Updates for new repository name of test framework.

was not possible since the configuration code was missing.
Reported by HeXiLeD in https://bugs.unrealircd.org/view.php?id=5327

.CHANGES.NEW

@@ -7,7 +7,7 @@
  \___/|_| |_|_|  \___|\__,_|_|\___/\_| \_| \____/\__,_|
 
                                Configuration Program
-                                for UnrealIRCd 4.2.3
+                                for UnrealIRCd 4.2.4.1
                                     
 This program will help you to compile your IRC server, and ask you
 questions regarding the compile-time settings of it during the process. 

.gitmodules

@@ -3,4 +3,4 @@
 	url = https://github.com/unrealircd/ircfly.git
 [submodule "extras/tests/functional-tests"]
 	path = extras/tests/functional-tests
-	url = https://github.com/unrealircd/unrealircd-tests.git
+	url = https://github.com/unrealircd/unrealircd-tests-old.git

Config

@@ -147,6 +147,11 @@ else
 echo "SSL certificate exists in $CONFDIR/ssl/server.cert.pem, no need to regenerate."
 fi
 fi
+
+# Silently force a 'make clean' as otherwise part (or whole) of the
+# compiled source could be using different settings than the user
+# just requested when re-running ./Config.
+make clean 1>/dev/null 2>&1
 }
 
 RUN_ADVANCED () {
@@ -383,6 +388,22 @@ else
         n="-n"
 fi
 
+date|grep 2019 1>/dev/null 2>&1
+if [ "$?" -ne 0 ]; then
+	echo "*** WARNING ***"
+	echo "UnrealIRCd 4.x will no longer be supported after December 31, 2020."
+	echo "You should upgrade to UnrealIRCd 5 before that date."
+	echo "See https://www.unrealircd.org/docs/UnrealIRCd_4_EOL"
+	echo $n . $c
+	sleep 1
+	echo $n . $c
+	sleep 1
+	echo $n . $c
+	echo ""
+	sleep 1
+	echo "Press ENTER to continue"
+	read xyz
+fi
 
 #parse arguments
 NOCACHE=""

autoconf/m4/unreal.m4

@@ -192,14 +192,34 @@ SAVE_LIBS="$LIBS"
 LIBS="$LIBS $CRYPTOLIB"
 AC_TRY_LINK([#include <openssl/ssl.h>],
 	[SSL_CTX *ctx = NULL; SSL_CTX_set1_curves_list(ctx, "test");],
-	has_curves=1,
-	has_curves=0)
+	has_function=1,
+	has_function=0)
 LIBS="$SAVE_LIBS"
 AC_LANG_POP(C)
-if test $has_curves = 1; then
+if test $has_function = 1; then
 	AC_MSG_RESULT([yes])
 	AC_DEFINE([HAS_SSL_CTX_SET1_CURVES_LIST], [], [Define if ssl library has SSL_CTX_set1_curves_list])
 else
 	AC_MSG_RESULT([no])
 fi
 ])
+
+AC_DEFUN([CHECK_SSL_CTX_SET_MIN_PROTO_VERSION],
+[
+AC_MSG_CHECKING([for SSL_CTX_set_min_proto_version in SSL library])
+AC_LANG_PUSH(C)
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+AC_TRY_LINK([#include <openssl/ssl.h>],
+	[SSL_CTX *ctx = NULL; SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);],
+	has_function=1,
+	has_function=0)
+LIBS="$SAVE_LIBS"
+AC_LANG_POP(C)
+if test $has_function = 1; then
+	AC_MSG_RESULT([yes])
+	AC_DEFINE([HAS_SSL_CTX_SET_MIN_PROTO_VERSION], [], [Define if ssl library has SSL_CTX_set_min_proto_version])
+else
+	AC_MSG_RESULT([no])
+fi
+])

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unrealircd 4.2.3.
+# Generated by GNU Autoconf 2.69 for unrealircd 4.2.4.1.
 #
 # Report bugs to <https://bugs.unrealircd.org/>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unrealircd'
 PACKAGE_TARNAME='unrealircd'
-PACKAGE_VERSION='4.2.3'
-PACKAGE_STRING='unrealircd 4.2.3'
+PACKAGE_VERSION='4.2.4.1'
+PACKAGE_STRING='unrealircd 4.2.4.1'
 PACKAGE_BUGREPORT='https://bugs.unrealircd.org/'
 PACKAGE_URL='https://unrealircd.org/'
 
@@ -625,6 +625,7 @@ ac_includes_default="\
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 UNRLINCDIR
+IRCDLIBS
 URL
 PTHREAD_CFLAGS
 PTHREAD_LIBS
@@ -673,7 +674,6 @@ HARDEN_BINCFLAGS
 HARDEN_LDFLAGS
 HARDEN_CFLAGS
 MKPASSWDLIBS
-IRCDLIBS
 OBJEXT
 EXEEXT
 ac_ct_CC
@@ -764,6 +764,7 @@ with_system_cares
 enable_ssl
 enable_dynamic_linking
 enable_werror
+enable_asan
 enable_libcurl
 '
       ac_precious_vars='build_alias
@@ -1336,7 +1337,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unrealircd 4.2.3 to adapt to many kinds of systems.
+\`configure' configures unrealircd 4.2.4.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1402,7 +1403,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unrealircd 4.2.3:";;
+     short | recursive ) echo "Configuration of unrealircd 4.2.4.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1421,6 +1422,8 @@ Optional Features:
                           rather than dynamically (noone knows if disabling
                           dynamic linking actually does anything or not)
   --enable-werror         Turn compilation warnings into errors (-Werror)
+  --enable-asan           Enable address sanitizer, not recommended for
+                          production servers!
   --enable-libcurl=DIR    enable libcurl (remote include) support
 
