Hi all!
Florian Westphal found a serious bug in ngIRCd release 14 which affects all servers compiled with SSL support linked in, regardless of whether SSL support is actually in use. This bug is remotely triggerable and causes the daemon to crash (DoS).
So EVERYBODY using ngIRCd release 13 or 14 with SSL support linked in SHOULD UPGRADE to ngIRCd release 14.1 as soon as possible!
You can use the "ngircd --version" command to check the options your daemon provides: if it lists "SSL", you are affected! (e.g. "ngircd 14.1-SYSLOG+ZLIB+SSL+IRCPLUS+IPv6-i386/apple/darwin9.6" is affected)
The full changelog lists (since release 14):
- Security: fix remotely triggerable crash in SSL/TLS code.
- BSD start script contrib/ngircd.sh has been renamed to ngircd-bsd.sh.
- New start/stop script for RedHat-based distributions: contrib/ngircd-redhat.init, thanks to Naoya Nakazawa naoya@sanow.net.
- Doxygen: update source code repository link to GIT.
- Debian: build ngircd-full-dbg package.
- Allow ping timeout quit messages to show the timeout value.
- Fix error handling on compressed links.
- Fix server list announcement.
- Do not remove hostnames from info text.
Direct download links for the source archive:
ftp://ftp.berlios.de/pub/ngircd/ngircd-14.1.tar.gz
ftp://ngircd.barton.de/pub/ngircd/ngircd-14.1.tar.gz
The ChangeLog can be found here:
http://ngircd.barton.de/doc/ChangeLog
http://ngircd.berlios.de/doc/ChangeLog
GnuPG signatures and a patch from release 14 are available and can be downloaded from here:
ftp://ngircd.barton.de/pub/ngircd/
ftp://ftp.berlios.de/pub/ngircd/
The relevant MD5 sums are:
MD5 (ngircd-14.1.tar.gz) = eef90855414c35bfb6590d17e24ee06f
MD5 (ngircd-14-14.1.patch.gz) = 896814187a7a350272ab5fb4119a381a
You can have a look at the complete history and every single patch using the GIT web frontend located at:
http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git
Please let us know if you encounter any bugs or need more/better documentation (best is to file bugs using the bug tracker or to mail to this list). Thanks!
Regards
Alex
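The "ngircd --version" check described in the announcement can be scripted across several hosts. The following is an added example, not part of the original announcement or of the ngIRCd project; it assumes the first line of the output has the shape of the sample string quoted above, and the function names and every sample line except the first are constructed.

```shell
#!/bin/sh
# Added example: classify an `ngircd --version` line for this advisory.
# Assumed line shape (taken from the announcement's sample string):
#   ngircd <release>-<FEATURE+FEATURE+...>-<cpu/vendor/os>

ngircd_release() {            # $1 = version line -> release, e.g. "14.1"
    field=${1#* }             # drop the program name
    printf '%s\n' "${field%%-*}"
}

ngircd_features() {           # $1 = version line -> "SYSLOG+ZLIB+SSL+..."
    field=${1#* }
    rest=${field#*-}          # drop "<release>-"
    printf '%s\n' "${rest%%-*}"   # drop "-<cpu/vendor/os>"
}

has_feature() {               # $1 = version line, $2 = feature name
    # Match whole '+'-separated tokens only, never substrings.
    case "+$(ngircd_features "$1")+" in
        *"+$2+"*) return 0 ;;
        *)        return 1 ;;
    esac
}

classify() {                  # prints: no-ssl | upgrade | ssl-linked
    if ! has_feature "$1" SSL; then
        echo "no-ssl"         # SSL not linked in: this bug does not apply
        return 0
    fi
    case "$(ngircd_release "$1")" in
        13|14) echo "upgrade" ;;      # releases named in the announcement
        *)     echo "ssl-linked" ;;   # SSL linked in; compare release with 14.1
    esac
}

# First sample is the string quoted in the announcement; the rest are constructed.
for line in \
    'ngircd 14.1-SYSLOG+ZLIB+SSL+IRCPLUS+IPv6-i386/apple/darwin9.6' \
    'ngircd 14-SYSLOG+ZLIB+SSL+IPv6-x86_64/pc/linux-gnu' \
    'ngircd 14-SYSLOG+ZLIB+IPv6-x86_64/pc/linux-gnu'
do
    printf '%-12s %s\n' "$(classify "$line")" "$line"
done

# Check the locally installed daemon, if there is one.
if command -v ngircd >/dev/null 2>&1; then
    classify "$(ngircd --version 2>/dev/null | head -n 1)"
fi
```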