of a few weeks.

Even though the Mozilla project has a blocklist of ports that are specifically not allowed to be communicated to, the port commonly used by IRC networks (6667) was not on those lists.

The UnrealIRCd project released a bugfix release of version 3.2.8 and the current release is now 3.2.8.1.

The bugfix became necessary as a crash has been found in the option allow::options::noident.

In a short interview developer nate explains how the crash is being triggered and how to avoid it:

There was an issue in allow::options::noident, where if it was enabled in an allow block that a user could potentially crash a server due to a buffer overflow. As far as we’ve been able to see, there’s no risk of remote code execution as much as it just causing a segfault.  The main ways of resolving it are updating to 3.2.8.1 or simply making sure no allow blocks specifically have noident (which most by default won’t thankfully).

A little less than 4 weeks after the -rc1 release, there now is a -rc2 release of UnrealIRCd 3.2.8 available where some of the still present bugs have been fixed.

Fixes in this release include a bug that prevented you from compiling the IRCd on Mac OS X , problems with OperOverride that prevented you from -q/-a’ing someone when you were halfop, an issue with SuSE Linux 10.3 on AMD64 arch where the IRCd core-dumped on start, prevention of throttling client connections and stalling the IRCd when there are big adjustments made to the systems time after starting the IRCd and, last but not least, the documentation has been updated to reflect the latest additions and changes.