 Optional Packages:
@@ -1562,7 +1565,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unrealircd configure 4.2.3
+unrealircd configure 4.2.4.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2168,7 +2171,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unrealircd $as_me 4.2.3, which was
+It was created by unrealircd $as_me 4.2.4.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2577,7 +2580,7 @@ _ACEOF
 
 
 # Minor version number (e.g.: Z in X.Y.Z)
-UNREAL_VERSION_MINOR="3"
+UNREAL_VERSION_MINOR="4"
 
 cat >>confdefs.h <<_ACEOF
 #define UNREAL_VERSION_MINOR $UNREAL_VERSION_MINOR
@@ -2587,7 +2590,7 @@ _ACEOF
 # The version suffix such as a beta marker or release candidate
 # marker. (e.g.: -rcX for unrealircd-3.2.9-rcX). This macro is a
 # string instead of an integer because it contains arbitrary data.
-UNREAL_VERSION_SUFFIX=""
+UNREAL_VERSION_SUFFIX=".1"
 
 cat >>confdefs.h <<_ACEOF
 #define UNREAL_VERSION_SUFFIX "$UNREAL_VERSION_SUFFIX"
@@ -3972,7 +3975,6 @@ fi
 
 
 
-
 # We want to check for compiler flag support, but there is no way to make
 # clang's "argument unused" warning fatal.  So we invoke the compiler through a
 # wrapper script that greps for this message.
@@ -8580,9 +8582,9 @@ SSL_CTX *ctx = NULL; SSL_CTX_set1_curves_list(ctx, "test");
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  has_curves=1
+  has_function=1
 else
-  has_curves=0
+  has_function=0
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
@@ -8593,7 +8595,7 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-if test $has_curves = 1; then
+if test $has_function = 1; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
@@ -8604,6 +8606,53 @@ else
 $as_echo "no" >&6; }
 fi
 
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_min_proto_version in SSL library" >&5
+$as_echo_n "checking for SSL_CTX_set_min_proto_version in SSL library... " >&6; }
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/ssl.h>
+int
+main ()
+{
+SSL_CTX *ctx = NULL; SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  has_function=1
+else
+  has_function=0
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS="$SAVE_LIBS"
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+if test $has_function = 1; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAS_SSL_CTX_SET_MIN_PROTO_VERSION /**/" >>confdefs.h
+
+else
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
 # Check whether --enable-dynamic-linking was given.
 if test "${enable_dynamic_linking+set}" = set; then :
   enableval=$enable_dynamic_linking; enable_dynamic_linking=$enableval
@@ -8773,6 +8822,14 @@ else
 fi
 
 
+# Check whether --enable-asan was given.
+if test "${enable_asan+set}" = set; then :
+  enableval=$enable_asan; ac_cv_asan="$enableval"
+else
+  ac_cv_asan="no"
+fi
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if FD_SETSIZE is large enough to allow $ac_fd file descriptors" >&5
 $as_echo_n "checking if FD_SETSIZE is large enough to allow $ac_fd file descriptors... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -10153,6 +10210,13 @@ if test "$ac_cv_werror" = "yes" ; then
 	CFLAGS="$CFLAGS -Werror"
 fi
 
+if test "$ac_cv_asan" = "yes" ; then
+	CFLAGS="$CFLAGS -O0 -fno-inline -fsanitize=address -fno-omit-frame-pointer -DNOCLOSEFD"
+	IRCDLIBS="-fsanitize=address $IRCDLIBS"
+fi
+
+
+
 
 
 ac_config_files="$ac_config_files Makefile src/Makefile src/modules/Makefile src/modules/chanmodes/Makefile src/modules/usermodes/Makefile src/modules/snomasks/Makefile src/modules/extbans/Makefile src/modules/cap/Makefile src/modules/third/Makefile unrealircd"
@@ -10663,7 +10727,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unrealircd $as_me 4.2.3, which was
+This file was extended by unrealircd $as_me 4.2.4.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -10726,7 +10790,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unrealircd config.status 4.2.3
+unrealircd config.status 4.2.4.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -8,7 +8,7 @@ dnl src/win32/unrealinst.iss
 dnl .CHANGES.NEW
 dnl src/version.c.SH
 
-AC_INIT([unrealircd], [4.2.3], [https://bugs.unrealircd.org/], [], [https://unrealircd.org/])
+AC_INIT([unrealircd], [4.2.4.1], [https://bugs.unrealircd.org/], [], [https://unrealircd.org/])
 AC_CONFIG_SRCDIR([src/ircd.c])
 AC_CONFIG_HEADER([include/setup.h])
 AC_CONFIG_AUX_DIR([autoconf])
@@ -36,13 +36,13 @@ UNREAL_VERSION_MAJOR=["2"]
 AC_DEFINE_UNQUOTED([UNREAL_VERSION_MAJOR], [$UNREAL_VERSION_MAJOR], [Major version number (e.g.: Y for X.Y.Z)])
 
 # Minor version number (e.g.: Z in X.Y.Z)
-UNREAL_VERSION_MINOR=["3"]
+UNREAL_VERSION_MINOR=["4"]
 AC_DEFINE_UNQUOTED([UNREAL_VERSION_MINOR], [$UNREAL_VERSION_MINOR], [Minor version number (e.g.: Z for X.Y.Z)])
 
