UnrealIRCd 4.0.11 Release Notes ================================ ==[ CHANGES BETWEEN 4.0.10 AND 4.0.11 ]== Major issues fixed: * Fix crash issue that can be triggered by regular users * Fix crash if TOPIC_NICK_IS_NUHOST is enabled (rarely enabled) * Fix crash if services send an incorrect raw command Minor issues fixed: * Now properly support 'z' when used in set::modes-on-join Other changes: * Show a warning if you don't have any SSL listeners ==[ UNREALIRCD 4 INTRODUCTION ]== UnrealIRCd 4 is here! We have been working hard over the past few years to replace the successful 3.2.x series with a more modern code base. At the same time we have been incorporating requests from our bug tracker, ideas from ourselves and many suggestions that came up during the UnrealIRCd survey from Q4 2013. UnrealIRCd is far more modular and configurable than before. For a brief overview of what's new in UnrealIRCd 4 have a look at: https://www.unrealircd.org/docs/What's_new_in_UnrealIRCd_4 ==[ DOCUMENTATION ]== All documentation has been moved to our wiki: * Documentation: https://www.unrealircd.org/docs/ * FAQ: https://www.unrealircd.org/docs/FAQ Be sure not to use any other (older) documentation as it isn't fully compatible with UnrealIRCd 4. In particular, do NOT use unreal32docs*html. ==[ UPGRADING FROM 3.2.x ]== If you are upgrading from 3.2.x then there are three important things to know: 1) NEW FILE LOCATIONS In UnrealIRCd 4 the location of the configuration files and other files have been changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.X') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd on *NIX On Windows UnrealIRCd will install to C:\Program Files (x86\UnrealIRCd 4 The new directory structure is as follows (both on Windows and *NIX): conf/ contains all configuration files logs/ for log files modules/ all modules (.so files on *NIX, .dll files on Windows) 2) CONFIGURATION FILE CHANGES There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x !! 3) THIRD PARTY MODULES If you are using 3rd party modules then they will need an update to run on UnrealIRCd 4. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x. Contact your developer for a new version or ask on our Modules forum where someone may be kind enough to convert the module for you if you ask nicely: https://forums.unrealircd.org/viewforum.php?f=52 ==[ END OF THE 3.2.X SERIES ]== UnrealIRCd 3.2.x is no longer supported after December 31, 2016. See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated ==[ SUPPORT ]== Before you seek support, please check our documentation and FAQ: * https://www.unrealircd.org/docs/Main_Page * https://www.unrealircd.org/docs/FAQ For support you have two choices: * Forums: https://forums.unrealircd.org/ * IRC: irc.unrealircd.org / #unreal-support ==[ CHANGES BETWEEN 4.0.9 AND 4.0.10 ]== Improvements: * Added "websocket" module. This provides support for WebSocket (RFC6455), allowing JavaScript (internet browsers) to connect directly to IRC without the need of a "gateway". This module is experimental and not loaded by default. See https://www.unrealircd.org/docs/WebSocket_support for more information on the module. For a very crude client example check https://www.unrealircd.org/files/dev/ws/websocket_unrealircd.html This module was sponsored by Aberrant Software Inc. * UnrealIRCd already has the ability to configure SSL settings via the set::ssl block. Now you can also override these settings for a link block and listen block. One possible use for this would be having a long-lived self-signed certificate for server linking on a serversonly port, and a short-lived certificate for your users on the other ports (such as a certificate from Let's Encrypt). Another example would be to force TLSv1.2 for server linking but not for users. Etc. Etc. General settings (already existed) are in the set::ssl block: https://www.unrealircd.org/docs/Set_block#set::ssl::certificate Per-port settings go via listen::ssl-options: https://www.unrealircd.org/docs/Listen_block Per-link block settings go via link::outgoing::ssl-options: https://www.unrealircd.org/docs/Link_block * You can now exempt IP's from (DNSBL) blacklist checking via: except blacklist { mask 1.2.3.4; }; * All free modules from vulnscan.org (by Syzop) are now included in UnrealIRCd itself. Note that only the "privdeaf" and "jumpserver" modules are loaded by default. The others you will need to load explicitly. The new modules are: * extbans/textban - Channel specific word filter (+b ~T:censor:*badword*) https://www.unrealircd.org/docs/Extended_Bans * usermodes/privdeaf - Do not permit PM's from others (User Mode +D) * jumpserver - Redirect users to another server during maintenance www.unrealircd.org/docs/User_%26_Oper_commands#JUMPSERVER * antirandom - Detect drones with random nicks / ident / etc. https://www.unrealircd.org/docs/Set_block#set::antirandom * hideserver - Hide servers in /MAP and /LINKS (Note that this