Sebastian Köhler discovered a severe bug in ngIRCd 20 and 20.1 which can be
exploited by arbitrary users to crash the daemon and to lead to denial of
service. So here is the next "bug fix only" release for the ngIRCd 20 series:
Please note that all releases before 20 are NOT affected by the bug mentioned
above. But in the end, all installations should upgrade, ngIRCd 20.2 is the
most complete release we have so far, and there should be no reasons to stay
with old versions -- besides distributions not having newer releases ...
Besides the fix for the DoS mentioned above, ngIRCd 20.2 contains other fixes.
The complete ChangeLog lists the following changes:
• Security: Fix a denial of service bug in the function handling KICK
commands that could be used by arbitrary users to crash the daemon.
• WHO command: Use the currently "displayed hostname" (which can be cloaked!)
for hostname matching, not the real one. In other words: don't display all
the cloaked users on a specific real hostname!
• configure: The header file "netinet/in_systm.h" already is optional in
ngIRCd, so don't require it in the configure script. Now ngIRCd can be
built on Minix 3 again :-)
• Return better "Connection not registered as server link" errors: Now ngIRCd
returns a more specific error message for numeric ERR_NOTREGISTERED(451)
when a regular user tries to use a command that isn't allowed for users but
• Don't report ERR_NEEDMOREPARAMS(461) when a MODE command with more modes
than nicknames is handled, as well as for channel limit and key changes
without specifying the limit or key parameters.
This is how a lot (all?) other IRC servers behave, including ircd2.11,
InspIRCd, and ircd-seven. And because of clients (tested with Textual and
mIRC) sending bogus MODE commands like "MODE -ooo nick", end-users got the
expected result as well as correct but misleading error messages ...
• Correctly detect when SSL subsystem must be initialized and take
outgoing connections (server links!) into account, too.
• autogen.sh: Enforce serial test harness on GNU automake >=1.13. The
new parallel test harness which is enabled by default starting with
automake 1.13 isn't compatible with our test suite.
And don't use "egrep -o", instead use "sed", because it isn't portable
and not available on OpenBSD, for example.
More information can be found on the homepage <http://ngircd.barton.de/>
and its mirror <http://ngircd.berlios.de/>.
The primary download locations are:

Over the past month or so I've received complaints from multiple users,
using different clients, about the fact that ngIRCd disconnects them
when they send lines longer than the RFC permits. It seems like most
ircds simply truncate the line, and this behavior is commonly expected.
I think this is something that clients really ought to be more careful
about, but unfortunately there are still too many that aren't, and it
feels bad to me to punish the user with a disconnect for not manually
counting their bytes. Would all consider truncating the line, or some
other less disruptive way to handle this case? Maybe the disconnect
behavior could stay when STRICT_RFC is defined.
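
The truncation behaviour requested above, as an added example (not ngIRCd code and not part of the original mail): a line longer than the 510 payload bytes the IRC RFCs allow is cut and its excess dropped up to the next terminator, while a strict mode keeps the disconnect. The struct, the function and the runtime `strict` flag are hypothetical names, and accepting a lone CR or LF as a line terminator is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define IRC_MAX_PAYLOAD 510 /* RFC 1459: 512 bytes including the CR LF */
/* Hypothetical per-connection state; not ngIRCd's own structure. */
struct line_reader {
    char   buf[IRC_MAX_PAYLOAD + 1]; /* line, NUL-terminated on delivery */
    size_t len;                      /* payload bytes stored so far */
    int    overflow;                 /* dropping the rest of an overlong line */
    int    strict;                   /* 1 = request a disconnect instead */
};

/* Feed a received chunk. Returns the number of lines delivered, or -1 when
 * strict mode asks for a disconnect; *truncated counts lines that were cut. */
int feed_chunk(struct line_reader *r, const char *data, size_t n, int *truncated)
{
    int lines = 0;
    for (size_t i = 0; i < n; i++) {
        char c = data[i];
        if (c == '\r' || c == '\n') {
            if (r->len == 0)
                continue;              /* empty line, or the LF of a CR LF pair */
            r->buf[r->len] = '\0';     /* a server would dispatch r->buf here */
            lines++;
            *truncated += r->overflow;
            r->len = 0;
            r->overflow = 0;
        } else if (r->len < IRC_MAX_PAYLOAD) {
            r->buf[r->len++] = c;
        } else if (r->strict) {
            return -1;                 /* strict: the caller closes the link */
        } else {
            r->overflow = 1;           /* lenient: keep 510 bytes, drop the rest */
        }
    }
    return lines;
}

int main(void)
{
    char in[700];                      /* constructed input: a 600-byte line */
    struct line_reader r = {0};
    int truncated = 0;
    memset(in, 'A', 600);
    memcpy(in + 600, "\r\nPING :x\r\n", 11);
    int lines = feed_chunk(&r, in, 611, &truncated);
    printf("lines=%d truncated=%d last=%s\n", lines, truncated, r.buf);
    return 0;
}
```

Because the overflow state lives in the reader, an overlong line split across several reads is still cut once and the command after it is parsed normally.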

Does anyone know how to let ngircd print the latest 10 or 20 history
messages on a user joining a channel?
For the 'recent-offline-message-push', does that work on the server side, or
is it something only a bot could do?