 # The version suffix such as a beta marker or release candidate
 # marker. (e.g.: -rcX for unrealircd-3.2.9-rcX). This macro is a
 # string instead of an integer because it contains arbitrary data.
-UNREAL_VERSION_SUFFIX=[""]
+UNREAL_VERSION_SUFFIX=[".1"]
 AC_DEFINE_UNQUOTED([UNREAL_VERSION_SUFFIX], ["$UNREAL_VERSION_SUFFIX"], [Version suffix such as a beta marker or release candidate marker. (e.g.: -rcX for unrealircd-3.2.9-rcX)])
 
 AC_PATH_PROG(RM,rm)
@@ -85,7 +85,6 @@ AC_CHECK_LIB(nsl, inet_ntoa,
 AC_CHECK_LIB(crypto, RAND_egd,
 		AC_DEFINE(HAVE_RAND_EGD, 1, [Define if the libcrypto has RAND_egd]))
 
-AC_SUBST(IRCDLIBS)
 AC_SUBST(MKPASSWDLIBS)
 
 dnl HARDENING START
@@ -700,6 +699,7 @@ AC_ARG_WITH(system-argon2, [AS_HELP_STRING([--without-system-argon2], [Use bundl
 AC_ARG_WITH(system-cares, [AS_HELP_STRING([--without-system-cares], [Use bundled version instead of system c-ares. Normally autodetected via pkg-config.])], [], [with_system_cares=yes])
 CHECK_SSL
 CHECK_SSL_CTX_SET1_CURVES_LIST
+CHECK_SSL_CTX_SET_MIN_PROTO_VERSION
 AC_ARG_ENABLE(dynamic-linking, [AS_HELP_STRING([--disable-dynamic-linking], [Make the IRCd statically link with shared objects rather than dynamically (noone knows if disabling dynamic linking actually does anything or not)])],
 	[enable_dynamic_linking=$enableval], [enable_dynamic_linking="yes"])
 AS_IF([test $enable_dynamic_linking = "yes"],
@@ -712,6 +712,12 @@ AC_ARG_ENABLE([werror],
   [ac_cv_werror="$enableval"],
   [ac_cv_werror="no"])
 
+AC_ARG_ENABLE([asan],
+  [AS_HELP_STRING([--enable-asan],
+    [Enable address sanitizer, not recommended for production servers!])],
+  [ac_cv_asan="$enableval"],
+  [ac_cv_asan="no"])
+
 AC_MSG_CHECKING([if FD_SETSIZE is large enough to allow $ac_fd file descriptors])
 AC_COMPILE_IFELSE([
 #include <sys/types.h>
@@ -970,6 +976,14 @@ if test "$ac_cv_werror" = "yes" ; then
 	CFLAGS="$CFLAGS -Werror"
 fi
 
+dnl Address sanitizer build
+if test "$ac_cv_asan" = "yes" ; then
+	CFLAGS="$CFLAGS -O0 -fno-inline -fsanitize=address -fno-omit-frame-pointer -DNOCLOSEFD"
+	IRCDLIBS="-fsanitize=address $IRCDLIBS"
+fi
+
+AC_SUBST(IRCDLIBS)
+
 AC_SUBST(UNRLINCDIR)
 
 AC_CONFIG_FILES([Makefile

doc/RELEASE-NOTES

@@ -1,115 +1,60 @@
-UnrealIRCd 4.2.3 Release Notes
-===============================
+UnrealIRCd 4.2.4.1 Release Notes
+=================================
 
-This UnrealIRCd release adds new modules to combat drones, it bumps the
-default concurrent user limit, and UnrealIRCd can now easily deal with
-1 million *LINE's placed on *@IP without any noticeable performance impact.
+This version, 4.2.4.1, fixes an issue with Debian 10. On Debian 10 the
+list of permitted SSL/TLS protocols was ignored (set::ssl::protocols).
+Other than that, set::ssl::outdated-protocols and set::ssl::outdated-ciphers
+are now configurable (rarely needed, though).
 
-There is also one important change with regards to old style 'posix'
-spamfilters (see under "Deprecated"), these will raise a warning but
-will continue to work for now.
+Below are the release notes of previous release, 4.2.4.
+
+==[ 4.2.4 release notes ]==
+This release fixes a crash issue if UnrealIRCd is configured to use utf8 or
+chinese character sets in set::allowed-nickchars.  This is not the default.
+We don't expect many users to run their IRCd with this enabled, as the utf8
+support was tagged as experimental and the chinese/gbk implementation is
+incomplete.
+
+In addition to the bug fix from above, this release also contains a number
+of other fixes and enhancements.  In particular there were some Windows
+fixes and the reputation and connthrottle modules are now working better.
 
