diff --git a/configure b/configure index 488cf20c1..358cd1c1d 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72 for unrealircd 6.2.5-git. +# Generated by GNU Autoconf 2.72 for unrealircd 6.2.5. # # Report bugs to . # @@ -604,8 +604,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unrealircd' PACKAGE_TARNAME='unrealircd' -PACKAGE_VERSION='6.2.5-git' -PACKAGE_STRING='unrealircd 6.2.5-git' +PACKAGE_VERSION='6.2.5' +PACKAGE_STRING='unrealircd 6.2.5' PACKAGE_BUGREPORT='https://bugs.unrealircd.org/' PACKAGE_URL='https://unrealircd.org/' @@ -1359,7 +1359,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -'configure' configures unrealircd 6.2.5-git to adapt to many kinds of systems. +'configure' configures unrealircd 6.2.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1425,7 +1425,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unrealircd 6.2.5-git:";; + short | recursive ) echo "Configuration of unrealircd 6.2.5:";; esac cat <<\_ACEOF @@ -1598,7 +1598,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unrealircd configure 6.2.5-git +unrealircd configure 6.2.5 generated by GNU Autoconf 2.72 Copyright (C) 2023 Free Software Foundation, Inc. @@ -1905,7 +1905,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unrealircd $as_me 6.2.5-git, which was +It was created by unrealircd $as_me 6.2.5, which was generated by GNU Autoconf 2.72. Invocation command line was $ $0$ac_configure_args_raw @@ -2713,7 +2713,7 @@ printf "%s\n" "#define UNREAL_VERSION_MINOR $UNREAL_VERSION_MINOR" >>confdefs.h # The version suffix such as a beta marker or release candidate # marker. (e.g.: -rcX for unrealircd-3.2.9-rcX). This macro is a # string instead of an integer because it contains arbitrary data. -UNREAL_VERSION_SUFFIX="-git" +UNREAL_VERSION_SUFFIX="" printf "%s\n" "#define UNREAL_VERSION_SUFFIX \"$UNREAL_VERSION_SUFFIX\"" >>confdefs.h @@ -10713,7 +10713,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unrealircd $as_me 6.2.5-git, which was +This file was extended by unrealircd $as_me 6.2.5, which was generated by GNU Autoconf 2.72. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -10778,7 +10778,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -unrealircd config.status 6.2.5-git +unrealircd config.status 6.2.5 configured by $0, generated by GNU Autoconf 2.72, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 5194252ae..43e3ab008 100644 --- a/configure.ac +++ b/configure.ac @@ -7,7 +7,7 @@ dnl src/windows/unrealinst.iss dnl doc/Config.header dnl src/version.c.SH -AC_INIT([unrealircd], [6.2.5-git], [https://bugs.unrealircd.org/], [], [https://unrealircd.org/]) +AC_INIT([unrealircd], [6.2.5], [https://bugs.unrealircd.org/], [], [https://unrealircd.org/]) AC_CONFIG_SRCDIR([src/ircd.c]) AC_CONFIG_HEADER([include/setup.h]) AC_CONFIG_AUX_DIR([autoconf]) @@ -38,7 +38,7 @@ AC_DEFINE_UNQUOTED([UNREAL_VERSION_MINOR], [$UNREAL_VERSION_MINOR], [Minor versi # The version suffix such as a beta marker or release candidate # marker. (e.g.: -rcX for unrealircd-3.2.9-rcX). This macro is a # string instead of an integer because it contains arbitrary data. -UNREAL_VERSION_SUFFIX=["-git"] +UNREAL_VERSION_SUFFIX=[""] AC_DEFINE_UNQUOTED([UNREAL_VERSION_SUFFIX], ["$UNREAL_VERSION_SUFFIX"], [Version suffix such as a beta marker or release candidate marker. (e.g.: -rcX for unrealircd-3.2.9-rcX)]) AC_PATH_PROG(RM,rm) diff --git a/doc/Config.header b/doc/Config.header index 0a01dfcb3..8b9c098cc 100644 --- a/doc/Config.header +++ b/doc/Config.header @@ -7,7 +7,7 @@ \___/|_| |_|_| \___|\__,_|_|\___/\_| \_| \____/\__,_| Configuration Program - for UnrealIRCd 6.2.5-git + for UnrealIRCd 6.2.5 This program will help you to compile your IRC server, and ask you questions regarding the compile-time settings of it during the process. diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md index bb4abc94c..5c4c8ca5f 100644 --- a/doc/RELEASE-NOTES.md +++ b/doc/RELEASE-NOTES.md @@ -1,12 +1,27 @@ -UnrealIRCd 6.2.5-git -===================== +UnrealIRCd 6.2.5 +================= -This is the git version (development version) for future UnrealIRCd 6.2.5. -This is work in progress and may not always be a stable version. +This UnrealIRCd 6.2.5 release is mostly about improving IPv6 clone +detection. If your IRC network has IPv6 connectivity then hot-patching +without restart (see below), or upgrading, is highly recommended. +If you don't have IPv6 then this release is less important. -This version changes the way we deal with IPv6 clone detection. If you -run an IRC network with IPv6 connectivity, be sure to read the first 3 -points of the **Enhancements** section below carefully. +Without this, a user with IPv6 connectivity (e.g. a typical +residential connection) can connect thousands of clones using +their /64 prefix, bypassing per-host limits like `allow::maxperip` +and `connect-flood`. + +If you run UnrealIRCd 6.2.x then you also have the option of using our +**hot-patch**, which allows updating the server **without a restart**. +To do so, run: `./unrealircd hot-patch ipv6-clones` +For UnrealIRCd 6.2.3 and 6.2.4 this gives you nearly the same IPv6 clones +protection as this 6.2.5 release. For UnrealIRCd 6.2.0/6.2.1/6.2.2 it will +hot-patch only the maxperip /64 issue and not add the new connthrottle +functionality. + +This release has been tested on a couple of networks with hundreds of users, +without an impact on regular users, but it is still good to know these new +limits. ### Enhancements: * [allow::maxperip](https://www.unrealircd.org/docs/Allow_block#maxperip) @@ -20,23 +35,24 @@ points of the **Enhancements** section below carefully. now raise an error. * [ConnThrottle](https://www.unrealircd.org/docs/Connthrottle) now has a set::connthrottle::ipv6-unknown-users-limit (enabled by default). - This limits the number of *unknown IPv6 users* per /56, /48 and /32. This reduces the effect of an attacker launching many IPv6 clones at a server. Users in the "known-users" security-group are exempt (by default: identified to services, or [reputation](https://www.unrealircd.org/docs/Reputation_score) of 25 or more). Also exempt are users matching set::connthrottle::except or an except ban with type maxperip. -* New set::known-cloud-services (enabled by default) automatically - exempts large IRC platforms with stable published IP ranges from - [allow::maxperip](https://www.unrealircd.org/docs/Allow_block#maxperip) + * Difference from maxperip: maxperip counts everyone per /64. This counts + only unknown users and works on wider IPv6 prefixes (/56, /48 and /32). + So known users can connect while cloners are limited. +* New [set::known-cloud-services](https://www.unrealircd.org/docs/Set_block#set::known-cloud-services) + (enabled by default) exempts large IRC platforms with stable + published IP ranges from [allow::maxperip](https://www.unrealircd.org/docs/Allow_block#maxperip) and [connect-flood](https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood). - Currently only IRCCloud qualifies. This is more reliable than the DNS-based + Currently only IRCCloud qualifies. This is more reliable than the `except ban { mask *.irccloud.com; ... }` block that `example.conf` - has shipped since 2023, which can fail during outages or restarts - when DNS isn't fully resolving. The new maxperip and connthrottle limits - make this even more important. To disable, use: - `set { known-cloud-services no; }`. + has shipped since 2023, as DNS can fail during outages or restarts. + The new maxperip and connthrottle limits make this even more