
ChangeLog/0.072

Revision as of 16:21, 17 December 2011 by DarthGandalf


All webadmin skins are broken in this release due to a bug in webadmin itself. This is fixed in the next release.

High-impact security bugs

A path traversal bug in ZNC gave attackers write access to any location that ZNC itself can write to. The attacker only needed a user account (with BounceDCCs enabled). Details are in the commit message. (r1570)

This is CVE-2009-2658.

Affected versions

All ZNC versions since ZNC 0.022 (Initial import in SVN) are affected.

New stuff

Fixes

  • znc --no-color --makeconf still used some color codes. (r1519)
  • Webadmin favicons were broken since (r1481). (r1524)
  • znc.pc was installed to the wrong directory in multilib systems. (r1530)
  • Handle flags such as --allow-root for /msg *status restart. (r1531) (r1533)
  • Fix channel user mode tracking. (r1574)
  • Fix a possible crash if users are deleted while they are connecting to IRC. (r1557)
  • Limit HTTP POST data to 1 MiB. (r1559)
  • OnStatusCommand() wasn't called for commands executed via /znc. (r1562)
  • On systems where sizeof(off_t) is 4, all ZNC-originated DCCs failed with "File too large (>4 GiB)". (r1568)
  • ZNC didn't properly verify paths when checking for directory traversal attacks (Low impact). (r1569)

Minor stuff

Internal stuff

  • The API for traffic stats changed. (r1521) (r1523)
  • Some optimizations to CSmartPtr. (r1522)
  • CString now accepts an optional precision for converting floating point numbers. (r1525)
  • Made home dir optional in CDir::ChangeDir(). (r1536)
  • Stuff. (r1537) (r1550)
  • EMFILE in CSockets is handled by closing the socket. (r1544)

Special thanks to cnu and flakes!