Unreal fix

 
zeke
Idler
Joined: 04 Oct 2003
Posts: 320
Posted: Jan 18, 2005 5:08am    Post subject: Unreal fix

This is the exact reason why SearchIRC doesn't (and should continue not to) allow searching by IRCd version...
Quote:
A serious Denial-of-Service issue has been discovered in UnrealIRCd.

==[ AFFECTED VERSIONS ]==
Affected:
- Unreal3.2: beta18, beta19, RC-1, RC-2, 3.2, 3.2.1, 3.2.2

That (from what I can tell) is a large proportion of SearchIRC's database.

Anyway...for those of you who run the above versions and haven't caught up with the new patch, see http://www.unrealircd.com/unreal3_2_2b_advisory.txt

GreyMouser
Newbie
Joined: 04 Dec 2004
Posts: 74
Posted: Jan 18, 2005 5:33pm

Hear, hear!!

Dm7
none
Joined: 21 Jan 2005
Posts: 13
Posted: Jan 26, 2005 5:55pm

Thanks for letting me know. My network has been updated with that patch.

nenolod
Idler
Joined: 23 Jan 2004
Posts: 334
Location: A box!
Posted: Jan 27, 2005 12:19pm

No. This is why the Unreal project should practice stricter release engineering methods. Issues like these can be avoided if the IRCd code is run through Purify (or Valgrind if stskeeps can't afford a Purify license), splint, stackcheck and others.

Using tools like these will expose issues such as the Unreal crash issue before the code makes it to release.

I do find the methods under which SearchIRC tallies IRCd count to render inaccurate answers though, and unfairly favor the status quo (Unreal/Ultimate + Anope).

I also find it quite silly that people complain about the versioning when people can connect to the network and check for themselves via the /(quote|raw) version command.

Just my $0.02.

v0rtex
Lurker
Joined: 12 Sep 2004
Posts: 108
Location: IRC
Posted: Jan 27, 2005 9:16pm

I was idling in the chan when the guy pasted the bug in the chan! lol... OBV I noted it down!..

NO you cannot have it!

codemastr
Idler
Joined: 05 Feb 2004
Posts: 353
Posted: Jan 28, 2005 10:54am

nenolod wrote:
No. This is why the Unreal project should practice stricter release engineering methods. Issues like these can be avoided if the IRCd code is run through Purify (or Valgrind if stskeeps can't afford a Purify license), splint, stackcheck and others.


Please explain to me how one of these tools would have found this problem? Because you're completely wrong. The only way one of these tools can find a problem is if the code is executed. The reason this bug went unfound for so long was because the code is rarely executed! The particular error case was not one we had expected to occur. Secondly, are you actually going to say that we have poor release engineering methods because we've had ONE major bug? I mean, if MS released a single serious problem in Windows every 5 months, I think people would be hailing it as a great achievement! However, when it's Unreal, it's a release engineering flaw?

Oh and once again, you notice how I've never said a single bad thing about your ircd, yet here you are again criticizing Unreal!
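
An added illustration of the coverage point raised in the post above (not part of the thread, not UnrealIRCd code, and not the actual bug): a run-time checker such as Valgrind only inspects branches that execute, so a rarely taken error branch stays unchecked until a test forces it. The handler `store_nick`, the wrapper `xalloc` and the fault-injection switch are hypothetical names constructed for this sketch.

```c
/* Added illustration (constructed): not UnrealIRCd code and not the actual bug. */
#include <stdlib.h>
#include <string.h>

static int fail_next_alloc = 0;   /* test-only switch: make the next xalloc() fail */
static int error_path_hits = 0;   /* counts executions of the rare error branch */

/* Allocation wrapper so a test can inject a failure on demand. */
static void *xalloc(size_t n) {
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Hypothetical handler: duplicate a nickname. Returns 0 on success, -1 on error.
 * A memory error placed inside the NULL branch would be invisible to a
 * run-time checker until some input or fault makes that branch execute. */
int store_nick(const char *nick, char **out) {
    size_t len = strlen(nick);
    char *buf = xalloc(len + 1);
    if (buf == NULL) {
        error_path_hits++;
        *out = NULL;
        return -1;
    }
    memcpy(buf, nick, len + 1);
    *out = buf;
    return 0;
}

/* Run `normal` ordinary calls, then optionally one call with an injected
 * allocation failure. Returns how many times the error branch executed. */
int exercise(int normal, int inject) {
    char *copy;
    error_path_hits = 0;
    for (int i = 0; i < normal; i++) {
        if (store_nick("testnick", &copy) == 0)
            free(copy);
    }
    if (inject) {
        fail_next_alloc = 1;
        if (store_nick("testnick", &copy) != -1)
            free(copy);
    }
    return error_path_hits;
}
```

Running `exercise(1000, 0)` under a memory checker never touches the error branch; `exercise(1000, 1)` executes it exactly once, which is the run in which the checker can inspect it.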

nenolod
Idler
Joined: 23 Jan 2004
Posts: 334
Location: A box!
Posted: Jan 29, 2005 4:14pm

codemastr wrote:
nenolod wrote:
No. This is why the Unreal project should practice stricter release engineering methods. Issues like these can be avoided if the IRCd code is run through Purify (or Valgrind if stskeeps can't afford a Purify license), splint, stackcheck and others.


Please explain to me how one of these tools would have found this problem? Because you're completely wrong. The only way one of these tools can find a problem is if the code is executed. The reason this bug went unfound for so long was because the code is rarely executed! The particular error case was not one we had expected to occur. Secondly, are you actually going to say that we have poor release engineering methods because we've had ONE major bug? I mean, if MS released a single serious problem in Windows every 5 months, I think people would be hailing it as a great achievement! However, when it's Unreal, it's a release engineering flaw?

Oh and once again, you notice how I've never said a single bad thing about your ircd, yet here you are again criticizing Unreal!


1) This is not criticism at UnrealIRCd. This is criticism at people whining about SearchIRC versioning.

2) Unreal is actually a very good ircd! In fact I am using it in production on a couple of networks I have been forced to run for various reasons, and on a network that I inherited control over.

3) Shadow is pretty much a dead project due to the fact that it just had too many design flaws! (dead for now, that is.)

k. thx.

codemastr
Idler
Joined: 05 Feb 2004
Posts: 353
Posted: Jan 29, 2005 6:44pm

Quote:
1) This is not criticism at UnrealIRCd. This is criticism at people whining about SearchIRC versioning.


Quote:
No. This is why the Unreal project should practice stricter release engineering methods. Issues like these can be avoided if the IRCd code is run through Purify (or Valgrind if stskeeps can't afford a Purify license), splint, stackcheck and others.

Using tools like these will expose issues such as the Unreal crash issue before the code makes it to release.

I don't see the word "searchirc" mentioned once in there. All I see is you telling us that we have a bad release policy and that these tools would have found this problem (which they wouldn't because we do run these programs already).

zeke
Idler
Joined: 04 Oct 2003
Posts: 320
Posted: Jan 30, 2005 5:12am

Quote:
This is the exact reason why SearchIRC doesn't (and should continue not to) allow searching by IRCd version...

Yes it was mentioned.
You have taken the comment out of context however - it was stating a simple fact, that codemastr has kindly argued, that while releases of any software package may have been carefully checked, occasionally bugs make their way into production releases, and aren't found or reported for days, months, even years. Examples include the DCC issue in mIRC, between 6.0 up to 6.12 (or was it 6.11? can't remember exactly), and the infamous DSO exploit
Quote:
Any application that hosts the WebBrowser control (5.5+) is affected since this exploit does not require Active Scripting or ActiveX. Some of these applications are:

* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express

(see http://www.greymagic.com/security/advisories/gm001-ie/ for more)

No software (that has any relatively decent purpose - don't go pulling "Hello World" on me...) is perfect - as long as humans are coding there will be some kind of exploit, or security hole, people to report them, and people to (hopefully) fix them.

It wasn't whining, it was stating an opinion, producing facts to back it, and assisting the Unreal team in getting the word out so people can start patching ASAP. imho, whining is when people make claims with no substance, eventually forming arguments by calling people names, because their argument is so obviously incorrect. Any more than this..and it will become..an argument..and..it already..has...so..I'll..stop...now....
PEACE!

squirrel
none
Joined: 29 Mar 2004
Posts: 19
Location: England
Posted: Jan 30, 2005 8:53pm

awesome, thanks for the news.
maybe searchIRC should have the bot memoserv the listed admin of each network that is affected with the news if this ever happens again. maybe with some co-operation from the ircd authors, you could start some sort of prevention scheme. only the irc netmins would ever know they needed to patch that way.


just my 2c.

codemastr
Idler
Joined: 05 Feb 2004
Posts: 353
Posted: Jan 30, 2005 8:56pm

Hmm, that'd be a pretty cool idea. However, with this particular problem, detecting it involves more than simply checking the /version reply. This would work, but it would have many false positives (after applying the patch, the version number does not change).

zeke
Idler
Joined: 04 Oct 2003
Posts: 320
Posted: Jan 30, 2005 9:01pm

I guess the public /module command doesn't show it either for security reasons... bummer...

codemastr
Idler
Joined: 05 Feb 2004
Posts: 353
Posted: Jan 31, 2005 8:12pm

Yes, it's hidden from public view, though the module's version number is changed.

All times are GMT - 6 Hours