There have been code paths that ignored the return code of Handle_Write() when sending "notice auth" messages to new clients connecting to the server. But because Handle_Write() would have closed the client connection again if an error occurred, this would have resulted in new errors and assert()'s later on that could have crashed the server (denial of service). Only setups having the configuration option "NoticeAuth" enabled are affected, which is not the default. CVE-2013-5580. (cherry picked from commit 309122017ebc6fff039a7cab1b82f632853d82d5)

Test if the user that it is to be kicked is on the channel before user channel modes are tested. Otherwise assert( cl2chan != NULL ); in line 742 would fail and stop the service. (cherry picked from commit 0e63fb3fa7ac4ca048e8c2b648d2be3fd0572311)

Use the currently "displayed hostname" (which can be cloaked!) for hostname matching, not the real one. In other words: don't display all the cloaked users on a specific real hostname! Thanks to DNS <dns@rbose.org> for reporting this issue. (cherry picked from commit 1e8b775a7a6d0c390e037bd73332072e7c510525)

"egrep -o" isn't portable and not available on OpenBSD, for example. So let's use sed instead to get the automake version. The expression used now is less specific but should work as well ... (cherry picked from commit 419ff38a07cb0b1637b444c96cd6868a7a9e5524)

The header file "netinet/in_systm.h" already is optional in ngIRCd, so don't require it in the configure script. Now ngIRCd can be built on Minix 3 again :-) (cherry picked from commit fd260404caa7ce174ada663024d19cd789c152b5)

Now ngIRCd returns a more specific error message for numeric ERR_NOTREGISTERED(451) when a regular user tries to use a command that isn't allowed for users but for servers: ERR_NOTREGISTEREDSERVER(451). (cherry picked from commit 508ca3044dd6d1a88686efceda92a7f2a9b4a926)

Don't report ERR_NEEDMOREPARAMS(461) when a MDOE command with more modes than nicknames is handled, as well as for channel limit and key changes without specifying the limit or key parameters. This is how a lot (all?) other IRC servers behave, including ircd2.11, InspIRCd, and ircd-seven. And because of clients (tested with Textual and mIRC) sending bogus MODE commands like "MODE -ooo nick", end-users got the expected result as well as correct but misleading error messages ... If ngIRCd is compiled using "strict mode", these errors are still reported. Reported-by: Tim <tim@stackwatch.net> (cherry picked from commit d8f2964710985597281de73aecd0a1ece30ecb03)

This patch introduces the new function Conf_SSLInUse() to check when the current server configuration requires the SSL subsystem to be initialized and accounts incoming as well as outgoing connections -- so this fixes commit bb20aeb9 ("Initialize SSL when needed only, and disable SSL on errors") which only handled the inbound case ... Tested-by: Brett Smith <brett@w3.org> (cherry picked from commit ab009976984ede815c31c9a6b318c80006823b81)

(cherry picked from commit 0703fcd71983bd04f70101fd0143660174d22f84)

Ignore it and add a penalty time on all other link types.

Only check the channel user modes of the initiator if he is joined to this channel and not an IRC operator enforcing modes (which requires the configuration option "OperCanUseMode" to be enabled), because trying to check channel user modes of a non-member results in this assertion: Assertion failed: (cl2chan != NULL), function Channel_UserModes, file channel.c, line 742. This closes bug #147, thanks to James Kirwill <james.kirwill@bk.ru> for tracking this down!

This fixes the following warning messages of gcc 4.5.3 on Cygwin when building with debug code enabled: ng_ipaddr.c: In function ‘ng_ipaddr_init’: ng_ipaddr.c:52:2: warning: comparison between signed and unsigned integer expressions ng_ipaddr.c:53:20: warning: comparison between signed and unsigned integer expressions resolve.c: In function ‘ForwardLookup’: resolve.c:271:3: warning: comparison between signed and unsigned integer expressions

Now the Makefiles support spaces in "$sysconfdir", which isn't uncommon for Cygwin for example, when $HOME contains whitespaces ("/home/User Name") and ngIRCd is installed into the user home ("./configure --prefix=$HOME").

This fixes the following warning message of 4.5.3 on Cygwin: resolve.c: In function ‘ForwardLookup’: resolve.c:273:21: warning: comparison between signed and unsigned integer expressions

This patch allows user names up to 20 characters when ngIRCd has not been configured for "strict RFC mode". Patch suggested by Brett Smith <brett@w3.org>, see <http://arthur.barton.de/pipermail/ngircd-ml/2012-October/000579.html>.