Oragono v2.6.1 Release Notes

Release Date: 2021-04-26

Oragono 2.6.1 is a bugfix release, fixing a security issue that is critical for some private server configurations. We regret the oversight.

The issue affects two classes of server configuration:

1. Private servers that use server.password (i.e., the PASS command) for protection. If accounts.registration.allow-before-connect is enabled, the REGISTER command can be used to bypass authentication. Affected operators should set this field to false, or upgrade to 2.6.1, which disallows the insecure configuration. (If the field does not appear in the configuration file, the configuration is secure since the value defaults to false when unset.)

2. Private servers that use accounts.require-sasl for protection. If these servers do not additionally set accounts.registration.enabled to false, the REGISTER command can potentially be used to bypass authentication. Affected operators should set accounts.registration.enabled to false; this recommendation appeared in the operator manual but was not emphasized sufficiently. (Configurations that require SASL but allow open registration are potentially valid, e.g., in the case of public servers that require everyone to use a registered account; accordingly, Oragono 2.6.1 continues to permit such configurations.)

This release includes no changes to the config file format or the database.

Many thanks to @ajaspers for reporting the issue.

Security

• Fixed and documented potential authentication bypasses via the REGISTER command (#1634, thanks @ajaspers!)