Fedora 38 : unrealircd (2023-239f057b33)

high Nessus Plugin ID 187047

Language:

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-239f057b33 advisory.

# UnrealIRCd 6.1.3

The main focus of this release is adding countermeasures against large scale spam/drones. Upstream does this by offering a central API which can be used for accessing Central Blocklist, Central Spamreport and Central Spamfilter.

## Enhancements
* Central anti-spam services:
* The services from below require a central-api key, which you can [request here](https://www.unrealircd.org/central-api/).
* [Central Blocklist](https://www.unrealircd.org/docs/Central_Blocklist) is an attempt to detect and block spammers. It works similar to DNS Blacklists but the central blocklist receives many more details about the user that is trying to connect and therefore can make a better decision on whether a user is likely a spammer.
* [Central Spamreport](https://www.unrealircd.org/docs/Central_spamreport) allows you to send spam reports (user details, last sent lines) via the `SPAMREPORT` command. This information may then be used to improve [Central Blocklist](https://www.unrealircd.org/docs/Central_Blocklist) and/or [Central Spamfilter](https://www.unrealircd.org/docs/Central_Spamfilter).
* The [Central Spamfilter](https://www.unrealircd.org/docs/Central_Spamfilter), which provides `spamfilter { }` blocks that are centrally managed, is now fetched from a different URL if you have an Central API key set. This way, upstream can later provide `spamfilter { }` blocks that build on central blocklist scoring functionality, and also so upstream doesn't have to reveal all the central spamfilter blocks to the world.
* New option `auto` for [set::hide-ban-reason](https://www.unrealircd.org/docs/Set_block#set::hide-ban- reason), which is now the default. This will hide the \*LINE reason to other users if the \*LINE reason contains the IP of the user, for example when it contains a DroneBL URL which has `lookup?ip=XXX`. This to protect the privacy of the user. Other possible settings are `no` (never hide, the previous default) and `yes` to always hide the \*LINE reason. In all cases the user affected by the server ban can still see the reason and IRCOps too.
* Make [Deny channel](https://www.unrealircd.org/docs/Deny_channel_block) support escaped sequences like `channel #xyz\*;` so you can match a literal `*` or `?` via `\*` and `\?`.
* New option [listen::options::websocket::allow- origin](https://www.unrealircd.org/docs/Listen_block#options_block_(optional)): this allows to restrict websocket connections to a list of websites (the sites hosting the HTML/JS page that makes the websocket connection). It doesn't *securely* restrict it though, non-browsers will bypass this restriction, but it can still be useful to restrict regular webchat users.
* The [Proxy block](https://www.unrealircd.org/docs/Proxy_block) already had support for reverse proxying with the `Forwarded` header. Now it also properly supports `X-Forwarded-For`. If you previously used a proxy block with type `web`, then you now need to choose one of the new types explicitly. Note that using a reverse proxy for IRC traffic is rare (see the proxy block docs for details), but upstream offers the option.

## Changes
* Reserve more file descriptors for internal use. For example, when there are 10,000 fd's are available upstream now reserves 250, and when 2048 are available upstream reserves 32. This so upstream has more fds available to handle things like log files, do HTTPS callbacks to blacklists, etc.
* Make `$client.details` in logs follow the ident rules for users in the handshake too, so use the `~` prefix if ident lookups are enabled and identd fails etc.
* More validation for operclass names (`a-zA-Z0-9_-`)
* Hits for central-blocklist are now broadcasted globally instead of staying on the same server.

## Fixes
* When using a trusted reverse proxy with the [Proxy block](https://www.unrealircd.org/docs/Proxy_block), under some circumstances it was possible for end- users to spoof IPs.
* Crash issue when a module is reloaded (not unloaded) and that module no longer provides a particular moddata object, e.g. because it was renamed or no longer needed. This is rare, but did happen for one third party module recently.
* Fix memory leak when unloading a module for good and that module provided ModData objects for unknown users (users still in the handshake).
* Don't ask to generate TLS certificate if one already exists (issue introduced in 6.1.2).

## Developers and protocol
* New hooks: `HOOKTYPE_WATCH_ADD`, `HOOKTYPE_WATCH_DEL`, `HOOKTYPE_MONITOR_NOTIFICATION`.
* The hook `HOOKTYPE_IS_HANDSHAKE_FINISHED` is now properly called at all places.
* A new [URL API](https://www.unrealircd.org/docs/Dev:URL_API) to easily fetch URLs from modules.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected unrealircd package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2023-239f057b33

Plugin Details

Severity: High

ID: 187047

File Name: fedora_2023-239f057b33.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/17/2023

Updated: 11/15/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:unrealircd, cpe:/o:fedoraproject:fedora:38

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/9/2023

Vulnerability Publication Date: 12/9/2023

Reference Information