Hi all!
Florian Westphal found a serious bug in ngIRCd release 14 which affects all servers compiled with SSL support linked in, regardless of whether SSL support is actually in use. This bug is remotely triggerable and causes the daemon to crash (DoS).
So EVERYBODY using ngIRCd release 13 or 14 with SSL support linked in SHOULD UPGRADE to ngIRCd release 14.1 as soon as possible!
You can use the "ngircd --version" command to check the options your daemon provides: if it lists "SSL", you are affected! (e.g. "ngircd 14.1-SYSLOG+ZLIB+SSL+IRCPLUS+IPv6-i386/apple/darwin9.6" is affected)
The full changelog lists (since release 14):
- Security: fix remotely triggerable crash in SSL/TLS code.
- BSD start script contrib/ngircd.sh has been renamed to ngircd-bsd.sh.
- New start/stop script for RedHat-based distributions: contrib/ngircd-redhat.init, thanks to Naoya Nakazawa naoya@sanow.net.
- Doxygen: update source code repository link to GIT.
- Debian: build ngircd-full-dbg package.
- Allow ping timeout quit messages to show the timeout value.
- Fix error handling on compressed links.
- Fix server list announcement.
- Do not remove hostnames from info text.
Direct download links for the source archive:
ftp://ftp.berlios.de/pub/ngircd/ngircd-14.1.tar.gz
ftp://ngircd.barton.de/pub/ngircd/ngircd-14.1.tar.gz
The ChangeLog can be found here:
http://ngircd.barton.de/doc/ChangeLog
http://ngircd.berlios.de/doc/ChangeLog
GnuPG signatures and a patch from release 14 are available and can be downloaded from here:
ftp://ngircd.barton.de/pub/ngircd/
ftp://ftp.berlios.de/pub/ngircd/
The relevant MD5 sums are:
MD5 (ngircd-14.1.tar.gz) = eef90855414c35bfb6590d17e24ee06f
MD5 (ngircd-14-14.1.patch.gz) = 896814187a7a350272ab5fb4119a381a
You can have a look at the complete history and every single patch using the GIT web-frontend located at:
http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git
Please let us know if you encounter any bugs or need more/better documentation (best is to file bugs using the bug tracker or to mail to this list). Thanks!
Regards,
Alex
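A practical follow-up to the "ngircd --version" check in the announcement is a small script that decides, from that one output line, whether a daemon is in the affected set (release 13 or 14 with SSL linked in). This is an added example, not code from the announcement or from the ngIRCd project. It takes the version-string layout from the example string quoted above ("ngircd <version>-<FEATURE>+<FEATURE>...-<host>"); the function names, the sample strings and the assumption that the first line of "ngircd --version" carries that string are this example's own.

```sh
# Added example, not part of the announcement or of ngIRCd itself.
# It parses the one-line "ngircd --version" output in the form shown above,
#   ngircd <version>-<FEATURE>+<FEATURE>+...-<host-triplet>
# and reports whether the build falls into the affected set: release 13 or
# 14 with SSL linked in (whether SSL is configured does not matter).
# The function names and the sample strings are this example's own.

# Print the version field ("14", "14.1", ...) of a --version line.
ngircd_version() {
    printf '%s\n' "$1" | awk '{ split($2, a, "-"); print a[1] }'
}

# Print the '+'-separated feature list ("SYSLOG+ZLIB+SSL+...") of a --version line.
ngircd_features() {
    printf '%s\n' "$1" | awk '{ n = split($2, a, "-"); if (n >= 2) print a[2] }'
}

# Succeed if SSL support is linked in. The list is wrapped in '+' so that
# only the exact feature "SSL" matches, not a longer name that contains "SSL".
ngircd_has_ssl() {
    case "+$(ngircd_features "$1")+" in
        *+SSL+*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeed if the build is affected: a 13.x or 14.0 release with SSL linked in.
# 14.1 (the fixed release) and anything outside the 13/14 lines are not flagged.
ngircd_affected() {
    _ver=$(ngircd_version "$1")
    case "$_ver" in
        13|13.*|14|14.0|14.0.*) ;;
        *) return 1 ;;
    esac
    ngircd_has_ssl "$1"
}

# Usage on a host running the daemon (assumes the first output line is the
# version string):
#   if ngircd_affected "$(ngircd --version 2>/dev/null | head -n 1)"; then
#       echo "affected build, upgrade to ngIRCd 14.1"
#   fi
```

The check is deliberately conservative: an unrecognised version field is reported as not affected, so the script should be read as "known affected", not as proof that a build is safe.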
Alexander Barton alex@barton.de wrote:
> Florian Westphal found a serious bug in ngIRCd release 14 which affects all servers compiled with SSL support linked in, regardless of whether SSL support is actually in use.
I am also the one who put that crap in there in the first place...
> So EVERYBODY using ngIRCd release 13 or 14 with SSL support linked in SHOULD UPGRADE to ngIRCd release 14.1 as soon as possible!
Also, running ngircd standalone (i.e. the IRC network is a single server) is OK, as the bug is triggered when an MOTD ("Message of the day") request from a client that is connected to a different server is received.
On Wed, 6 May 2009, Florian Westphal wrote:
> Alexander Barton alex@barton.de wrote:
>> Florian Westphal found a serious bug in ngIRCd release 14 which affects all servers compiled with SSL support linked in, regardless of whether SSL support is actually in use.
> I am also the one who put that crap in there in the first place...
Are you also a person one can ask for chained CA certificate support? :)
-- kolla, wishful optimist
Kolbjørn Barmen irc@kolla.no wrote:
>> Alexander Barton alex@barton.de wrote:
>>> Florian Westphal found a serious bug in ngIRCd release 14 which affects all servers compiled with SSL support linked in, regardless of whether SSL support is actually in use.
>> I am also the one who put that crap in there in the first place...
> Are you also a person one can ask for chained CA certificate support? :)
Yes, but since I am no longer a student there is not much time for working on that.
In case someone else wants to look into implementing certificates, http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/ngircd-tls.git;a=commitdiff... contains the (abandoned) efforts to get certificate handling to work.
I will see if I can rebase this on top of the ngircd head code and move the unrelated cruft into a separate commit (not before next Sunday).
Hopefully I will then start to remember what worked and what didn't 8-/