does not truly enhance security) * m_ircops - Show which ircops are online (/IRCOPS command) * m_staff - Show custom file (/STAFF command) * nocodes - Makes chanmode +S/+c also strip/block bold and underline Major issues fixed: * Incorrect bans being added during server linking * Compile fixes for Ubuntu 16 LTS / gcc 5.4.x * Crash if you had an invalid crypt password in your unrealircd.conf * Crash if you did not load the chanmodes/nocolor module or changed the order in which modules were loaded Minor issues fixed: * Delayjoin (channel mode +D) sending QUITs for hidden users, double JOIN, .. * You no longer need to place 'class' blocks before 'allow' blocks * Some error messages were not throttled * WHO now supports multi-prefix * Date in Windows log file for the first few messages was always 1970. For services and module coders: * Services coders: "SVSMODE Nick +d" will now mark a client as deaf. Don't confuse this with "SVSMODE Nick +d ". The parameter makes all the difference. * Module coders: changed return value handling of HOOKTYPE_RAWPACKET_IN -1 indicates to stop parsing (return) and 0 indicates don't parse but proceed to next packet. If you kill a client in this hook then be sure to return -1. ==[ CHANGES BETWEEN 4.0.8.4 AND 4.0.9 ]== * Fix "ghost" bug which could cause annoyed users and a memory leak in UnrealIRCd. For more information see https://forums.unrealircd.org/viewtopic.php?f=1&t=8625 ==[ CHANGES BETWEEN 4.0.8 AND 4.0.8.4 ]== * Fix build on FreeBSD with clang / without gcc * If using remote includes and system curl not available then install it during ./Config and no longer use /home/xyz/curl. * More fixes for self-compiled remote includes * Fix build if --with-system-cares is specified explicitly (which is unnecessary anyway, as system c-ares this is auto-detected). * More build fixes for older GCC compilers ==[ CHANGES BETWEEN 4.0.7 AND 4.0.8 ]== Improvements: * *NIX: As part of defense-in-depth UnrealIRCd now compiles with several hardening options by default. This makes several type of exploits more difficult and in some cases even impossible. Tech: this enables full RELRO (GOT and PLT being read-only), everything compiled as PIE making ASLR possible, stack protector canaries are added, etc. * Windows: releases are now signed. If you download the UnrealIRCd installer you will no longer see "Unknown publisher" but rather "Open Source Developer, Bram Matthys". Similarly all the EXE and DLL module files have been signed which should make it easy for anti virus software to see if something is an official UnrealIRCd release file or not. Major issues fixed: * Possible crash if you have several blacklist blocks Minor issues fixed: * User mode +d (deaf) did not work Other changes: * We've always printed big warnings when running UnrealIRCd as root. In this version we still do, but in future versions we will simply refuse to boot. https://www.unrealircd.org/docs/Do_not_run_as_root * System c-ares is preferred over our own shipped c-ares * System cURL is preferred over ~/curl (if it has AsynchDNS) * Our shipped libraries are no longer built as static * Now that shipped libraries are dynamic they need to be installed somewhere (if used). The default location is ~/unrealircd/lib and can be changed via --with-privatelibdir. (Although, if you are a package builder then you will probably use --with-system-xxx and then private libraries are not used at all) ==[ CHANGES BETWEEN 4.0.6 AND 4.0.7 ]== Improvements: * UnrealIRCd now ships with a default ciphersuite list to have more secure SSL/TLS defaults (rather than relying on your OS/Distro). You can still customize ciphersuites through set::ssl::ciphers. Details: https://www.unrealircd.org/docs/SSL_Ciphers_and_protocols * set::ssl::protocols allows you to specify which SSL/TLS protocols are permitted. The default is (still): TLSv1,TLSv1.1,TLSv1.2. * Windows: remote includes now support IPv6 Major issues fixed: * FreeBSD: unstable SSL links to other servers Minor issues fixed: * It was impossible to set both +b ~r:xyz and +b ~R:xyz Removed the following rarely used build-time options: * CHROOTDIR: Never worked in 4.0.x anyway. You can use AppArmor, SELinux, FreeBSD jails, etc. as an alternative. * IRC_USER/IRC_GROUP: Since this only applies to users installing UnrealIRCd system-wide you should use your system services to do this as well, such as: systemd's User=xx or start-stop-daemon. Other changes: * PCRE2 and c-ares libraries updated to latest versions ==[ CHANGES BETWEEN 4.0.5 AND 4.0.6 ]== Major issues fixed: * Fix SASL security issue with AUTHENTICATE ==[ CHANGES BETWEEN 4.0.4 AND 4.0.5 ]== Major issues fixed: * Crash issue (read-after-free) * Bans on IPv6 cloaked hosts had no effect * Prevent flood from unknown connection (with bugfix) ==[ CHANGES BETWEEN 4.0.4 AND 4.0.3(.1) ]== New: * Italian /HELPOP translation (help.it.conf) * set::options::no-connect-ssl-info to hide SSL-related connect info