important. + To disable, use: `set { known-cloud-services no; }`. * New [snomask](https://www.unrealircd.org/docs/Snomasks) `+x` for rejections from [allow::maxperip](https://www.unrealircd.org/docs/Allow_block#maxperip) and [ConnThrottle](https://www.unrealircd.org/docs/Connthrottle). @@ -56,13 +72,32 @@ points of the **Enhancements** section below carefully. * Update shipped libs: Sodium (1.0.22) * The event names `CONNTHROTLE_*` were renamed to `CONNTHROTTLE_*` as the former was a typo. +* `link::verify-certificate` is now deprecated and a config warning is + shown when set. It verified the peer certificate against CA trust. + However, newly issued certs from CAs (such as Let's Encrypt) tend to + no longer have the Client Authentication EKU, so linking with + `verify-certificate` often fails nowadays. Admins should switch to + `spkifp` for server linking, like everyone else. ### Fixes: * [set::connthrottle::disabled-when::reputation-gathering](https://www.unrealircd.org/docs/Connthrottle) has been set to 1 week in example.conf since 2019, but if you did not have that item it defaulted to 0 (no delay). Now 1 week. +* OOB write if a URL callback returns a response that is more than + 2GB. This only affects memory-backed callbacks: centralblocklist, + spamreport and log with destination webhook. In practice these + are likely all trusted servers. +* [WEBIRC](https://www.unrealircd.org/docs/WebIRC_block): + if you had an `except ban` block with type `connect-flood` for the + gateway then we were accidentally also exempting the end-users + behind it, rendering connect-flood useless. ### Developers and protocol: +* `OutgoingWebRequest` has a new `max_size` field (in bytes) that caps + the response size for memory-backed downloads. It defaults to + `DOWNLOAD_MAX_SIZE` (1MB). Ignored for file-backed downloads. This + protects against rogue or misbehaving webservers sending huge + responses that could otherwise fill server memory. UnrealIRCd 6.2.4 ================= diff --git a/doc/conf/modules.default.conf b/doc/conf/modules.default.conf index c1dcb47f1..53ce4acb2 100644 --- a/doc/conf/modules.default.conf +++ b/doc/conf/modules.default.conf @@ -1,4 +1,4 @@ -/* [6.2.5-git] +/* [6.2.5] * This file will load (nearly) all modules available on UnrealIRCd. * So all commands, channel modes, user modes, etc.. * diff --git a/extras/doxygen/Doxyfile b/extras/doxygen/Doxyfile index 97f73d104..89d6a1fec 100644 --- a/extras/doxygen/Doxyfile +++ b/extras/doxygen/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = "UnrealIRCd" # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 6.2.5-git +PROJECT_NUMBER = 6.2.5 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a diff --git a/include/windows/setup.h b/include/windows/setup.h index ab35c24f4..20b75cd93 100644 --- a/include/windows/setup.h +++ b/include/windows/setup.h @@ -76,6 +76,6 @@ /* Version suffix such as a beta marker or release candidate marker. (e.g.: -rcX for unrealircd-3.2.9-rcX) */ -#define UNREAL_VERSION_SUFFIX "-git" +#define UNREAL_VERSION_SUFFIX "" #endif diff --git a/src/version.c.SH b/src/version.c.SH index 63b655413..dc7d0c1a7 100644 --- a/src/version.c.SH +++ b/src/version.c.SH @@ -7,7 +7,7 @@ echo "Extracting src/version.c..." if [ -d ../.git ]; then SUFFIX="-$(git rev-parse --short HEAD)" fi -id="6.2.5-git$SUFFIX" +id="6.2.5$SUFFIX" echo "$id" if test -r version.c diff --git a/src/windows/unrealinst.iss b/src/windows/unrealinst.iss index dcbbe7213..b105d6330 100755 --- a/src/windows/unrealinst.iss +++ b/src/windows/unrealinst.iss @@ -6,7 +6,7 @@ [Setup] AppName=UnrealIRCd 6 -AppVerName=UnrealIRCd 6.2.5-git +AppVerName=UnrealIRCd 6.2.5 AppPublisher=UnrealIRCd Team AppPublisherURL=https://www.unrealircd.org AppSupportURL=https://www.unrealircd.org