From: Alexander Barton <alex@barton.de>
Date: Fri, 23 Aug 2013 19:54:40 +0000 (+0200)
Subject: ngIRCd Release 20.3
X-Git-Tag: rel-20.3^0
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=refs%2Fheads%2Fbranch-20.x;p=ngircd

ngIRCd Release 20.3
---

diff --git a/ChangeLog b/ChangeLog
index 08d337fa..5920316d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,10 +9,18 @@
                                -- ChangeLog --
 
 
+ngIRCd 20.3 (2013-08-23)
+
+  - Security: Fix a denial of service bug (server crash) which could happen
+    when the configuration option "NoticeAuth" is enabled (which is NOT the
+    default) and ngIRCd failed to send the "notice auth" messages to new
+    clients connecting to the server (CVE-2013-5580).
+
 ngIRCd 20.2 (2013-02-15)
 
   - Security: Fix a denial of service bug in the function handling KICK
-    commands that could be used by arbitrary users to to crash the daemon.
+    commands that could be used by arbitrary users to to crash the daemon
+    (CVE-2013-1747).
   - WHO command: Use the currently "displayed hostname" (which can be cloaked!)
     for hostname matching, not the real one. In other words: don't display all
     the cloaked users on a specific real hostname!
diff --git a/NEWS b/NEWS
index 38f6029c..d092510b 100644
--- a/NEWS
+++ b/NEWS
@@ -9,11 +9,20 @@
                                   -- NEWS --
 
 
+ngIRCd 20.3 (2013-08-23)
+
+  - This release is a bugfix release only, without new features.
+  - Security: Fix a denial of service bug (server crash) which could happen
+    when the configuration option "NoticeAuth" is enabled (which is NOT the
+    default) and ngIRCd failed to send the "notice auth" messages to new
+    clients connecting to the server (CVE-2013-5580).
+
 ngIRCd 20.2 (2013-02-15)
 
   - This release is a bugfix release only, without new features.
   - Security: Fix a denial of service bug in the function handling KICK
-    commands that could be used by arbitrary users to to crash the daemon.
+    commands that could be used by arbitrary users to to crash the daemon
+    (CVE-2013-1747).
 
 ngIRCd 20.1 (2013-01-02)
 
diff --git a/contrib/Debian/changelog b/contrib/Debian/changelog
index 2e39af03..396d1d0c 100644
--- a/contrib/Debian/changelog
+++ b/contrib/Debian/changelog
@@ -1,3 +1,9 @@
+ngircd (20.3-0ab1) unstable; urgency=high
+
+  * New "upstream" release, fixing a security related bug: ngIRCd 20.3.
+
+ -- Alexander Barton <alex@barton.de>  Fri, 23 Aug 2013 21:53:21 +0200
+
 ngircd (20.2-0ab1) unstable; urgency=high
 
   * New "upstream" release, fixing a security related bug: ngIRCd 20.2.
diff --git a/contrib/ngircd.spec b/contrib/ngircd.spec
index e2448a42..0469313a 100644
--- a/contrib/ngircd.spec
+++ b/contrib/ngircd.spec
@@ -1,5 +1,5 @@
 %define name    ngircd
-%define version 20.2
+%define version 20.3
 %define release 1
 %define prefix  %{_prefix}