 Enhancements:
-* New optional modules 'reputation' and 'connthrottle' to fight drones:
-  * The 'reputation' module will learn what users (IP addresses) are
-    frequently seen on your server and classify these as "known IP's".
-    For every 5 minutes that someone is connected, the IP address receives
-    +1 point. IP's with registered users receive +2 points per 5 minutes.
-    An IRCOp can /WHOIS a user to view this "reputation score".
-    The "/REPUTATION nick" and "/REPUTATION ip" commands are also available.
-    Note that the reputation score is capped at a maximum of 10000 and
-    entries expire if the IP has not been seen online for 30 days (or
-    even sooner for very low reputation scores).
-  * The 'connthrottle' module puts users in one of these two groups:
-    * "known users" with IP addresses that have been online before on
-      your network for some time. By default: 2+ hours past 30 days.
-    * "new users" who have not been seen online before (or too short).
-    Users in the "known users" group can connect without any limitation.
-    Similarly, users who authenticate to services using SASL can also
-    always get in. However, "new users" can be limited, for example
-    at a maximum rate of 20 "new users" per minute.
-    The end result and goal is that in case of a drone attack, 99% of
-    your regular users can still connect as usual. This, while drones
-    and other unknown IP's are limited at, for example, 20 per minute.
-    By limiting the connection rate for drones and other unknown users
-    the damage is limited. It also gives IRCOps a chance to react and
-    take additional countermeasures, if possible.
-  * The modules are not loaded by default. If you want to use them,
-    then have a look at their example configuration in the file
-    conf/modules.optional.conf
-  * The reputation module needs to be running for some time before it
-    contains a meaningful database of "known users". Therefore the
-    connthrottle module will be disabled until the reputation module
-    has gathered sufficient data. This defaults to 1 week.
-  * Full documentation: https://www.unrealircd.org/docs/Connthrottle
-* On *NIX we now default to 'auto' mode to discover MAXCONNECTIONS.
-  On systems that support it this means UnrealIRCd supports up to 8192
-  connections by default. It automatically falls back to a lower value
-  such as 2048 or 1024 if the user account has a lower limit or if the OS
-  does not support it. We recommend users to no longer set any specific
-  value in ./Config and just leave it at 'auto'. If you want to see the
-  effective limit, then look at this message when you start the server
-  on the console: "This server can handle XYZ concurrent sockets".
-* UnrealIRCd now uses a technique that makes KLINE's, GLINE's and (G)ZLINE's
-  placed on individual IP's (*@IP) extremely fast. Just to illustrate:
-  * Previously it took 129 seconds to add 100k ZLINE's, now it takes 2.5 secs.
-  * Checking a connection against 100,000 ZLINE's is now 250 times faster.
-  * Previously 7,500 clients could connect per minute, now 33,560 per minute.
-  * Even with 1 million ZLINE's on *@IP it can handle 30,000 connections p/m.
-  * Rejecting Z-lined users is even faster at 435,000 connections per minute
-    with 100,000 active ZLINE's.
-  Benchmarked on a 2GHz Intel Xeon Skylake CPU with Linux 4.15.
-  To benefit from these speed improvements, just place a *LINE on *@IP.
-* When the server has just been restarted, many users will reconnect and
-  rejoin channels. We now disable the join flood limit in channel mode +f
-  during the first 75 seconds since startup. This so the channel does not
-  become +i or +R due to "flooding". See:
-  https://www.unrealircd.org/docs/Set_block#set::modef-boot-delay
-
-Deprecated:
-* Spamfilter has 3 matching methods: 'simple', 'regex' and 'posix'.
-  The old method 'posix' is deprecated as this uses the TRE regex library
-  which contains bugs and has not been maintained for more than 10 years.
-  On *NIX the 'make install' script will try to upgrade the example
-  spamfilter.conf. This may not work if you have customizations in that
-  file or if it was originating from 3.2.x. Helpful warnings or error
-  messages are printed when you try to start UnrealIRCd, to guide the
-  user in this upgrade process. For details see:
-  https://www.unrealircd.org/docs/FAQ#spamfilter-posix-deprecated
-  https://www.unrealircd.org/docs/FAQ#old-spamfilter-conf
+* Improve server linking error messages
+* Enhance WHOX to WHO auto-conversion for "WHO +s serv.er.name"
 
 Major issues fixed:
-* None
+* A crash issue if using utf8 or chinese in set::allowed-nickchars.
+* The Windows version only accepted very few clients.
+* The Windows version should warn and not error if using old-style regex.
+* The Windows version did not save the reputation database.
 
 Minor issues fixed:
-* Changing the set::anti-flood::invite-flood setting had no effect.
-* Sometimes when a server (re)links to the network via 2+ connections it
-  could trigger a race condition where the server would be delinked again.
+* The 'connthrottle' module incorrectly allowed 0 unknown users in when
+  it was throttling, rather than the set rate.
+* The 'reputation' module did not show scores for remote users in /WHOIS,
+  only after 5 minutes had passed.
+* Some users may have experienced a "Registration Timeout" error when
+  connecting. This happened because their ident server accepted the TCP/IP
+  connection but after that failed to respond to the ident request. We
+  have now lowered set::ident::read-timeout to 15 seconds to fix this.
+* If successfully logged in using SASL then avoid an "You are already
+  logged in" error message that could happen due to PASS forwarding.
+  The message was harmless, but annoying in some setups.
 
 Module coders / Developers:
-* We now compile with a lot more compiler warnings enabled by default.
-  Similarly, our Travis-CI compiles with --with-werror which enables the
-  -Werror compiler option, which you may want to use as well. This enables
-  the compiler to detect more possible bugs and sketchy code.
-* Some modules still prepend DLLFUNC to functions. This is unnecessary.
-* Similarly, if (!cep->ce_varname) is unnecessary, it never happens.
-* The functions del_Command() and such have been removed. You never needed
-  to use this. Just use CommandAdd() and UnrealIRCd takes care of the rest.
-* For command functions we encourage you to use CMD_FUNC(m_something),
-  this is not new. New is that we now also have something similar for
-  command overrides, namely: CMD_OVERRIDE_FUNC(override_something).
-  This way you don't have to type yourself the int parc, char *parv[] etc.
-  stuff and this way we can also easily change the passed parameters in
-  the future in an automatic way. Eg: provide more variables.
-* If you use linked lists and you use AddListItem() or DelListItem() then
-  you should always have pointers to prev and next at the beginning of
-  your struct (and in that order!), otherwise you risk memory corruption.
-  Because this is an easy mistake to make we will now abort() we detect
-  such an error at runtime in AddListItem or DelListItem (on *NIX).
+* If you are debugging or developing modules then we encourage you to
+  use AddressSanitizer. This does come at a 10x performance slowdown
+  and can consume a lot more memory, but it is very useful in tracing
+  common C mistakes such as out of bounds read/writes, double frees,
+  and so on. You will see exactly where a mistake was made.
+  To use this, in the last ./Config question you answer: --enable-asan
 
 IRC protocol:
-* Many things changed in previous release (4.2.2).
-* No changes in this release.
+* No changes
+
+Other changes:
+* Various HELPOP updates
 
 Future versions:
 * We intend to change the default plaintext oper policy from 'warn' to 'deny'

doc/RELEASE-NOTES.old

@@ -3,7 +3,124 @@ See doc/RELEASE-NOTES for the latest release notes.
 This file (doc/RELEASE-NOTES.old) contains the release notes
 of OLDER releases for historical purposes.
 
