To create new wiki account, please join us on #znc at freenode or efnet and ask admins to create a wiki account for you.

ChangeLog/0.072

From ZNC
Jump to: navigation, search


All webadmin skins are broken in this release due to a bug in webadmin itself. This is fixed in the next release.

High-impact security bugs

There was a path traversal bug in ZNC which allowed attackers write access to any place to which ZNC has write access. The attacker only needed a user account (with BounceDCCs enabled). Details are in the commit message. (r1570)

This is CVE-2009-2658.

Affected versions

All ZNC versions since ZNC 0.022 (Initial import in SVN) are affected.

New stuff

Fixes

  • znc --no-color --makeconf still used some color codes. (r1519)
  • Webadmin favicons were broken since (r1481). (r1524)
  • znc.pc was installed to the wrong directory in multilib systems. (r1530)
  • Handle flags like e.g. --allow-root for /msg *status restart. (r1531) (r1533)
  • Fix channel user mode tracking. (r1574)
  • Fix a possible crash if users are deleted while they are connecting to IRC. (r1557)
  • Limit HTTP POST data to 1 MiB. (r1559)
  • OnStatusCommand() wasn't called for commands executed via /znc. (r1562)
  • On systems where sizeof(off_t) is 4, all ZNC-originated DCCs failed with "File too large (>4 GiB)". (r1568)
  • ZNC didn't properly verify paths when checking for directory traversal attacks (Low impact). (r1569)

Minor stuff

Internal stuff

  • The API for traffic stats changed. (r1521) (r1523)
  • Some optimizations to CSmartPtr. (r1522)
  • CString now accepts an optional precision for converting floating point numbers. (r1525)
  • Made home dir optional in CDir::ChangeDir(). (r1536)
  • Stuff. (r1537) (r1550)
  • EMFILE in CSockets is handled by closing the socket. (r1544)

Special thanks to cnu and flakes!