Major issues fixed: * GLINE/KLINE on usermask@ did not have any effect * Crash if you have a listen block with port 0 * Infinite loop on invalid operclass::parent reference Minor issues fixed: * files { } block only worked with absolute paths * delayjoin: hidden users were not always joined on +vhoaq * Fix small memory leak * Duplicate replies on /VERSION * When doing /VERSION on IRC as an IRCOp it showed the compile-time rather than runtime OpenSSL/LibreSSL version Other changes: * Documentation updates * Prevent installation in the same directory as the source ==[ CHANGES BETWEEN 4.0.3 AND 4.0.3.1 ]== * Fix compile problem on FreeBSD & OpenBSD Note: there is no 4.0.3.1 release for Windows since there were no changes for the Windows version. ==[ CHANGES BETWEEN 4.0.2 AND 4.0.3 ]== Major issues fixed: * Crash on RPING command (IRCOp-only!) * Crash on Windows on failed outgoing server connect * Crash if you had a link { } block with invalid syntax Minor issues fixed: * Windows: Remote includes did not support https Other: * Windows version compiled with Visual Studio 2012 rather than a mix * Windows version now using LibreSSL * Crash reporter produces more useful reports (important for us) ==[ CHANGES BETWEEN 4.0.1 AND 4.0.2 ]== The 4.0.2 release comes with the following new features: * Ability to hide quit messages from *LINEd users (set::hide-ban-reason) * Blacklist hits are now sent to new snomask +b rather than all ircops Major issues fixed: * None Minor issues fixed: * prefix-quit was not working * FreeBSD: fix kevent bug flood in error log * Incorrect server description in /LINKS * Logging to syslog was broken * OS X: Update ./Config to use Homebrew OpenSSL by default * Don't show UID to client in case of a SVSMODE ==[ CHANGES BETWEEN 4.0.0 AND 4.0.1 ]== The 4.0.1 release comes with the following minor improvements: * The blacklist module now supports %ip (=banned IP) in blacklist::reason. * *NIX: You can use cron again, see https://www.unrealircd.org/docs/Cron_job * /MODULE now lists only 3rd party modules by default so you don't get flooded. * *NIX: Added './unrealircd reloadtls' to reload TLS certificate and keys. Major issue fixed: * Crash if you removed a listen { } block with active clients on that port * MODEs set by a server (not by a user) were not always propagated correctly accross the network. In practice this only affected /SAMODE and possibly some services that don't send MODEs from ChanServ/BotServ. Minor issues fixed: * When doing /LIST under mIRC it would hide empty +P channels. * Servers wouldn't link if link::outgoing::hostname was a CNAME. * SSL Certificate fingerprint not communicated properly to servers/services. * *NIX: ./unrealircd [stop|rehash] failed if not installed to ~/unrealircd. * Windows: IRCd could crash after showing the config error screen on startup. ==[ CHANGES BETWEEN 3.2.X AND 4.X ]== Below is a summary of the changes between UnrealIRCd 3.2.x and UnrealIRCd 4. For a complete list of all 1100+ changes you can use 'git log' or have a look at: https://github.com/unrealircd/unrealircd/commits/unreal40 ==[ NEW ]== * We moved a lot of functionality, including most channel modes, user modes and all extended bans into 138 separate modules. This makes it... A) possible to fully customize what exact functionality you want to load. You could even strip down UnrealIRCd to get something close to the basic RFC1459 features from the 1990s. (No idea why you would want that, but it's possible) B) easier for coders to see all source code related to a specific feature C) possible to fix bugs and just reload rather than restart the IRCd. Have a look at modules.default.conf which contains the "default" set of modules that you can load if you just want to load all functionality. If you want to customize the list of modules to load then simply make a copy of that file, give it a different name, and include that one instead. Since the file is fully documented, you can just comment out or delete the loadmodule lines of things you don't want to load. * Oper permissions have changed completely: [A4+] * All previous oper levels/ranks no longer exist (Netadmin, Admin, ..) * oper::flags has been removed. Instead you must specify an operclass in oper::operclass (for example, 'operclass netadmin'). * In operclass block(s) you define the privileges. You can now control exactly what an IRCOp can and cannot do. Have a look at operclass.default.conf which ships with UnrealIRCd, it contains a number of default operclass blocks suitable for the most common situations. See also the operclass block documentation: https://www.unrealircd.org/docs/Operclass_block * If you ask UnrealIRCd to convert your 3.2.x configuration file then it will try to select a suitable operclass for the oper. This will not always 100% match your current oper block rights, though. * Channel Mode +A (Admin Only) has been removed. You can use the new extended ban ~O:. This allows