-==[ CHANGES BETWEEN 4.2.2 AND 4.2.1.1 ]==
+==[ CHANGES BETWEEN 4.2.2 AND 4.2.3 ]==
+
+This UnrealIRCd release adds new modules to combat drones, it bumps the
+default concurrent user limit, and UnrealIRCd can now easily deal with
+1 million *LINE's placed on *@IP without any noticeable performance impact.
+
+There is also one important change with regards to old style 'posix'
+spamfilters (see under "Deprecated"), these will raise a warning but
+will continue to work for now.
+
+Enhancements:
+* New optional modules 'reputation' and 'connthrottle' to fight drones:
+  * The 'reputation' module will learn what users (IP addresses) are
+    frequently seen on your server and classify these as "known IP's".
+    For every 5 minutes that someone is connected, the IP address receives
+    +1 point. IP's with registered users receive +2 points per 5 minutes.
+    An IRCOp can /WHOIS a user to view this "reputation score".
+    The "/REPUTATION nick" and "/REPUTATION ip" commands are also available.
+    Note that the reputation score is capped at a maximum of 10000 and
+    entries expire if the IP has not been seen online for 30 days (or
+    even sooner for very low reputation scores).
+  * The 'connthrottle' module puts users in one of these two groups:
+    * "known users" with IP addresses that have been online before on
+      your network for some time. By default: 2+ hours past 30 days.
+    * "new users" who have not been seen online before (or too short).
+    Users in the "known users" group can connect without any limitation.
+    Similarly, users who authenticate to services using SASL can also
+    always get in. However, "new users" can be limited, for example
+    at a maximum rate of 20 "new users" per minute.
+    The end result and goal is that in case of a drone attack, 99% of
+    your regular users can still connect as usual. This, while drones
+    and other unknown IP's are limited at, for example, 20 per minute.
+    By limiting the connection rate for drones and other unknown users
+    the damage is limited. It also gives IRCOps a chance to react and
+    take additional countermeasures, if possible.
+  * The modules are not loaded by default. If you want to use them,
+    then have a look at their example configuration in the file
+    conf/modules.optional.conf
+  * The reputation module needs to be running for some time before it
+    contains a meaningful database of "known users". Therefore the
+    connthrottle module will be disabled until the reputation module
+    has gathered sufficient data. This defaults to 1 week.
+  * Full documentation: https://www.unrealircd.org/docs/Connthrottle
+* On *NIX we now default to 'auto' mode to discover MAXCONNECTIONS.
+  On systems that support it this means UnrealIRCd supports up to 8192
+  connections by default. It automatically falls back to a lower value
+  such as 2048 or 1024 if the user account has a lower limit or if the OS
+  does not support it. We recommend users to no longer set any specific
+  value in ./Config and just leave it at 'auto'. If you want to see the
+  effective limit, then look at this message when you start the server
+  on the console: "This server can handle XYZ concurrent sockets".
+* UnrealIRCd now uses a technique that makes KLINE's, GLINE's and (G)ZLINE's
+  placed on individual IP's (*@IP) extremely fast. Just to illustrate:
+  * Previously it took 129 seconds to add 100k ZLINE's, now it takes 2.5 secs.
+  * Checking a connection against 100,000 ZLINE's is now 250 times faster.
+  * Previously 7,500 clients could connect per minute, now 33,560 per minute.
+  * Even with 1 million ZLINE's on *@IP it can handle 30,000 connections p/m.
+  * Rejecting Z-lined users is even faster at 435,000 connections per minute
+    with 100,000 active ZLINE's.
+  Benchmarked on a 2GHz Intel Xeon Skylake CPU with Linux 4.15.
+  To benefit from these speed improvements, just place a *LINE on *@IP.
+* When the server has just been restarted, many users will reconnect and
+  rejoin channels. We now disable the join flood limit in channel mode +f
+  during the first 75 seconds since startup. This so the channel does not
+  become +i or +R due to "flooding". See:
+  https://www.unrealircd.org/docs/Set_block#set::modef-boot-delay
+
+Deprecated:
+* Spamfilter has 3 matching methods: 'simple', 'regex' and 'posix'.
+  The old method 'posix' is deprecated as this uses the TRE regex library
+  which contains bugs and has not been maintained for more than 10 years.
+  On *NIX the 'make install' script will try to upgrade the example
+  spamfilter.conf. This may not work if you have customizations in that
+  file or if it was originating from 3.2.x. Helpful warnings or error
+  messages are printed when you try to start UnrealIRCd, to guide the
+  user in this upgrade process. For details see:
+  https://www.unrealircd.org/docs/FAQ#spamfilter-posix-deprecated
+  https://www.unrealircd.org/docs/FAQ#old-spamfilter-conf
+
+Major issues fixed:
+* None
+
+Minor issues fixed:
+* Changing the set::anti-flood::invite-flood setting had no effect.
+* Sometimes when a server (re)links to the network via 2+ connections it
+  could trigger a race condition where the server would be delinked again.
+
+Module coders / Developers:
+* We now compile with a lot more compiler warnings enabled by default.
+  Similarly, our Travis-CI compiles with --with-werror which enables the
+  -Werror compiler option, which you may want to use as well. This enables
+  the compiler to detect more possible bugs and sketchy code.
+* Some modules still prepend DLLFUNC to functions. This is unnecessary.
+* Similarly, if (!cep->ce_varname) is unnecessary, it never happens.
+* The functions del_Command() and such have been removed. You never needed
+  to use this. Just use CommandAdd() and UnrealIRCd takes care of the rest.
+* For command functions we encourage you to use CMD_FUNC(m_something),
+  this is not new. New is that we now also have something similar for
+  command overrides, namely: CMD_OVERRIDE_FUNC(override_something).
+  This way you don't have to type yourself the int parc, char *parv[] etc.
+  stuff and this way we can also easily change the passed parameters in
+  the future in an automatic way. Eg: provide more variables.
+* If you use linked lists and you use AddListItem() or DelListItem() then
+  you should always have pointers to prev and next at the beginning of
+  your struct (and in that order!), otherwise you risk memory corruption.
+  Because this is an easy mistake to make we will now abort() we detect
+  such an error at runtime in AddListItem or DelListItem (on *NIX).
+
+IRC protocol:
+* Many things changed in previous release (4.2.2).
+* No changes in this release.
+
+Future versions:
+* We intend to change the default plaintext oper policy from 'warn' to 'deny'
+  in the summer of 2019. This will deny /OPER when used from a non-SSL
+  connection. For security, IRC Operators should really use SSL/TLS!
+
+==[ CHANGES BETWEEN 4.2.1 AND 4.2.2 ]==
 
