Merge pull request #1521 from slingamn/pointfix

security fix necessitating 2.5.1

CHANGELOG.md

@@ -1,6 +1,17 @@
 # Changelog
 All notable changes to Oragono will be documented in this file.
 
+## [2.5.1] - 2021-02-02
+
+Oragono 2.5.1 is a bugfix release that fixes a significant security issue. We apologize for the oversight.
+
+This release includes no changes to the config file format or the database.
+
+Many thanks to [@xnaas](https://github.com/xnaas) for reporting the issue.
+
+### Security
+* Fix an incorrect permissions check in NickServ (#1520, thanks [@xnaas](https://github.com/xnaas)!)
+
 ## [2.5.0] - 2021-01-31
 
 We're pleased to announce Oragono 2.5.0, a new stable release.

irc/nickserv.go

@@ -1148,7 +1148,7 @@ func nsClientsLogoutHandler(service *ircService, server *Server, client *Client,
 		// User must have "kill" privileges to logout other user sessions.
 		if target != client {
 			oper := client.Oper()
-			if oper.HasRoleCapab("kill") {
+			if !oper.HasRoleCapab("kill") {
 				service.Notice(rb, client.t("Insufficient oper privs"))
 				return
 			}

irc/version.go

@@ -7,7 +7,7 @@ import "fmt"
 
 const (
 	// SemVer is the semantic version of Oragono.
-	SemVer = "2.6.0-unreleased"
+	SemVer = "2.5.1"
 )
 
 var (