Oragono v2.7.0-rc1 Release Notes

Release Date: 2021-05-30
  • We're pleased to be publishing Ergo 2.7.0-rc1, our first release candidate under our new name of Ergo. This release contains bug fixes and minor enhancements.

    This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading. This release includes no changes to the database format.

    Because the name of the executable has changed from oragono to ergo (ergo.exe on Windows), you may need to update your system configuration (e.g., scripts or systemd unit files that reference the executable).

    Many thanks to @ajaspers and @jesopo for contributing patches, to @ajaspers, @ChrisTX, @emersion, @jwheare, @kylef, @Mikaela, @mogad0n, and @ProgVal for reporting issues and helping test, and to our translators for contributing translations.

    Changed

    • The project was renamed from "Oragono" to "Ergo" (#897, thanks to everyone who contributed feedback or voted in the poll)

    Config changes

    • Entries in server.listeners now take a new key, min-tls-version, that can be used to set the minimum required TLS version; the recommended default value is 1.2 (#1611, thanks @ChrisTX!)
    • Added max-conns (maximum connection count) and max-conn-lifetime (maximum lifetime of a connection before it is cycled) to datastore.mysql (#1622)
    • Added massmessage operator capability to allow sending NOTICEs to all connected users (#1153, #1629, thanks @jesopo!)

    Security

    • If require-sasl.enabled is set to true, tor-listeners.require-sasl will be automatically set to true as well (#1636)
    • It is now possible to set the minimum required TLS version, using the min-tls-version key in listener configuration
    • Configurations that require SASL but allow user registration now produce a warning (#1637)

    Added:

    • Operators with the correct permissions can now send "mass messages", e.g. /NOTICE $$* will send a NOTICE to all users (#1153, #1629, thanks @jesopo!)
    • Operators can now extend the maximum (non-tags) length of the IRC line using the server.max-line-len configuration key. This is not recommended for use outside of "closed-circuit" deployments where IRC operators have full control of all client software. (#1651)

    Fixed

    • RELAYMSG now sends a full NUH ("nick-user-host"), instead of only the relay nickname, as the message source (#1647, thanks @ProgVal, @jwheare, and @Mikaela!)
    • Fixed a case where channels would remain visible in /LIST after unregistration (#1619, thanks @ajaspers!)
    • Fixed incorrect tags on JOIN lines in +u ("auditorium") channels (#1642)
    • Fixed an issue where LUSERS counts could get out of sync (#1617)
    • It was impossible to add a restricted set of snomasks to an operator's permissions; this has been fixed (#1618)
    • Fixed incorrect language in NS INFO responses (#1627, thanks @ajaspers!)
    • Fixed a case where the REGISTER command would emit an invalid error message (#1633, thanks @ajaspers!)
    • Fixed snomasks displaying in a nondeterministic order (#1669, thanks @Mikaela!)

    Removed

    • Removed the draft/resume-0.5 capability, and the associated RESUME and BRB commands (#1624)

    Internal

    • Optimized MySQL storage of direct messages (#1615)

Previous changes from v2.6.1

  • Oragono 2.6.1 is a bugfix release, fixing a security issue that is critical for some private server configurations. We regret the oversight.

    The issue affects two classes of server configuration:

    1. Private servers that use server.password (i.e., the PASS command) for protection. If accounts.registration.allow-before-connect is enabled, the REGISTER command can be used to bypass authentication. Affected operators should set this field to false, or upgrade to 2.6.1, which disallows the insecure configuration. (If the field does not appear in the configuration file, the configuration is secure since the value defaults to false when unset.)

    2. Private servers that use accounts.require-sasl for protection. If these servers do not additionally set accounts.registration.enabled to false, the REGISTER command can potentially be used to bypass authentication. Affected operators should set accounts.registration.enabled to false; this recommendation appeared in the operator manual but was not emphasized sufficiently. (Configurations that require SASL but allow open registration are potentially valid, e.g., in the case of public servers that require everyone to use a registered account; accordingly, Oragono 2.6.1 continues to permit such configurations.)

    This release includes no changes to the config file format or the database.

    Many thanks to @ajaspers for reporting the issue.

    Security

    • Fixed and documented potential authentication bypasses via the REGISTER command (#1634, thanks @ajaspers!)
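
The two v2.6.1 configuration classes and the v2.7.0-rc1 min-tls-version recommendation above, expressed as an audit over a parsed config. This is an added example, not code from the Ergo project. It assumes the config file has already been loaded into nested dicts by a YAML parser, that a listener is a TLS listener when it carries a tls block, and that unset boolean keys are false; get, audit, TLS and SAMPLE are names made up for this example.

```python
# Added example (not Ergo project code): audit a parsed Ergo/Oragono config for
# the settings these notes flag. Assumptions: a listener is TLS when it has a
# "tls" block, and unset boolean keys are false.
def get(cfg, path, default=None):
    """Walk a dotted key path through nested dicts."""
    for key in path.split("."):
        if not isinstance(cfg, dict) or key not in cfg:
            return default
        cfg = cfg[key]
    return cfg

def audit(cfg):
    """Return (severity, key, message) findings for a parsed config."""
    out = []
    if get(cfg, "server.password") and get(cfg, "accounts.registration.allow-before-connect"):
        out.append(("critical", "accounts.registration.allow-before-connect",
                    "REGISTER can bypass server.password; set this to false"))
    if get(cfg, "accounts.require-sasl.enabled") and get(cfg, "accounts.registration.enabled"):
        out.append(("warning", "accounts.registration.enabled",
                    "SASL required but registration open; set to false on private servers"))
    for addr, lst in (get(cfg, "server.listeners") or {}).items():
        if not isinstance(lst, dict) or "tls" not in lst:
            continue  # plaintext listener: min-tls-version does not apply
        ver = lst.get("min-tls-version")
        if ver is None:
            out.append(("info", addr, "min-tls-version unset; recommended value is 1.2"))
        elif float(str(ver)) < 1.2:
            out.append(("warning", addr, f"min-tls-version {ver} is below 1.2"))
    return out

# Constructed sample, shaped as a YAML loader would return it; not a real deployment.
TLS = {"cert": "fullchain.pem", "key": "privkey.pem"}
SAMPLE = {
    "server": {
        "password": "<placeholder-hash>",
        "listeners": {
            ":6667": None,
            ":6697": {"tls": TLS},
            ":6698": {"tls": TLS, "min-tls-version": 1.0},
            ":6699": {"tls": TLS, "min-tls-version": 1.2},
        },
    },
    "accounts": {"require-sasl": {"enabled": True},
                 "registration": {"enabled": True, "allow-before-connect": True}},
}

if __name__ == "__main__":
    for severity, key, message in audit(SAMPLE):
        print(f"[{severity}] {key}: {message}")
```

The SASL-plus-registration finding is a warning rather than an error because, as the notes say, that combination is valid for public servers that require registered accounts.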