 This is the stable version of UnrealIRCd 4.2.2. It contains several
 major enhancements, in particular with regards to flood controls.

extras/build-tests/nix/run-tests

@@ -36,9 +36,9 @@ cd ..
 # Install 'cipherscan'
 git clone -q https://github.com/mozilla/cipherscan
 
-# Install 'unrealircd-tests'
-git clone -q https://github.com/unrealircd/unrealircd-tests.git
-cd unrealircd-tests
+# Install 'unrealircd-tests-old'
+git clone -q https://github.com/unrealircd/unrealircd-tests-old.git
+cd unrealircd-tests-old
 bundle install
 mv config.yaml.example config.yaml
 
@@ -56,7 +56,7 @@ cd ../extras/tests/tls
 ./tls-tests
 cd -
 
-# Back in unrealircd-tests, run the tests!
+# Back in unrealircd-tests-old, run the tests!
 if [[ "$OSTYPE" == "darwin"* ]]; then
 	bundle exec rake
 else

include/setup.h.in

@@ -43,6 +43,9 @@
 /* Define if ssl library has SSL_CTX_set1_curves_list */
 #undef HAS_SSL_CTX_SET1_CURVES_LIST
 
+/* Define if ssl library has SSL_CTX_set_min_proto_version */
+#undef HAS_SSL_CTX_SET_MIN_PROTO_VERSION
+
 /* Define to 1 if you have the `bcmp' function. */
 #undef HAVE_BCMP
 

include/win32/setup.h

@@ -54,6 +54,7 @@
 #define NEED_U_INT32_T
 #define PREFIX_AQ
 #define LIST_SHOW_MODES
+#define USE_TRE
 #ifndef mode_t
 #define GOT_STRCASECMP
 #define strcasecmp _stricmp
@@ -84,10 +85,10 @@
 #define UNREAL_VERSION_MAJOR 2
 
 /* Minor version number (e.g.: 1 for Unreal3.2.1) */
-#define UNREAL_VERSION_MINOR 3
+#define UNREAL_VERSION_MINOR 4
 
 /* Version suffix such as a beta marker or release candidate marker. (e.g.:
    -rcX for unrealircd-3.2.9-rcX) */
-#define UNREAL_VERSION_SUFFIX ""
+#define UNREAL_VERSION_SUFFIX ".1"
 
 #endif

src/events.c

@@ -46,6 +46,7 @@ ID_Copyright("(C) Carsten Munk 2001");
 MODVAR Event *events = NULL;
 
 extern EVENT(unrealdns_removeoldrecords);
+extern EVENT(deprecated_notice);
 
 void	LockEventSystem(void)
 {
@@ -213,6 +214,7 @@ void	SetupEvents(void)
 	EventAddEx(NULL, "garbage", GARBAGE_COLLECT_EVERY, 0, garbage_collect, NULL);
 	EventAddEx(NULL, "loop", 0, 0, loop_event, NULL);
 	EventAddEx(NULL, "unrealdns_removeoldrecords", 15, 0, unrealdns_removeoldrecords, NULL);
+	EventAddEx(NULL, "deprecated_notice", (86400*7)-(3600*8), 0, deprecated_notice, NULL);
 	EventAddEx(NULL, "check_pings", 1, 0, check_pings, NULL);
 	EventAddEx(NULL, "check_deadsockets", 1, 0, check_deadsockets, NULL);
 	EventAddEx(NULL, "check_unknowns", 1, 0, check_unknowns, NULL);

