Comparing changes: atheme/atheme, base v7.2.11, compare v7.2.12
  • 9 commits
  • 25 files changed
  • 4 contributors

Commits on Feb 28, 2021

  1. Git tree (not tarballs): include/mkserno.sh: remove --broken switch

    Some very old gits do not support this; it was added in 2.13.0 (2017).
    
    We already sort of detect broken submodules in the configure script,
    so this should be safe to remove. Unless the user deliberately
    corrupts their repository, there's no difference.
    aaronmdjones committed Feb 28, 2021

Commits on Mar 2, 2021

  1. include/mkserno.sh: exit early in presence of an environment variable

    This makes life easier for people who want to package snapshots
    of a git branch. They must provide their own serno.h in this
    case, containing also, perhaps, the date the snapshot was
    downloaded or such.
    aaronmdjones committed Mar 2, 2021

Commits on Mar 11, 2021

  1. configure: put directory macros in a header file, not in CPPFLAGS

    This will be necessary for my near-future intention to change the contrib
    modules repository to be self-building; i.e. to have its own configure
    script and build system.
    
    Also don't try to expand directories like MODDIR for pretty printing,
    because it sometimes doesn't work depending on the directory arguments
    given to ./configure. Yeah, the config output looks worse, but oh well.
    aaronmdjones committed Mar 11, 2021

Commits on Mar 18, 2021

  1. modules/contrib/: transition to independent build system

    Having to duplicate configure tests in all supported Atheme release and
    development branches, to enable contrib modules to be built reliably on
    all of our supported platforms, was quickly becoming untenable.
    aaronmdjones committed Mar 18, 2021

Commits on Jun 1, 2021

Commits on Jun 2, 2021

  1. Merge pull request #785 from fasterthanlime/patch-1

    Comment typo: nore ➡️ node
    alyx committed Jun 2, 2021

Commits on Sep 29, 2021

  1. corestorage: don't try to write if we couldn't open a database

    (cherry picked from commit f26b1b7)
    aaronmdjones authored and ilbelkyr committed Sep 29, 2021

Commits on Jan 30, 2022

  1. modules/saslserv/main: backport 7.3 commits for pending EID login

    This backports commits 4e664c7 & ceb0235
    from the master branch.
    
    The IRCv3.1 SASL specification contains the following wording:
    
        If the client completes registration (with CAP END, NICK, USER
        and any other necessary messages) while the SASL authentication
        is still in progress, the server SHOULD abort it and send a 906
        numeric, then register the client without authentication.
    
    We were relying on this behaviour (which was our mistake; it's a
    SHOULD, not a MUST), which turned out to be implemented in every
    IRC server daemon (that supports SASL) that we are aware of. This
    means that if someone completes registration without having completed
    an SASL negotiation, the SASL session would be aborted before the
    client is introduced to the network. At that point, the session would
    not exist and the client would not be logged in.
    
    The InspIRCd developers changed this behaviour in the
    inspircd/inspircd@407b2e004cf66e442771 commit. It no longer aborts
    negotiation when a client prematurely completes registration.
    
    This means that if the client is attempting a multi-step (challenge-
    response) authentication mechanism, and that mechanism caches user
    credentials at some point before completion, the client can prematurely
    end negotiation and get logged in as that user.
    
    Worse still, SASL impersonation lets the attacker set the authzid to
    their intended victim, allowing them to login as anyone, even if they
    don't have a challenge-response authentication credential configured.
    This does not exist in version 7.1; the victim's account there has to
    have such a credential to be vulnerable to this attack.
    
    Vulnerable configurations are as follows:
    
    - All of:
      - InspIRCd 3+
      - Any of:
        - Atheme 7.1 (any version)
        - Atheme 7.2 (any version before 7.2.12; this commit)
        - Atheme 7.3 (any version before commit 4e664c7)
      - Any of:
        - The saslserv/scram module is loaded
        - The saslserv/ecdh-x25519-challenge module is loaded
        - The saslserv/ecdsa-nist256p-challenge module is loaded
    
    This is a fix for a security vulnerability. The master (7.3) branch
    was already fixed in 4e664c7, but the scope of the
    problem was not fully known at that time. The 7.1 branch is no longer
    supported, is not receiving security updates, and will not be patched;
    users of the 7.1 series (using an IRCd that does not abort the SASL
    session when the client prematurely completes registration) must
    upgrade, or unload the `saslserv/ecdsa-nist256p-challenge` module.
    
    This problem was discovered by and reported by @edk0.
    aaronmdjones committed Jan 30, 2022
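The flaw the commit message describes is a state-machine ordering bug: a multi-step mechanism records which account it is talking to before it has verified anything, and the services side then treats that half-finished session as a login when the IRCd hands it the newly registered client. The model below is an added example, not atheme's code and not the SCRAM or ECDH/ECDSA mechanisms themselves; the two-step HMAC challenge, the account table, the `SaslSession` fields and the `ircd_aborts_sasl` / `require_complete` switches are all constructed for illustration. It shows the three outcomes the message enumerates: an IRCd that follows the spec's SHOULD and aborts the session on premature registration, an IRCd that does not (the InspIRCd 3 behaviour), and the services-side rule that only a completed mechanism may log a client in.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed account database for the example: account name -> shared secret.
ACCOUNTS = {
    "alice": b"alice-secret",
    "victim": b"victim-secret",
}


@dataclass
class SaslSession:
    """Per-connection SASL state (constructed; mirrors the commit's description)."""
    authcid: Optional[str] = None   # account looked up in step 1: the "cached credential"
    authzid: Optional[str] = None   # identity the client asked to be logged in as
    nonce: Optional[bytes] = None   # challenge issued in step 1
    complete: bool = False          # set only once step 2 verifies the response


def mech_step1(session: SaslSession, initial: bytes) -> bytes:
    """Step 1 of a constructed two-step challenge-response mechanism.

    The client sends 'authzid\\0authcid'. The server looks the account up,
    remembers it on the session and returns a random challenge. At this point
    nothing has been proven: the session merely knows who it is talking to.
    """
    authzid, authcid = initial.decode().split("\0")
    if authcid not in ACCOUNTS:
        raise ValueError("no such account")
    session.authcid = authcid
    session.authzid = authzid or authcid
    session.nonce = os.urandom(16)
    return session.nonce


def mech_step2(session: SaslSession, response: bytes) -> bool:
    """Step 2: verify HMAC(secret, nonce). Only here is the session complete."""
    if session.authcid is None or session.nonce is None:
        raise ValueError("step 1 has not run")
    expected = hmac.new(ACCOUNTS[session.authcid], session.nonce, hashlib.sha256).digest()
    session.complete = hmac.compare_digest(expected, response)
    return session.complete


def register_client(session: SaslSession, ircd_aborts_sasl: bool,
                    require_complete: bool) -> Optional[str]:
    """The client completes registration (CAP END, NICK, USER) mid-negotiation.

    ircd_aborts_sasl: the IRCd follows the spec's SHOULD, drops the session
      and sends 906, so services never sees a login attempt for it.
    require_complete: the services-side rule that a client is logged in only
      if the mechanism reached its final step.
    Returns the account the client ends up logged in as, or None.
    """
    if ircd_aborts_sasl:
        return None
    if require_complete and not session.complete:
        return None
    # Vulnerable path: trust whatever the half-finished mechanism left behind,
    # including a client-chosen authzid that was never authorised.
    return session.authzid or session.authcid


def client_response(account: str, nonce: bytes) -> bytes:
    """What an honest client holding the secret sends in step 2."""
    return hmac.new(ACCOUNTS[account], nonce, hashlib.sha256).digest()


def demo(require_complete: bool) -> dict:
    """Run the three scenarios from the commit message under one services policy."""
    results = {}

    # Honest client: both steps, then registration.
    s = SaslSession()
    nonce = mech_step1(s, b"\0alice")
    mech_step2(s, client_response("alice", nonce))
    results["honest"] = register_client(s, ircd_aborts_sasl=False,
                                        require_complete=require_complete)

    # Attacker holding alice's secret: step 1 only, authzid set to the victim,
    # then premature registration on an IRCd that does not abort SASL.
    s = SaslSession()
    mech_step1(s, b"victim\0alice")
    results["early_noabort"] = register_client(s, False, require_complete)

    # Same attacker on an IRCd that aborts the session on premature registration.
    s = SaslSession()
    mech_step1(s, b"victim\0alice")
    results["early_abort"] = register_client(s, True, require_complete)
    return results


if __name__ == "__main__":
    print("vulnerable services:", demo(require_complete=False))
    print("fixed services:     ", demo(require_complete=True))
```

The point the model makes is that the IRCd-side abort is a defence the services side must not depend on: with `require_complete=False` the half-finished session yields a login as `victim` on a non-aborting IRCd, while with `require_complete=True` neither IRCd behaviour lets an unfinished mechanism log anyone in.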