All webadmin skins are broken in this release due to a bug in webadmin itself. This is fixed in the next release.
High-impact security bugs
There was a path traversal bug in ZNC which allowed attackers write access to any place to which ZNC has write access. The attacker only needed a user account (with BounceDCCs enabled). Details are in the commit message. (r1570)
This is CVE-2009-2658.
All ZNC versions since ZNC 0.022 (Initial import in SVN) are affected.
/msg *status uptimeis now accessible to everyone. (r1526)
- ZNC can now optionally use c-ares for asynchronous DNS resolving. (r1548) (r1549) (r1550) (r1551) (r1552) (r1553) (r1556) (r1565) (r1566)
- The new config option
AnonIPLimitlimits the number of unidentified connections per IP. (r1561) (r1563) (r1567)
znc --no-color --makeconfstill used some color codes. (r1519)
- Webadmin favicons were broken since (r1481). (r1524)
- znc.pc was installed to the wrong directory in multilib systems. (r1530)
- Handle flags like e.g. --allow-root for
/msg *status restart. (r1531) (r1533)
- Fix channel user mode tracking. (r1574)
- Fix a possible crash if users are deleted while they are connecting to IRC. (r1557)
- Limit HTTP POST data to 1 MiB. (r1559)
OnStatusCommand()wasn't called for commands executed via
- On systems where sizeof(off_t) is 4, all ZNC-originated DCCs failed with "File too large (>4 GiB)". (r1568)
- ZNC didn't properly verify paths when checking for directory traversal attacks (Low impact). (r1569)
- Minor speed optimizations. (r1527) (r1532)
- stickychan now accepts a channel list as module arguments. (r1534)
- Added a clear command to nickserv. (r1554)
- Added an execute command to perform. (r1558)
- Added a swap command to perform. (r1560)
- fail2ban clears all bans on rehash. (r1564)
- The API for traffic stats changed. (r1521) (r1523)
- Some optimizations to
- CString now accepts an optional precision for converting floating point numbers. (r1525)
- Made home dir optional in
- Stuff. (r1537) (r1550)
- EMFILE in CSockets is handled by closing the socket. (r1544)
Special thanks to cnu and flakes!