ngIRCd Release 20.3

Correctly handle return code of Handle_Write() There have been code paths that ignored the return code of Handle_Write() when sending "notice auth" messages to new clients connecting to the server. But because Handle_Write() would have closed the client connection again if an error occurred, this would have resulted in new errors and assert()'s later on that could have crashed the server (denial of service). Only setups having the configuration option "NoticeAuth" enabled are affected, which is not the default. CVE-2013-5580. (cherry picked from commit 309122017ebc6fff039a7cab1b82f632853d82d5)

ngIRCd Release 20.2

KICK: Fix denial of service bug Test if the user that it is to be kicked is on the channel before user channel modes are tested. Otherwise assert( cl2chan != NULL ); in line 742 would fail and stop the service. (cherry picked from commit 0e63fb3fa7ac4ca048e8c2b648d2be3fd0572311)

"WHO <hostmask>": use displayed hostname for matching Use the currently "displayed hostname" (which can be cloaked!) for hostname matching, not the real one. In other words: don't display all the cloaked users on a specific real hostname! Thanks to DNS <dns@rbose.org> for reporting this issue. (cherry picked from commit 1e8b775a7a6d0c390e037bd73332072e7c510525)

autogen.sh: Don't use "egrep -o", use "sed" "egrep -o" isn't portable and not available on OpenBSD, for example. So let's use sed instead to get the automake version. The expression used now is less specific but should work as well ... (cherry picked from commit 419ff38a07cb0b1637b444c96cd6868a7a9e5524)

configure: "netinet/in_systm.h" is optional The header file "netinet/in_systm.h" already is optional in ngIRCd, so don't require it in the configure script. Now ngIRCd can be built on Minix 3 again :-) (cherry picked from commit fd260404caa7ce174ada663024d19cd789c152b5)

Return better "Connection not registered as server link" errors Now ngIRCd returns a more specific error message for numeric ERR_NOTREGISTERED(451) when a regular user tries to use a command that isn't allowed for users but for servers: ERR_NOTREGISTEREDSERVER(451). (cherry picked from commit 508ca3044dd6d1a88686efceda92a7f2a9b4a926)

MODE: don't report error on "more modes than parameters" Don't report ERR_NEEDMOREPARAMS(461) when a MDOE command with more modes than nicknames is handled, as well as for channel limit and key changes without specifying the limit or key parameters. This is how a lot (all?) other IRC servers behave, including ircd2.11, InspIRCd, and ircd-seven. And because of clients (tested with Textual and mIRC) sending bogus MODE commands like "MODE -ooo nick", end-users got the expected result as well as correct but misleading error messages ... If ngIRCd is compiled using "strict mode", these errors are still reported. Reported-by: Tim <tim@stackwatch.net> (cherry picked from commit d8f2964710985597281de73aecd0a1ece30ecb03)

Correctly detect when SSL subsystem must be initialized This patch introduces the new function Conf_SSLInUse() to check when the current server configuration requires the SSL subsystem to be initialized and accounts incoming as well as outgoing connections -- so this fixes commit bb20aeb9 ("Initialize SSL when needed only, and disable SSL on errors") which only handled the inbound case ... Tested-by: Brett Smith <brett@w3.org> (cherry picked from commit ab009976984ede815c31c9a6b318c80006823b81)

autogen.sh: Enforce serial test harness on automake >=1.13 (cherry picked from commit 0703fcd71983bd04f70101fd0143660174d22f84)

ngIRCd Release 20.1

Update Copyright notices for 2013

Allow ERROR command on server and service links only Ignore it and add a penalty time on all other link types.

Get rid of Conn_ResetPenalty(), it is unused

Mode setting: only check channel user modes when on channel Only check the channel user modes of the initiator if he is joined to this channel and not an IRC operator enforcing modes (which requires the configuration option "OperCanUseMode" to be enabled), because trying to check channel user modes of a non-member results in this assertion: Assertion failed: (cl2chan != NULL), function Channel_UserModes, file channel.c, line 742. This closes bug #147, thanks to James Kirwill <james.kirwill@bk.ru> for tracking this down!

Add some more casts in assert() statemens This fixes the following warning messages of gcc 4.5.3 on Cygwin when building with debug code enabled: ng_ipaddr.c: In function ‘ng_ipaddr_init’: ng_ipaddr.c:52:2: warning: comparison between signed and unsigned integer expressions ng_ipaddr.c:53:20: warning: comparison between signed and unsigned integer expressions resolve.c: In function ‘ForwardLookup’: resolve.c:271:3: warning: comparison between signed and unsigned integer expressions

Makefiles: Correctly quote sed expressions Now the Makefiles support spaces in "$sysconfdir", which isn't uncommon for Cygwin for example, when $HOME contains whitespaces ("/home/User Name") and ngIRCd is installed into the user home ("./configure --prefix=$HOME").

Add Cygwin binaries (*.exe) to .gitignore files

Add a cast in ForwardLookup() to fix a gcc warning on Cygwin This fixes the following warning message of 4.5.3 on Cygwin: resolve.c: In function ‘ForwardLookup’: resolve.c:273:21: warning: comparison between signed and unsigned integer expressions

ngIRCd Release 20

Update NEWS and ChangeLog files

Allow user names up to 20 characters This patch allows user names up to 20 characters when ngIRCd has not been configured for "strict RFC mode". Patch suggested by Brett Smith <brett@w3.org>, see <http://arthur.barton.de/pipermail/ngircd-ml/2012-October/000579.html>.

ngIRCd 20~rc2

Update NEWS and ChangeLog files