src/ircd.c

@@ -402,6 +402,18 @@ EVENT(garbage_collect)
 		loop.do_garbage_collect = 0;
 }
 
+EVENT(deprecated_notice)
+{
+	/* Send a warning to opers currently online every week after June 1, 2020 */
+	if (TStime() > 1590962400)
+	{
+		char *msg = "[WARNING] UnrealIRCd 4.x is no longer supported after December 31, 2020. "
+		            "See https://www.unrealircd.org/docs/UnrealIRCd_4_EOL";
+		sendto_realops("%s", msg);
+		ircd_log(LOG_ERROR, "%s", msg);
+	}
+}
+
 /*
 ** try_connections
 **
@@ -1312,8 +1324,10 @@ int InitUnrealIRCd(int argc, char *argv[])
 	fprintf(stderr, "  using %s\n", SSLeay_version(SSLEAY_VERSION));
 #ifdef USE_LIBCURL
 	fprintf(stderr, "  using %s\n", curl_version());
+#endif
 #endif
 	check_user_limit();
+#ifndef _WIN32
 	fprintf(stderr, "\n");
 	fprintf(stderr, "This server can handle %d concurrent sockets (%d clients + %d reserve)\n\n",
 		maxclients+CLIENTS_RESERVE, maxclients, CLIENTS_RESERVE);
@@ -1385,6 +1399,12 @@ int InitUnrealIRCd(int argc, char *argv[])
 #ifndef _WIN32
 	fprintf(stderr, "Dynamic configuration initialized.. booting IRCd.\n");
 #endif
+	/* Warn about this starting March 1, 2020 */
+	if (time(NULL) > 1583017200)
+	{
+		fprintf(stderr, "WARNING: UnrealIRCd 4.x is no longer supported after December 31, 2020.\n"
+		                "See https://www.unrealircd.org/docs/UnrealIRCd_4_EOL\n");
+	}
 	open_debugfile();
 	if (portnum < 0)
 		portnum = PORTNUM;

src/modules/m_nick.c

@@ -275,7 +275,7 @@ CMD_FUNC(m_uid)
 	 * For remote clients, do a quick check by using do_remote_nick_name(),
 	 * if this returned false then reject and kill it. -- Syzop
 	 */
-	if (IsServer(cptr) && !do_remote_nick_name(nick))
+	if (IsServer(cptr) && (!do_remote_nick_name(nick) || !*nick))
 	{
 		sendto_one(sptr, err_str(ERR_ERRONEUSNICKNAME),
 		    me.name, sptr->name, parv[1], "Illegal characters");
@@ -593,7 +593,8 @@ CMD_FUNC(m_nick)
 	 * if this returned false then reject and kill it. -- Syzop
 	 */
 	if ((IsServer(cptr) && !do_remote_nick_name(nick)) ||
-	    (!IsServer(cptr) && !do_nick_name(nick)))
+	    (!IsServer(cptr) && !do_nick_name(nick)) ||
+	    !*nick)
 	{
 		sendto_one(sptr, err_str(ERR_ERRONEUSNICKNAME),
 		    me.name, sptr->name, parv[1], "Illegal characters");

src/modules/m_sinfo.c

@@ -20,6 +20,8 @@ CMD_FUNC(m_sinfo);
 
 MOD_INIT(sinfo)
 {
+	MARK_AS_OFFICIAL_MODULE(modinfo);
+
 	CommandAdd(modinfo->handle, "SINFO", m_sinfo, MAXPARA, M_USER|M_SERVER);
 
 	return MOD_SUCCESS;

src/modules/reputation.c

@@ -440,6 +440,12 @@ write_fail:
 	/* Everything went fine. We rename our temporary file to the existing
 	 * DB file (will overwrite), which is more or less an atomic operation.
 	 */
+#ifdef _WIN32
+	/* Exception: on Windows it cannot be atomic, as rename() fails to
+	 * overwrite existing files. Great.
+	 */
+	unlink(cfg.database);
+#endif
 	if (rename(tmpfname, cfg.database) < 0)
 	{
 		config_error("ERROR renaming '%s' to '%s': %s -- DATABASE *NOT* SAVED!!!",

src/s_bsd.c

@@ -517,6 +517,9 @@ void check_user_limit(void)
 	}
 #endif
 #endif
+#ifdef _WIN32
+	maxclients = MAXCONNECTIONS - CLIENTS_RESERVE;
+#endif
 }
 
 void init_sys(void)

src/s_conf.c

@@ -1469,7 +1469,7 @@ void config_setdefaultsettings(aConfiguration *i)
 	i->unknown_flood_amount = 4;
 	i->unknown_flood_bantime = 600;
 	i->oper_snomask = strdup(SNO_DEFOPER);
-	i->ident_read_timeout = 30;
+	i->ident_read_timeout = 15;
 	i->ident_connect_timeout = 3;
 	i->nick_count = 3; i->nick_period = 60; /* NICK flood protection: max 3 per 60s */
 	i->away_count = 4; i->away_period = 120; /* AWAY flood protection: max 4 per 120s */
@@ -6222,10 +6222,12 @@ int _test_spamfilter(ConfigFile *conf, ConfigEntry *ce)
 			if (match_type == MATCH_TRE_REGEX)
 			{
 #ifdef USE_TRE
+#ifndef _WIN32
 				config_warn("%s:%i: this spamfilter uses match-type 'posix' which is DEPRECATED. "
 				             "You should switch over to match-type 'regex' instead. "
 				             "See https://www.unrealircd.org/docs/FAQ#spamfilter-posix-deprecated",
 				             ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
+#endif
 #else
 				config_error("%s:%i: this spamfilter uses match-type 'posix' which is no longer supported. "
 				             "You must switch over to match-type 'regex' instead. "
@@ -6302,6 +6304,7 @@ int _test_spamfilter(ConfigFile *conf, ConfigEntry *ce)
 		need_34_upgrade = 1;
 	}
 
+#ifndef _WIN32
 	if (match && !strcmp(match, "^LOL! //echo -a \\$\\(\\$decode\\(.+,m\\),[0-9]\\)$"))
 	{
 		config_warn("*** IMPORTANT ***");
@@ -6310,6 +6313,7 @@ int _test_spamfilter(ConfigFile *conf, ConfigEntry *ce)
 		config_warn("Please read https://www.unrealircd.org/docs/FAQ#old-spamfilter-conf !!!");
 		config_warn("*****************");
 	}
+#endif
 	return errors;
 }
 
