[IRCServices] Services 4.5.39 released

Andrew Church achurch at achurch.org
Wed Feb 27 14:29:00 PST 2002


     Services 4.5.39 has been released, and can be downloaded from:

ftp://ftp.esper.net/ircservices/ircservices-4.5.39.tar.gz
ftp://ftp.esper.net/ircservices/ircservices-4.5.39.diff.gz

ftp.ircservices.za.net and the mirrors should have it shortly.

     This release fixes a minor security issue with MemoServ, which could
allow a user to receive new-memo messages for another user without needing
to identify or be on a nickname access list; in particular, if the other
user has two or more nicks linked together, then a malicious user could use
one of the nicks and receive notices from MemoServ when memos were sent to
the other user (the real nickname owner), because MemoServ failed to check
that the user was recognized (on the access list) or identified before
sending the notice.  While such malicious users could not actually read the
memos, they could find out who was sending them, which could be considered
an invasion of privacy; therefore, I recommend upgrading at your earliest
convenience.

     And yes, work on Services 5.0 is progressing.  I should have a beta
out any day now, if people would just stop finding new bugs... ;)

Changes in version 4.5.39
-------------------------
2002/02/27	Fixed minor security hole allowing users to find out when
		    nicknames not their own receive memos.
2002/02/15	Fixed ChanServ LIST syntax error message for Services
		    admins.  Reported by Mark Hetherington <mark at ctcp.net>

  --Andrew Church
    achurch at achurch.org
    http://achurch.org/
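
The check described in the announcement, as an added example that is not part of the original message and is not code from Services: a new-memo notice decision without and with the identified/recognized test. All struct, function and nickname names are hypothetical, and the access list is reduced to a single exact-match mask.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model; not the data structures used by Services. */
struct nick {
    const char *name;
    struct nick *link;    /* linked nick this one points to; NULL at the root */
    const char *access;   /* one user@host mask standing in for the access list */
};
struct user {
    const char *userhost; /* user@host the client connected from */
    struct nick *nick;    /* nickname currently in use */
    bool identified;      /* supplied the nickname password this session */
};
/* Linked nicks share one memo list, held by the root of the link chain. */
static struct nick *root(struct nick *n) { while (n->link) n = n->link; return n; }

/* Exact match keeps the example short; real access lists use wildcard masks. */
static bool recognized(const struct user *u)
{
    return u->nick->access && strcmp(u->nick->access, u->userhost) == 0;
}

/* Behaviour the announcement describes: using a linked nick is enough. */
bool notify_unchecked(const struct user *u, struct nick *to)
{
    return root(u->nick) == root(to);
}

/* Corrected rule: the user must also be identified or recognized. */
bool notify_checked(const struct user *u, struct nick *to)
{
    return root(u->nick) == root(to) && (u->identified || recognized(u));
}

/* Constructed sample data: two linked nicks, used from two different hosts. */
static struct nick alice = { "Alice", NULL, "alice@home.example" };
static struct nick away  = { "Alice_away", &alice, "alice@home.example" };
static const struct user owner    = { "alice@home.example", &away, false };
static const struct user stranger = { "someone@other.example", &away, false };

int main(void)
{
    printf("unchecked: stranger=%d\n", notify_unchecked(&stranger, &alice));
    printf("checked:   stranger=%d owner=%d\n",
           notify_checked(&stranger, &alice), notify_checked(&owner, &alice));
    return 0;
}
```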