Please use this instead of http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/76274

Update to version 3.2.2, including Security Fix:

SECURITY ADVISORY
==================

A serious Denial-of-Service issue has been discovered in UnrealIRCd.

==[ AFFECTED VERSIONS ]==
Affected:
- Unreal3.2: beta18, beta19, RC-1, RC-2, 3.2, 3.2.1, 3.2.2
Unaffected:
- versions older than beta18 (OLD, UNSUPPORTED)
- 3.1* (VERY OLD, UNSUPPORTED)
- If you have NO servers and NO services linked and you are using a vulnerable version then this problem does not occur (this is however an uncommon configuration)
Fixed in/by:
- Hot-patched 3.2* servers (see FIX)
- The newly released 3.2.2b (for fresh installs)
- CVS from January 15 03:00 GMT and later

==[ PROBLEM ]==
There's a severe crashbug present in UnrealIRCd that can quite easily be triggered by users. No code execution or anything like that is possible (it's a NULL pointer dereference), but it does cause a crash, which is of course serious enough.

Server admins should apply the fix (which does not require a server restart) as soon as possible before an exploit becomes widespread (within 24h is recommended). During the time of writing (Jan15 19:00 GMT) there are no signs of "bad users" causing crashes, but we expect that this will happen after public announcement of this bug.

==[ WORKAROUND ]==
There's no safe workaround, but see next for an easy fix.

==[ FIX ]==
Thanks to modulized commands we have created a "hot patch" utility that will fix the issue WITHOUT requiring a server restart, all you will have to do is install it and rehash. This patch can be used on Unreal3.2-RC2, 3.2, 3.2.1 and 3.2.2. Older versions (e.g. betas) are not supported, in that case we suggest you upgrade to 3.2 (and apply this patch) or 3.2.2b.

Trying this, it appears that the list of master sites has changed, and 3.2.2 has been withdrawn from the mirrors to be replaced with 3.2.2b.

Here's an updated version of the patch that uses 3.2.2b, and changes the list of download sites to match the project's download page (<http://www.unrealircd.com/?page=downloads>). It also omits files/patch-m_kick.c, as this patch appears to have been included in 3.2.2b.

cheers
-- Scott

---------------- diff -Nur unreal.orig/Makefile unreal.updated/Makefile --- unreal.orig/Makefile Wed Jul 21 20:01:55 2004 +++ unreal.updated/Makefile Mon Jan 17 04:57:41 2005 
@@ -1,34 +1,39 @@ # Ports collection makefile for: Unreal-IRCd # Date created: 15 April 2004 # Whom: Gerrit Beine (<tux@pinguru.net>) -# ToDo: Make the configuration more flexible using -DOPTION for the -# configuration values, especially support for IPv6. # # $FreeBSD: ports/irc/unreal/Makefile,v 1.3 2004/07/22 02:01:55 ijliao Exp $ # PORTNAME= Unreal -PORTVERSION= 3.2.1 +PORTVERSION= 3.2.2b CATEGORIES= irc -MASTER_SITES= http://mirror.nimsay-networks.com/unrealircd/ \ - http://unrealircd.za.net/ \ - ftp://unrealircd.za.net/pub/UnrealIRCd/ +MASTER_SITES= http://unreal.atlanti-ka.org/ \ + http://unreal.stfu-n00b.net/ \ + http://unrealircd.funny-chat.net/ \ + http://unrealircd.fyrebird.net/ \ + http://unrealircd.chaosteam.hu/ \ + http://64.84.10.70/download/ \ + http://www.gower.net/unrealircd/ \ + http://www.ilmarinen.us/unreal/ \ + http://unrealircd.alert-net.com/ \ + http://www1.dnwt.net/unreal/ \ +# http://www.tiefighter.org/~unreal/downloads/ \ # file missing +# http://mirror.nimsay-networks.com/unrealircd/ \ # file missing +# http://unrealircd.za.net/ \ # file missing +# ftp://unrealircd.za.net/pub/UnrealIRCd/ \ # connect refused + DISTNAME= ${PORTNAME}${PORTVERSION} DISTFILES= ${DISTNAME}${EXTRACT_SUFX} MAINTAINER= tux@pinguru.net COMMENT= Unreal - the next generation ircd -SQLMOD= Unreal/SQLMod.tar.gz - WRKSRC= ${WRKDIR}/${PORTNAME}3.2 HAS_CONFIGURE= yes -CONFIGURE_ARGS= --enable-nospoof \ - --enable-hub \ - --enable-ziplinks \ - --with-listen=5 \ +CONFIGURE_ARGS= --with-listen=5 \ --with-dpath=${PREFIX}/Unreal \ --with-spath=${PREFIX}/Unreal/ircd \ --with-nick-history=2000 \ 
@@ -38,15 +43,28 @@ --with-fd-setsize=1024 \ --enable-dynamic-linking +OPTIONS= HUB "Configure as a hub (otherwise configure as a leaf)" on \ + NOSPOOF "Enable anti-spoof protection" off \ + ZIPLINKS "Enable ziplinks support" off \ + SSL "Support SSL connecions" off \ + IPV6 "Enable ipv6 support" off \ + PREFIXAQ "Enable prefixes for chanadmin and chanowner" off +# REMOTE "Enable remote includes" off \ this does not work at the moment + +SQLMOD= Unreal/SQLMod.tar.gz + .include <bsd.port.pre.mk> -.if exists(${DISTDIR}/${SQLMOD}) -USE_MYSQL= yes -WITH_SQLMOD= yes -MAKE_ARGS= all custommodule MODULEFILE=m_sqlmod -PLIST_FILES+= Unreal/modules/m_sqlmod.so Unreal/m_sqlmod.conf \ - Unreal/doc/Changes.sqlmod Unreal/doc/README.sqlmod \ - Unreal/doc/LICENSE.sqlmod +.if defined(WITH_HUB) +CONFIGURE_ARGS+= --enable-hub +.endif + +.if defined(WITH_NOSPOOF) +CONFIGURE_ARGS+= --enable-nospoof +.endif + +.if defined(WITH_ZIPLINKS) +CONFIGURE_ARGS+= --enable-ziplinks .endif .if defined(WITH_IPV6) @@ -58,6 +76,24 @@ USE_OPENSSL= yes .endif +.if defined(WITH_REMOTE) +LIB_DEPENDS+= curl.3:${PORTSDIR}/ftp/curl +CONFIGURE_ARGS+= --enable-libcurl=/usr/local +.endif + +.if defined(WITH_PREFIXAQ) +CONFIGURE_ARGS+= --enable-prefixaq +.endif + +.if exists(${DISTDIR}/${SQLMOD}) +USE_MYSQL= yes +WITH_SQLMOD= yes +MAKE_ARGS= all custommodule MODULEFILE=m_sqlmod +PLIST_FILES+= Unreal/modules/m_sqlmod.so Unreal/m_sqlmod.conf \ + Unreal/doc/Changes.sqlmod Unreal/doc/README.sqlmod \ + Unreal/doc/LICENSE.sqlmod +.endif + post-extract: .if defined(WITH_SQLMOD) @${TAR} xfz ${DISTDIR}/${SQLMOD} -C ${WRKSRC} @@ -69,6 +105,9 @@ .if defined(WITH_SQLMOD) @${PATCH} -d ${WRKSRC} < ${WRKSRC}/SQLMod/patch .endif + +pre-configure: + @${ECHO} ${CONFIGURE_ARGS} post-install: .if defined(WITH_SQLMOD) diff -Nur unreal.orig/distinfo unreal.updated/distinfo --- unreal.orig/distinfo Wed Jul 21 20:01:55 2004 +++ unreal.updated/distinfo Sun Jan 16 20:00:42 2005 
@@ -1,2 +1,2 @@ -MD5 (Unreal3.2.1.tar.gz) = ebe56fd42fc229681f527932eaa173cc -SIZE (Unreal3.2.1.tar.gz) = 1614434 +MD5 (Unreal3.2.2b.tar.gz) = d6a90889ce937d77e6e63787d7b31b51 +SIZE (Unreal3.2.2b.tar.gz) = 1708120
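
Review bot: In the first Makefile hunk (@@ -1,34 +1,39 @@), the last live MASTER_SITES entry, `http://www1.dnwt.net/unreal/ \`, ends in a continuation backslash and is followed only by commented-out mirrors, so where the value ends depends on how make handles a comment inside a continued line. Drop the trailing backslash from the last live entry and move the dead mirrors into a comment block outside the assignment. Every listed site is plain http and one is a bare IP address (`http://64.84.10.70/download/`), so the integrity of the fetched tarball rests entirely on the distinfo checksum.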
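
Review bot: The OPTIONS block added in the second Makefile hunk (@@ -38,15 +43,28 @@) defaults NOSPOOF and ZIPLINKS to off, while the old CONFIGURE_ARGS passed `--enable-nospoof` and `--enable-ziplinks` unconditionally, so a rebuild with default options silently drops anti-spoof protection and ziplinks support from an existing install. Either default both to on to preserve the previous build, or state the change in the commit message. In the same block, "connecions" in the SSL description should read "connections", and the commented-out REMOTE entry trailing the last OPTIONS line would be safer as a separate comment above the assignment.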
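
Review bot: The WITH_REMOTE block in the third Makefile hunk (@@ -58,6 +76,24 @@) hard-codes `--enable-libcurl=/usr/local` and can only be reached by defining WITH_REMOTE by hand, because REMOTE is commented out of OPTIONS with the remark that it does not work at the moment. Use ${LOCALBASE} in place of /usr/local, or leave the block out until the option works, so nobody enables a known-broken build path by accident.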
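
Review bot: The pre-configure target added in the last Makefile hunk (@@ -69,6 +105,9 @@) does nothing except `@${ECHO} ${CONFIGURE_ARGS}`, which reads as leftover debugging output. Remove it before commit, or add a comment explaining why the port needs to print its configure arguments.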
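
Review bot: The distinfo hunk records only an MD5 and SIZE for Unreal3.2.2b.tar.gz, and the message above says 3.2.2 was withdrawn from the mirrors and replaced, so the new MD5 should be confirmed against a value published by the UnrealIRCd project rather than only against whichever mirror served the file. distinfo also still has no entry for Unreal/SQLMod.tar.gz, which the Makefile extracts and applies a patch from whenever it exists in DISTDIR, so that archive is used without any checksum verification.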

State Changed
From-To: open->closed

Committed, thanks!