- update to 1.10.1:
* Fix use-after-free in capabilities handling. The visible effect of this was
either crash, or some capabilities having wrong state
* Fix nullptr dereference in TAGMSG handling
* Preserve `DisableClientCap/DisableServerCap` settings when writing config
* The listening unix socket can now be configured to belong to a specific
group and/or to have a specific file access mode. The syntax for AddPort
command is `unix:ssl,group=mygroup,mode=666:/path`, some of these options
can be skipped if the feature is not needed
OBS-URL: https://build.opensuse.org/request/show/1290133
OBS-URL: https://build.opensuse.org/package/show/server:irc/znc?expand=0&rev=108
- update to 1.10.0:
* SASL v3.1 and v3.2 for clients
* Added a way to disable capabilities
* Warn user if flood protection is delaying the messages for too long
* Added experimental support for unix sockets
* `znc --makepem` now takes the CN from `gethostname()` and `uname()` if available
* Fixed high CPU usage when ZNC is connecting to a server
* Sped up capability negotiation with the server
* Don't forward client JOINs during registration
* Fixed the translation pipeline again
* Fixed sending server passwords with spaces in them
* CTCP sent to `*status` shouldn't reach server
* Made PING skip the flood protection queue just like PONG does
* Made CTCP flood timer use monotonic time
* certauth: it's no longer required to send a garbage password via `PASS` command, if
the client uses SASL EXTERNAL
* log: don't log user quits to logs of channels that are disabled
* modperl: removed usage of deprecated keywords `given`/`when`
* sasl: if RequireAuth is set, but SASL failed, don't disable the network anymore
* webadmin:
- fixed editing fields which are allowed to be edited while
`DenySetNetwork` is set.
- removed old compatibility code for pre-0.090 versions of parsing
arguments to module to open another web port.
OBS-URL: https://build.opensuse.org/request/show/1284526
OBS-URL: https://build.opensuse.org/package/show/server:irc/znc?expand=0&rev=106
- Update to 1.9.1 (boo#1227393, CVE-2024-39844)
* This is a security release to fix CVE-2024-39844: remote code
execution vulnerability in modtcl.
To mitigate this for existing installations, simply unload the
modtcl module for every user, if it's loaded. Note that only
users with admin rights can load modtcl at all.
* Improve tooltips in webadmin.
OBS-URL: https://build.opensuse.org/request/show/1185717
OBS-URL: https://build.opensuse.org/package/show/server:irc/znc?expand=0&rev=101
- Update to version 1.9.0:
* Fixed crash when receiving SASL lines from server without having negotiated SASL via CAP.
* Fixed build with SWIG 4.2.0.
* Fixed build with LibreSSL.
* Fixed handling of timezones when parsing server-time tags received from server.
* Use module names as the module ident, otherwise some clients were merging conversations with different modules together.
* Stopped sending invalid 333 (`RPL_TOPICWHOTIME`) to client if topic owner is unknown.
* Fixed an ODR violation.
* Better hide password in PASS debug lines, sometimes it was not hidden.
* CAP REQ sent by client without CAP LS now suspends the registration as the spec requires.
* Removed 1841.patch (upstreamed).
* Modified harden_znc.service.patch to apply to latest release.
OBS-URL: https://build.opensuse.org/request/show/1171441
OBS-URL: https://build.opensuse.org/package/show/server:irc/znc?expand=0&rev=99
- Update to 1.8.2:
* Polish translation
* List names of translators in TRANSLATORS.md file in source,
as this contribution isn't directly reflected in git log
* During --makeconf warn about listening on port 6697 too, not only about 6667 (#1734)
* webadmin: When confirming deletion of a network and selecting No,
redirect to the edituser page instead of listusers page (#1751)
* Make more client command results translateable, which were missed before
OBS-URL: https://build.opensuse.org/request/show/832996
OBS-URL: https://build.opensuse.org/package/show/server:irc/znc?expand=0&rev=92
- Update to 1.8.0:
* Output of various commands (e.g. /znc help) was switched from a table to a list
* Support IP while verifying SSL certificates (#1504)
* Make it more visible that admins have lots of privileges
* Fix null dereference on startup when reading invalid config (#1585)
* Don't show server passwords on ZNC startup (#1599)
* Fix build with newer OpenSSL (#1688)
* Fix in-source CMake build
* Fix echo-message for *status (#1705)
* controlpanel: Add already supported NoTrafficTimeout User variable to help output
* Support python 3.9 (#1702)
* modtcl: Added GetNetworkName (#1658)
* partyline: Module is removed (#1632)
* q: Module is removed (#786)
* route_replies: Handle more numerics (#1421) (#1659) (#1660)
* sasl: Fix sending of long authentication information (#942)
* shell: Unblock signals when spawning child processes (#1590)
* simple_away: Convert to UTC time (#1506)
* watch: Better support multiple clients (#1701)
* webadmin: Better wording for TrustPKI setting (#1670) (#1711) (#1713)
* Refactor the way how SSL certificate is checked to simplify
future socket-related refactors (#1697)
* Various improvements for translation CI
* Normalize variable name sUserName/sUsername (#1546)
* Make de-escaping less lenient (#1715)
OBS-URL: https://build.opensuse.org/request/show/800722
OBS-URL: https://build.opensuse.org/package/show/server:irc/znc?expand=0&rev=86
- Update to version 1.7.1:
* Security critical fixes[edit]
+ CVE-2018-14055: non-admin user could gain admin privileges and shell access by injecting values into znc.conf.
+ CVE-2018-14056: path traversal in HTTP handler via ../ in a web skin name.
