Skip to content

v2.6.1 - a security fix
Compare
Choose a tag to compare
@slingamn slingamn released this 26 Apr 01:18
· 795 commits to master since this release
v2.6.1
This tag was signed with the committer’s verified signature.
slingamn Shivaram Lingamneni
GPG key ID: 1996B89DF018DCAB
Verified
Learn about vigilant mode.
937b9b0

Oragono 2.6.1 is a bugfix release, fixing a security issue that is critical for some private server configurations. We regret the oversight.

The issue affects two classes of server configuration:

  1. Private servers that use server.password (i.e., the PASS command) for protection. If accounts.registration.allow-before-connect is enabled, the REGISTER command can be used to bypass authentication. Affected operators should set this field to false, or upgrade to 2.6.1, which disallows the insecure configuration. (If the field does not appear in the configuration file, the configuration is secure since the value defaults to false when unset.)
  2. Private servers that use accounts.require-sasl for protection. If these servers do not additionally set accounts.registration.enabled to false, the REGISTER command can potentially be used to bypass authentication. Affected operators should set accounts.registration.enabled to false; this recommendation appeared in the operator manual but was not emphasized sufficiently. (Configurations that require SASL but allow open registration are potentially valid, e.g., in the case of public servers that require everyone to use a registered account; accordingly, Oragono 2.6.1 continues to permit such configurations.)

This release includes no changes to the config file format or the database.

Many thanks to @ajaspers for reporting the issue.

Security

  • Fixed and documented potential authentication bypasses via the REGISTER command (#1634, thanks [@ajaspers](https://
    github.com/ajaspers)!)
Assets 13
Loading