you to, for example, create an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin* * set::hosts has been removed, use oper::vhost instead. * Since oper levels have been removed you no longer see things like "OperX is a Network Administrator" in /WHOIS by default. If you want that, then you can set oper::swhois to "is a Network Administrator" (or any other text). * Entirely rewritten I/O and event loop. This allows the IRCd to scale more easily to tens of thousands of clients by using kernel-evented I/O mechanisms such as epoll and kqueue. * Memory pooling has been added to improve memory allocation efficiency and performance. * On-connect DNSBL/RBL checking via the new blacklist block. [B1] * The Windows version now has IPv6 support too. [B3] * On all OS's we compile with IPv6 support enabled. You can still disable IPv6 at runtime by setting set::options::disable-ipv6. [B3] * The local nickname length can be modified without recompiling the IRCd * Channel Mode +d: This will hide joins/parts for users who don't say anything in a channel. Whenever a user speaks for the first time they will appear to join. Chanops will still see everyone joining normally as if there was no +d set. * If you connect with SSL/TLS with a client certificate then your SSL Fingerprint (SHA256 hash) can be seen by yourself and others through /WHOIS. The fingerprint is also shared with all servers on the network. * ExtBan ~S: for ban exceptions / invex. This can be used like +iI ~S:000000000etc. * bcrypt has been added as a password hashing algorithm and is now the preferred algorithm [A3] * './unreal mkpasswd' will now prompt you for the password to hash [A3] * Protection against SSL renegotiation attacks [A3] * When you link two servers the current timestamp is exchanged. If the time differs more than 60 seconds then servers won't link and it will show a message that you should fix your clock(s). This requires version alpha3 (or later) on both ends of the link [A3] * Configuration file converter that will upgrade your 3.2.x conf to 4.x. On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and after the config errors screen UnrealIRCd offers the conversion. [A3] * The IRCd can now better handle unknown channel modes which expect a parameter. This can be useful in a scenario where you are slowly upgrading all your servers. * If you want to unset a vhost but keep cloaked then use /MODE yournick -t * A "crash reporter" was added. When UnrealIRCd is started it will check if a previous UnrealIRCd instance crashed and (after booting a new instance) it will spit out a report and ask if you want to submit it to the UnrealIRCd developers. Doing so will help us a lot as many bugs are often not reported. Note that UnrealIRCd will always ask before sending any information and never do so automatically. [B3] * SSL: Support for ECDHE has been added to provide "forward secrecy". [B4] ==[ CHANGED ]== * Numerics have been removed. Instead we now use SIDs (Server ID's) and UIDs (User ID's). SIDs work very similar to server numerics and UIDs help us to fix a number of lag-related race conditions / bugs. * The module commands.so / commands.dll has been removed. All commands (those that are modular) are now in their own module. * Self-signed certificates are now generated using 4096 bits, a SHA256 hash and validity of 10 years. [A2] * Building with SSL (OpenSSL) is now mandatory [A2] * The link { } block has been restructured, see https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3] * Better yet, check out our secure server linking tutorial: https://www.unrealircd.org/docs/Tutorial:_Linking_servers * If you have no set::throttle block you now get a default of 3:60 [A3] * password entries in the conf no longer require specifying an auth-type like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3] * You will now see a warning when you link to a non-SSL server. [A3] * Previously we used POSIX Regular expressions in spamfilters and at some other places. We have now moved to PCRE Regular expressions. They look very similar, but PCRE is a lot faster. For backwards-compatibility we still compile with both regex engines. [A3] * Spamfilter command syntax has been changed, it now has an extra option to indicate the matching method: /SPAMFILTER [add|del|remove|+|-] [method] [type] .... Where 'method' can be one of: * -regex: this is the new fast PCRE2 regex engine * -simple: supports just strings and ? and * wildcards (super fast) * -posix: the old regex engine for compatibility with 3.2.x. [A3] * If you have both 3.2.x and 4.x servers on your network then the 4.x server will only send spamfilters of type 'posix' to the 3.2.x servers because 3.2.x servers don't support the other two types. So in a mixed network you probably want to keep using 'posix' for a while until all your servers are running UnrealIRCd 4. [A3] * set::oper-only-stats now defaults to "*" * oper::from::userhost and vhost::from::userhost are now called oper::mask and vhost::mask. The usermask@ part is now optional and it supports two syntaxes. For one entry you can use: mask 1.2.3.