Hi All!
Another exploitable bug in ngIRCd has been found, so here is yet another update: ngIRCd 0.8.3 has been released!
The bug is only exploitable when the daemon is compiled to do IDENT lookups, which is not the default configuration. If you don't use IDENT lookups with your ngIRCd, you are safe. All others should update as soon as possible, as this bug allows remote attackers to execute arbitrary code with the privileges of ngIRCd.
The only change since version 0.8.2 is:
- Fixed a bug that could cause a root exploit when the daemon is compiled to do IDENT lookups and is logging to syslog. Bug discovered by CoKi, coki@nosystem.com.ar, thanks a lot! (http://www.nosystem.com.ar/advisories/advisory-11.txt)
You can download ngIRCd 0.8.3 (~271 KB) from:
- ftp://ftp.berlios.de/pub/ngircd/ngircd-0.8.3.tar.gz
- ftp://Arthur.Ath.CX/pub/Users/alex/ngircd/ngircd-0.8.3.tar.gz
- http://download.berlios.de/ngircd/ngircd-0.8.3.tar.gz [soon ...]
And the patch from 0.8.2 to 0.8.3 (~3 KB) as well as GnuPG signatures can be found here:
- ftp://ftp.berlios.de/pub/ngircd/
- ftp://Arthur.Ath.CX/pub/Users/alex/ngircd/
This release has been tagged as "rel-0-8-3" in the CVS.
Regards,
Alex