Hello!
A severe bug in ngIRCd 18 up to and including 20.2 has been discovered which will crash the daemon (denial of service) and can happen when the daemon fails to send the optional "notice auth" message to new clients connecting to the server (CVE-2013-5580).
So here it is, our next release: ngIRCd 20.3.
Please note that only setups having the configuration option "NoticeAuth" enabled are affected, which is not the default.
The only change in ngIRCd 20.3 is the fix for the above bug, all installations should upgrade.
But please stay tuned: ngIRCd 21, including new features like SSL fingerprints, an include directory for configuration files, better systemd(8) support etc., is in the works, too, and I hope that we can soon release a beta version for testing. I'll keep you informed!
Changes in ngIRCd 20.3:
• Security: Fix a denial of service bug (server crash) which could happen when the configuration option "NoticeAuth" is enabled (which is NOT the default) and ngIRCd failed to send the "notice auth" messages to new clients connecting to the server (CVE-2013-5580).
More information can be found on the homepage http://ngircd.barton.de/ and its mirror http://ngircd.berlios.de/.
The primary download locations are:
• ftp://ftp.berlios.de/pub/ngircd/
• http://ngircd.barton.de/pub/ngircd/
Regards Alex
On Fri, Aug 23, 2013 at 10:59:37PM +0200, Alexander Barton wrote:
> A severe bug in ngIRCd 18 up to and including 20.2 has been discovered which will crash the daemon (denial of service) and can happen when the daemon fails to send the optional "notice auth" message to new clients connecting to the server (CVE-2013-5580).
And if you can't or don't want to upgrade to ngIRCd 20.3 immediately, you can disable "NoticeAuth" in your ngircd.conf file and "rehash" the daemon at runtime, either by "killall -HUP ngircd" (or equivalent) or by using the IRC "REHASH" command as IRC Operator.
No restart required.
And to make it clear: all (default) installations that don't have "NoticeAuth" enabled don't have to upgrade immediately: they are NOT affected at all ...
Regards Alex
On Fri, Aug 23, 2013 at 10:59:37PM +0200, Alexander Barton wrote:
> A severe bug in ngIRCd 18 up to and including 20.2 has been discovered which will crash the daemon (denial of service) and can happen when the daemon fails to send the optional "notice auth" message to new clients connecting to the server (CVE-2013-5580).
This is _wrong_.
After even more checking by Christoph Biedl and myself, it turns out that ngIRCd 18 and 19.x are _NOT_ affected by this bug.
These ngIRCd releases contain another (already known) bug that renders the "NoticeAuth" option quite dysfunctional and even incompatible with SSL-encrypted connections (this is fixed in ngIRCd 20), but can't crash the daemon as stated above.
So only ngIRCd 20, 20.1, and 20.2 are affected and should be upgraded to ngIRCd 20.3 (or newer).
> Please note that only setups having the configuration option "NoticeAuth" enabled are affected, which is not the default.
This is still true, even for ngIRCd 20, 20.1, and 20.2.
Thanks Alex
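The following shell script is an added example and is not part of this thread or of the ngIRCd project. It turns the two conditions stated above into a check an administrator can run on a host: the daemon version is one of the ones the corrected list names as affected (20, 20.1, 20.2), and "NoticeAuth = yes" is set in the [Options] section of ngircd.conf. It also applies the workaround from the second message by rewriting the option to "no" (the daemon still has to be rehashed afterwards). The config file used here is a constructed sample; the script assumes the usual INI-style ngircd.conf layout and only recognises "yes"/"true" as enabled values.

```shell
#!/bin/sh
# Added example, not ngIRCd project code: check for the affected
# combination (ngIRCd 20 / 20.1 / 20.2 with NoticeAuth enabled) and
# apply the config-side workaround (set NoticeAuth = no, then rehash).

# Print "yes" if NoticeAuth is enabled in the [Options] section of the
# given ngircd.conf, otherwise "no". Comment lines (';' or '#') are
# skipped; the option is only looked at inside [Options].
# Assumption: only "yes" and "true" are treated as enabled values.
noticeauth_setting() {
    conf="$1"
    awk '
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[][ \t]/, "", sect); next }
        /^[ \t]*[;#]/ { next }
        sect == "options" && tolower($0) ~ /^[ \t]*noticeauth[ \t]*=/ {
            val = tolower($0); sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
        }
        END { if (val == "yes" || val == "true") print "yes"; else print "no" }
    ' "$conf"
}

# Exit 0 when the version string is one the corrected advisory lists as
# affected; 18.x and 19.x are explicitly NOT affected.
version_affected() {
    case "$1" in
        20|20.1|20.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 ("at risk") only when BOTH conditions hold: affected version
# and NoticeAuth enabled. Usage: at_risk <version> <path-to-ngircd.conf>
at_risk() {
    version_affected "$1" && [ "$(noticeauth_setting "$2")" = "yes" ]
}

# Workaround from the thread: rewrite NoticeAuth to "no" inside [Options].
# Writes to a temp file first so a failed awk does not truncate the config.
# After this, rehash the daemon (SIGHUP or the IRC REHASH command).
disable_noticeauth() {
    conf="$1"
    awk '
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[][ \t]/, "", sect) }
        sect == "options" && tolower($0) ~ /^[ \t]*noticeauth[ \t]*=/ {
            print "NoticeAuth = no"; next
        }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample ngircd.conf (hypothetical values) with the risky
# setting enabled; prints the path of the temporary file it created.
sample_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/ngircd-check.XXXXXX")
    cat > "$f" <<'EOF'
; constructed sample configuration, not a real server
[Global]
Name = irc.example.net
[Options]
; "yes" is NOT the default; this is the setting the advisory is about
NoticeAuth = yes
EOF
    echo "$f"
}

# Stand-alone demonstration on the constructed sample.
if [ "${0##*/}" != "sh" ] && [ -z "$NGIRCD_CHECK_NO_DEMO" ]; then
    demo=$(sample_conf)
    if at_risk 20.2 "$demo"; then
        echo "ngIRCd 20.2 with NoticeAuth=yes: AT RISK, disabling NoticeAuth"
        disable_noticeauth "$demo"
        echo "NoticeAuth is now: $(noticeauth_setting "$demo") (rehash the daemon)"
    fi
    rm -f "$demo"
fi
```

On a real host, replace the sample file with the path of the live ngircd.conf and the version string with the one the installed daemon reports; the check only flags the combination the thread describes, so a 20.x daemon with NoticeAuth left at its default is reported as not at risk, matching the last message.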