mirror of https://github.com/unrealircd/unrealircd.git synced 2026-06-30 19:06:37 +02:00

Update doc/RELEASE-NOTES.old. Now contains 4.2.0 and 4.2.1 release notes,

I forgot the 4.2.0 one earlier..
Bram Matthys
2019-01-18 13:20:28 +01:00
parent 4681603c52
commit e82dbdce1a
+204
@@ -3,6 +3,210 @@ See doc/RELEASE-NOTES for the latest release notes.
This file (doc/RELEASE-NOTES.old) contains the release notes
of OLDER releases for historical purposes.
==[ CHANGES BETWEEN 4.2.1 AND 4.2.1.1 ]==
The 4.2.1.1 version includes a compile fix for Debian.
==[ CHANGES BETWEEN 4.2.0 AND 4.2.1 ]==
This version enhances support for authentication for clients that do not
support SASL. Also new is a module to combat mixed UTF8 character spam,
a rewrite of the operclass privileges and more secure password hashing.
If you missed the 4.2.0 release, then consider looking at the previous
release announcement as well, since it introduced a lot of new features:
https://forums.unrealircd.org/viewtopic.php?f=1&t=8843
NOTE: There will be no further 4.0.x releases. Current stable is 4.2.x.
https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series
Enhancements:
* Support for authentication prompt:
Since 4.2.0 you can require specific users to authenticate themselves with
their nickname and password via SASL. We now offer a new experimental
module called 'authprompt' which will help non-SASL users by showing a
notice and asking them to authenticate to their account using the command
/AUTH <user>:<pass>. See the new authentication article on the wiki for
an overview: https://www.unrealircd.org/docs/Authentication and also
https://www.unrealircd.org/docs/Set_block#set::authentication-prompt
* New optional module 'antimixedutf8' to combat mixed UTF8 character spam
(also called freenode spam) that has been plaguing networks.
See: https://www.unrealircd.org/docs/Set_block#set::antimixedutf8
* Support for Argon2 password hashing, which is more resilient against
brute force cracking.
* Indicate 's' in WHO reply flags if the user is secure (SSL/TLS).
Configuration changes:
* The require sasl { } block is now called require authentication { }
* The operclass privileges have been redone. Since there were 50+ changes
to the 100+ privileges it makes little sense to list the changes here.
If, like 99% of the users, you use default operclasses such as "globop"
and "admin-with-override" then you don't need to do anything.
However, if you have custom operclass { } blocks then the privileges
will have to be redone. For more information on the conversion process,
see https://www.unrealircd.org/docs/FAQ#New_operclass_permissions
For the new list of permissions, with much better naming and grouping:
https://www.unrealircd.org/docs/Operclass_permissions
* In the configuration file you can now use } instead of };
Both forms are accepted. There's no need to change if you don't like it.
* A /* comment in the configuration file is now terminated at the
first occurrence of */, instead of two /* /* requiring two */ */.
See https://www.unrealircd.org/docs/FAQ#Nesting_comments
Major issues fixed:
* The blacklist module did not act on IPv6 users listed in DNSBLs.
Minor issues fixed:
* By default a user shouldn't be allowed to change to a banned nick,
unless (s)he has +hoaq in the channel. This was broken since 4.0.0.
This feature can be disabled via set { check-target-nick-bans no; };
* Rehash error messages sent to opers regarding remote includes now no
longer include authentication information (replaced with ***:***).
Deprecated:
* The authentication types 'md5', 'sha1' and 'ripemd160' have been
deprecated because they can be cracked at high speeds. They still
work, but a warning will be shown on boot and on rehash.
Please use the new 'argon2' type instead. Type /MKPASSWD argon2 passwd
on IRC, or "./unrealircd mkpasswd argon2" on the command line.
Module coders:
* Priorities in command overrides were reversed (was added in 4.2.0).
Future versions:
* We intend to change the default plaintext oper policy from 'warn' to 'deny'
in the year 2019. This will deny /OPER when used from a non-SSL connection.
For security, IRC Operators should really use SSL/TLS!
==[ CHANGES BETWEEN 4.0.18 AND 4.2.0 ]==
There have been so many changes in this and the last few 4.0.x versions,
it justifies calling this new release "UnrealIRCd 4.2.0".
Marking the beginning of the 4.2 series, this release introduces features
such as "soft klines" and "soft actions". A significant number of optional
modules are now loaded as default, including timed channel bans and
textbans. Also, a lot more smaller changes are included in this release,
such as fixes for TLSv1.3 and experimental WHOX support.
See further down for a full list of changes.
NOTE: Version 4.2.0 is the direct successor to 4.0.18. There will be
no further 4.0.x releases (in particular there will be no 4.0.19).
https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series
Enhancements:
* New option to disable a module: blacklist-module "modulename";
This will cause any 'loadmodule' lines for that module to be ignored.
This is especially useful if you only want to disable a few modules
that are (normally) automatically loaded by conf/modules.default.conf.
https://www.unrealircd.org/docs/Blacklist-module_directive
* Next three new features have to do with SASL. More information on SASL
in general can be found at https://www.unrealircd.org/docs/SASL
* A new require sasl { } block which allows you to force users on the
specified hostmask to use SASL. Any unauthenticated users matching
the specified hostmask are are rejected.
See https://www.unrealircd.org/docs/Require_sasl_block
* New "soft kline" and "soft gline". These will not be applied to users
that are authenticated to services using SASL.
These are just GLINE/KLINE's but prefixed with a percent sign:
Example: /GLINE %*@10.* 0 Only SASL allowed from here
* New "soft" ban actions for spamfilter, blacklist, antirandom, etc.
Actions such as "soft-kline" and "soft-kill" will only be applied to
unauthenticated users. Users who are authenticated to services (SASL)
are exempt from the corresponding spamfilter/blacklist/antirandom/..
See https://www.unrealircd.org/docs/Actions for the full action list.
* WARNING: If your network also contains UnrealIRCd servers below v4.2.0
then it is not recommended to use global soft bans (such as soft gline
or any spamfilter with soft-xx actions). There won't be havoc, but the
bans won't be effective on parts of the network.
* The following extban modules are not new but are now enabled by default:
extbans/textban, extbans/timedban and extbans/msgbypass.
In case you don't like them, use blacklist-module as mentioned earlier.
Just as a reminder, they provide the following functionality:
* TextBan: +b ~T:block:*badword* to block sentences with 'badword'
* Timed bans: ~t:duration:mask
These are bans that are automatically removed by the server.
The duration is in minutes and the mask can be any ban mask.
Some examples:
* A 5 minute ban on a host:
+b ~t:5:*!*@host
* A 5 minute quiet ban on a host (unable to speak):
+b ~t:5:~q:*!*@host
* An invite exception for 24 hours (1440 minutes):
+I ~t:1440:*!*@host
* A temporary exempt ban for a services account:
+e ~t:1440:~a:Account
* Allows someone to speak through +m for the next 24hrs:
+e ~t:1440:~m:moderated:*!*@host
* And any other crazy ideas you can come up with...
* Ban exception ~m:type:mask to allow bypassing of message restrictions.
Valid types are: 'external' (bypass +n), moderated (bypass +m/+M),
'censor' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T).
Some examples:
* Let LAN users bypass +m: +e ~m:moderated:*!*@192.168.*
* Let ops in #otherchan bypass +m: +e ~m:moderated:~c:@#otherchan
* Make GitHub commit bot bypass +n: +e ~m:external:*!*@ipmask
* Allow a services account to use color: +e ~m:color:~a:ColorBot
* Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
* AntiRandom: The module will now (by default) exempt WEBIRC gateways
from antirandom checking because they frequently cause false positives.
This new behavior can be disabled via:
set { antirandom { except-webirc no; }; };
* Server linking attempts and errors are now also put in the log file.
* A new module that provides WHOX support, an enhanced and more standard
version of WHO (NOTE: the command is still "WHO").
This allows, among other things, the client to request additional
information, such as which services account each channel member is using.
The module is currently experimental. To use it, add this to your conf:
loadmodule "m_whox";
Major issues fixed:
* Blacklist: Potential crash issue when concurrently checking DNSBL
for the WEBIRC gateway and the spoofed host.
* Blacklist: In case of multiple blacklists the 2nd/3rd/.. blacklists
were not always checked properly.
Minor issues fixed:
* Remote includes: ./Config didn't properly detect libcurl on Ubuntu 18
(and possibly other Linux distributions as well)
* Timeouts during server linking attempts were not displayed.
* Delayjoin: Halfops did not see JOIN's when channel mode +D was set.
* IRCOps with minimal privileges lost their user modes on MODE change.
* IRCOps could not override channel mode +z (when not using SSL/TLS)
* Channel names sometimes truncated if using accents or special chars.
* TLSv1.3 ciphersuite setting was changed to reflect OpenSSL's behavior.
There is now set::ssl::ciphersuites, specifically for TLSv1.3.
Note that the default is perfectly fine so at this point in time it
shouldn't need any adjustment (but the option is there...).
* Windows: conf\modules.optional.conf was missing.
Removed:
* allow::options::sasl has been removed. Use the new and more flexible
require sasl { } block instead.
Other changes:
* Windows users may be prompted to install the Visual C++ redistributable
package for Visual Studio 2017. This is because we now build on VS 2017
instead of VS 2012.
* We now use standard formatted messages for all K-Lines, G-Lines and
any other bans that will cause the user to be disconnected.
For technical details see the banned_client() function.
* The except throttle { } block now also overrides any limitations from
set::max-unknown-connection-per-ip. Useful for WEBIRC/cgiirc gateways.
* Localhost connections are considered secure, so these can be used even
if you have a plaintext-policy of 'deny' or 'warn'. (This was already
the case for servers, but now also for users and opers)
* Allow slashes in vhost/chghost/sethost/.. (but not through DNS)
Module coders:
* Windows: Be aware that we now build with Visual Studio 2017. This means
3rd party modules should be compiled with VS 2017 (or VS 2015) as well.
Future versions:
* We intend to change the default plaintext oper policy from 'warn' to 'deny'
later this year. This will deny /OPER when used from a non-SSL connection.
For security, IRC Operators should really use SSL/TLS!
==[ CHANGES BETWEEN 4.0.17 AND 4.0.18 ]==
Enhancements:
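Review bot: The require sasl { } item under the 4.2.0 Enhancements contains a doubled word, "are are rejected"; since the text is being copied into the archive here, correct it to "are rejected". In the same section the ~m:type:mask entry quotes 'external', 'censor', 'color' and 'notice' but leaves moderated unquoted, so quote it to match. The 4.2.0 "Future versions" entry says "later this year", which is ambiguous once the notes sit in a file of older releases; consider naming the year, as the 4.2.1 entry does with "in the year 2019".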