@@ -7334,7 +7338,7 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
 								 "Valid protocols are: TLSv1,TLSv1.1,TLSv1.2",
 								 cepp->ce_fileptr->cf_filename, cepp->ce_varlinenum, config_var(cepp), name);
 #endif
-                }
+		                }
 
 				if (option)
 				{
@@ -7369,6 +7373,45 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
 		{
 			CheckNull(cepp);
 		}
+		else if (!strcmp(cepp->ce_varname, "outdated-protocols"))
+		{
+			char copy[512], *p, *name;
+			int v = 0;
+			int option;
+			char modifier;
+
+			CheckNull(cepp);
+			strlcpy(copy, cepp->ce_vardata, sizeof(copy));
+			for (name = strtoken(&p, copy, ","); name; name = strtoken(&p, NULL, ","))
+			{
+				if (!stricmp(name, "All"))
+					;
+				else if (!stricmp(name, "TLSv1"))
+					;
+				else if (!stricmp(name, "TLSv1.1"))
+					;
+				else if (!stricmp(name, "TLSv1.2"))
+					;
+				else if (!stricmp(name, "TLSv1.3"))
+					;
+				else
+				{
+#ifdef SSL_OP_NO_TLSv1_3
+					config_warn("%s:%i: %s: unknown protocol '%s'. "
+								 "Valid protocols are: TLSv1,TLSv1.1,TLSv1.2,TLSv1.3",
+								 cepp->ce_fileptr->cf_filename, cepp->ce_varlinenum, config_var(cepp), name);
+#else
+					config_warn("%s:%i: %s: unknown protocol '%s'. "
+								 "Valid protocols are: TLSv1,TLSv1.1,TLSv1.2",
+								 cepp->ce_fileptr->cf_filename, cepp->ce_varlinenum, config_var(cepp), name);
+#endif
+		                }
+			}
+		}
+		else if (!strcmp(cepp->ce_varname, "outdated-ciphers"))
+		{
+			CheckNull(cepp);
+		}
 		else if (!strcmp(cepp->ce_varname, "options"))
 		{
 			for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next)
@@ -7561,6 +7604,14 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
 			convert_to_absolute_path(&cepp->ce_vardata, CONFDIR);
 			safestrdup(ssloptions->trusted_ca_file, cepp->ce_vardata);
 		}
+		else if (!strcmp(cepp->ce_varname, "outdated-protocols"))
+		{
+			safestrdup(ssloptions->outdated_protocols, cepp->ce_vardata);
+		}
+		else if (!strcmp(cepp->ce_varname, "outdated-ciphers"))
+		{
+			safestrdup(ssloptions->outdated_ciphers, cepp->ce_vardata);
+		}
 		else if (!strcmp(cepp->ce_varname, "renegotiate-bytes"))
 		{
 			ssloptions->renegotiate_bytes = config_checkval(cepp->ce_vardata, CFG_SIZE);

src/ssl.c

@@ -257,6 +257,10 @@ static void setup_dh_params(SSL_CTX *ctx)
 /** Disable SSL/TLS protocols as set by config */
 void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
 {
+#ifdef HAS_SSL_CTX_SET_MIN_PROTO_VERSION
+	/* First, we need a starting point... */
+	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+#endif
 	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); /* always disable SSLv2 */
 	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); /* always disable SSLv3 */
 

src/version.c.SH

@@ -4,7 +4,7 @@ echo "Extracting src/version.c..."
 
 #id=`grep '$Id: Changes,v' ../Changes`
 #id=`echo $id |sed 's/.* Changes\,v \(.*\) .* Exp .*/\1/'`
-id="4.2.3"
+id="4.2.4.1"
 echo "$id"
 
 if test -r version.c

src/win32/UnrealIRCd.exe.manifest

@@ -3,7 +3,7 @@
 <assemblyIdentity
     processorArchitecture="X86"
     name="UnrealIRCd.UnrealIRCd.4"
-    version="4.2.3.0"
+    version="4.2.4.1"
     type="win32"
 />
 <description>Internet Relay Chat Daemon</description>

src/win32/unrealinst.iss

@@ -6,7 +6,7 @@
 
 [Setup]
 AppName=UnrealIRCd 4
-AppVerName=UnrealIRCd 4.2.3
+AppVerName=UnrealIRCd 4.2.4.1
 AppPublisher=UnrealIRCd Team
 AppPublisherURL=https://www.unrealircd.org
 AppSupportURL=https://www.unrealircd.org
@@ -108,7 +108,20 @@ var
 function InitializeSetup(): Boolean;
 var
   major: Cardinal;
+  d: Integer;
 begin
+	d := StrToInt(GetDateTimeString('yyyymm',#0,#0));
+	if (d > 201912) then
+	begin
+		MsgBox('You are installing the old UnrealIRCd 4.x stable series. This branch will receive security fixes only until December 31, 2020. ' +
+		       'After that date, all support for the UnrealIRCd 4.x series will stop. ' +
+		       'Please consider upgrading to UnrealIRCd 5. See https://www.unrealircd.org/docs/UnrealIRCd_4_EOL', mbInformation, MB_OK);
+		if (d > 201903) then
+		begin
+			ShellExec('open', 'https://www.unrealircd.org/docs/UnrealIRCd_4_EOL', '', '', SW_SHOWNORMAL,ewNoWait,ErrorCode);
+		end;
+	end;
+
 	Result := true;
   if Not RegQueryDWordValue(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86', 'Major', major) then
     begin