*; For multiple entries the syntax is: mask { 192.168.*; 10.*; }; * Because having both allow::ip and allow::hostname in the same allow block was highly confusing (it was an OR-match) you must now choose between either allow::ip OR allow::hostname. [A3] * cgiirc block is renamed to webirc and the syntax has changed [A4] * set::pingpong-warning is removed, warning always off now [A4] * More helpful configuration file parse error messages [A4] * You can use '/OPER username' without password if you use SSL certificate (fingerprint) authentication. The same is true for '/VHOST username'. [A4] * You must now always use 'make install' on *NIX [A4] * Changed (default) directory structure entirely, see the section titled 'CONFIGURATION CHANGES' about 100 lines up. [A4] * badword quit { } is removed, we use badword channel for it. [A4] * badwords.*.conf is now just one badwords.conf * To load all default modules you now include modules.default.conf. This file was called modules.conf in earlier alpha's. The file has been split up in sections and a lot of comments have been added to aid the user in deciding whether to load or not to load each module. [A4] * Snomask +s is now (always) IRCOp-only. [A4] * Previously there was little logic behind what modes halfops could set. Now the idea is as follows: halfops should be able to help out in case of a flood but not be able to change any 'policy decission modes' such as +G, +S, +c, +s. Due to this change halfops can now set modes +beiklmntIMKNCR (was: +beikmntI). [A4] * If no link::hub or link::leaf is specified then assume hub "*". [B1] * SWHOIS (Special whois title) has been extended in a number of ways: * We now "track" who or what set an swhois. This allows us to remove the swhois received via oper/vhost on de-oper/de-vhost. * You can now have multiple swhois lines * Multiple oper::swhois and vhost::swhois items are supported. [B1] * When trying to link two servers without link::outgoing::options::ssl (which is not recommended) we try to use STARTTLS in order to 'upgrade' the connection to use SSL/TLS anyway. This can be disabled via link::outgoing::options::insecure. [B2] * SSLv3 has now been disabled for security. This also means you can only link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4] ==[ MODULE CODERS / DEVELOPERS ]== * A lot of technical documentation for module coders has been added at https://www.unrealircd.org/docs/ describing things like how to write a module from scratch, the User & Channel Mode System, Commands, Command Overrides, Hooks, attaching custom-data to users/channels, and more. [A2+] * For commands: do not read from parv[0] anymore, doing so will lead to a crash. Use sptr->name instead. This change is necessary as the "name" in parv[0] could possibly point to a UID/SID rather than a nick name. Thus, if you would send parv[0] to a non-UID or non-SID capable server this would lead to serious issues (not found errors). * Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades) but disallows unloading of a module [A3] * There have been *a lot* of source code cleanups (ALL) * We now use the information from PROTOCTL CHANMODES= for parameter skipping if the channel mode is unknown. Also, when channel modes are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1] * The server protocol docs have been removed. The protocol is now documented at https://www.unrealircd.org/docs/Server_protocol See also https://www.unrealircd.org/docs/Server_protocol:Changes for a list of changes between the 3.2 and 4.0 server protocol. * GCC typechecking has been added to make sure your HookAdd... calls are adding hook functions with the correct parameter (types). ==[ REMOVED / DROPPED ]== * Numeric server IDs, see above. [A1] * PROTOCTL TOKEN and SJB64 are no longer implemented. [A1] * Ziplinks have been removed. [A1] * WebTV support. [A3] * Channel Mode +j was removed and replaced by the configuration setting set::anti-flood::join-flood (default: 3 per 90 seconds). [B1] * /CHATOPS: use /GLOBOPS instead which does the same /ADCHAT & /NACHAT: gone as we don't have such oper levels anymore Your opers should actually be in an #opers channel. If you also want special classes of oper channels like #admins then use +iI ~O:*admin* * User modes: * +N (Network Administrator): see 'Oper permissions' under NEW as for why * +a (Services Administrator): same * +A (Server Administrator: same * +C (Co Administrator): same * +O (Local IRC Operator): same * +h (HelpOp): all this did was add a line "is available for help" in WHOIS. You can use a vhost block with vhost::swhois as a replacement or for opers just add an oper::swhois item. * +g (failops): we already have snomasks and the +o usermode for this * +v (receive infected DCC SEND rejection notices): moved to snomask +D