* Core
+ Fix znc-buildmod to not hardcode the compiler used to build ZNC anymore in CMake build (#1536)
+ Fix language selector. Russian and German were both not selectable.
+ Fix build without SSL support (#1554)
+ Fix several broken strings
+ Stop spamming users about debug mode. This feature was added in 1.7.0, now reverted. (#1541)
* New
+ Add partial Spanish, Indonesian, and Dutch translations
* Modules
+ adminlog: Log the error message again (regression of 1.7.0) (#1557)
+ admindebug: New module, which allows admins to turn on/off --debug in runtime (#1556)
+ flooddetach: Fix description of commands (#1548)
+ modperl: Fix memory leak in NV handling
+ modperl: Fix functions which return VCString (#1543)
+ modpython: Fix functions which return VCString (#1543)
+ webadmin: Fix fancy CTCP replies editor for Firefox. It was showing the plain version even when JS is enabled
* Internal
+ Deprecate one of the overloads of CMessage::GetParams(), rename it to CMessage::GetParamsColon()
+ Don't throw from destructor in the integration test
+ Fix a warning with integration test / gmake / znc-buildmod interaction.
- Drop upstream patches:
* znc-inject2.patch
* znc-inject.patch
* znc-traversal.patch
- Fix boo#1101280 CVE-2018-14056
OBS-URL: https://build.opensuse.org/request/show/623567
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/znc?expand=0&rev=15
* Security critical fixes[edit]
+ CVE-2018-14055: non-admin user could gain admin privileges and shell access by injecting values into znc.conf.
+ CVE-2018-14056: path traversal in HTTP handler via ../ in a web skin name.
* Core
+ Fix znc-buildmod to not hardcode the compiler used to build ZNC anymore in CMake build (#1536)
+ Fix language selector. Russian and German were both not selectable.
+ Fix build without SSL support (#1554)
+ Fix several broken strings
+ Stop spamming users about debug mode. This feature was added in 1.7.0, now reverted. (#1541)
* New
+ Add partial Spanish, Indonesian, and Dutch translations
* Modules
+ adminlog: Log the error message again (regression of 1.7.0) (#1557)
+ admindebug: New module, which allows admins to turn on/off --debug in runtime (#1556)
+ flooddetach: Fix description of commands (#1548)
+ modperl: Fix memory leak in NV handling
+ modperl: Fix functions which return VCString (#1543)
+ modpython: Fix functions which return VCString (#1543)
+ webadmin: Fix fancy CTCP replies editor for Firefox. It was showing the plain version even when JS is enabled
* Internal
+ Deprecate one of the overloads of CMessage::GetParams(), rename it to CMessage::GetParamsColon()
+ Don't throw from destructor in the integration test
+ Fix a warning with integration test / gmake / znc-buildmod interaction.
- Drop upstream patches:
* znc-inject2.patch
* znc-inject.patch
* znc-traversal.patch
OBS-URL: https://build.opensuse.org/package/show/server:irc/znc?expand=0&rev=72
* Add CMake build. Minimum supported CMake version is 3.1. For now ZNC can be built with either CMake or autoconf. In future autoconf is going to be removed.
* Currently znc-buildmod requires python if CMake was used; if that's a concern for you, please open a bug.
* Increase minimum GCC version from 4.7 to 4.8. Minimum Clang version stays at 3.2.
* Make ZNC UI translateable to different languages (only with CMake), add partial Russian and German translations. (#1237) (#1354) (#1462)
* If you want to translate ZNC to your language, please join https://crowdin.com/project/znc-bouncer
* Configs written before ZNC 0.206 can't be read anymore (#929)
* Implement IRCv3.2 capabilities away-notify, account-notify, extended-join (#315) (#316)
* Implement IRCv3.2 capabilities echo-message, cap-notify on the "client side" (#950)
* Update capability names as they are named in IRCv3.2: znc.in/server-time-iso→server-time, znc.in/batch→batch. Old names will continue working for a while, then will be removed in some future version.
* Make ZNC request server-time from server when available (#839)
* Increase accepted line length from 1024 to 2048 to give some space to message tags
* Separate buffer size settings for channels and queries (#967)
* Support separate SSLKeyFile and SSLDHParamFile configuration in addition to existing SSLCertFile (#1192)
* Add "AuthOnlyViaModule" global/user setting (#331)
* Added pyeval module
* Added stripcontrols module (#387)
* Add new substitutions to ExpandString: %empty% and %network%. (#1049) (#1139)
* Stop defaulting real name to "Got ZNC?" (#818)
* Make the user aware that debug mode is enabled. (#1446)
* Added ClearAllBuffers command (#852)
* Don't require CSRF token for POSTs if the request uses HTTP Basic auth. (#946)
* Set HttpOnly and SameSite=strict for session cookies (#1077) (#1450)
* Add SNI SSL client support (#1200)
* Add support for CIDR notation in allowed hosts list and in trusted proxy list (#207) (#1219)
* Add network-specific config for cert validation in addition to user-supplied fingerprints: TrustAllCerts, defaults to false, and TrustPKI, defaults to true. (#866)
* Add /attach command for symmetry with /detach. Unlike /join it allows wildcards.
* Timestamp format now supports sub-second precision with %f. Used in awaystore, listsockets, log modules and buffer playback when client doesn't support server-time (#1455)
* Build on macOS using ICU, Python, and OpenSSL from Homebrew, if available (#894)
* Remove --with-openssl=/path option from ./configure. SSL is still supported and is still configurable
OBS-URL: https://build.opensuse.org/package/show/server:irc/znc?expand=0&rev=64
