From de392aea5aa29b7cb4d3f35f86839c715b19d388 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Tue, 2 Feb 2021 16:45:38 -0500
Subject: [PATCH 1/2] fix incorrect permissions check in NS CLIENTS LOGOUT
---
 irc/nickserv.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/irc/nickserv.go b/irc/nickserv.go
index 6d8cca44..40967bc9 100644
--- a/irc/nickserv.go
+++ b/irc/nickserv.go
@@ -1148,7 +1148,7 @@ func nsClientsLogoutHandler(service *ircService, server *Server, client *Client,
 // User must have "kill" privileges to logout other user sessions.
 if target != client {
 oper := client.Oper()
- if oper.HasRoleCapab("kill") {
+ if !oper.HasRoleCapab("kill") {
 service.Notice(rb, client.t("Insufficient oper privs"))
 return
 }
From 6f1380f77ff63af7431ce2095b1de6a3f9485106 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Tue, 2 Feb 2021 16:54:29 -0500
Subject: [PATCH 2/2] bump version and changelog
---
 CHANGELOG.md | 11 +++++++++++
 irc/version.go | 2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42311c3c..b54ed985 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,17 @@
 # Changelog
 All notable changes to Oragono will be documented in this file.
 
+## [2.5.1] - 2021-02-02
+
+Oragono 2.5.1 is a bugfix release that fixes a significant security issue. We apologize for the oversight.
+
+This release includes no changes to the config file format or the database.
+
+Many thanks to [@xnaas](https://github.com/xnaas) for reporting the issue.
+
+### Security
+* Fix an incorrect permissions check in NickServ (#1520, thanks [@xnaas](https://github.com/xnaas)!)
+
 ## [2.5.0] - 2021-01-31
 
 We're pleased to announce Oragono 2.5.0, a new stable release.
diff --git a/irc/version.go b/irc/version.go
index 0053dde9..aa61e6eb 100644
--- a/irc/version.go
+++ b/irc/version.go
@@ -7,7 +7,7 @@ import "fmt"
 
 const (
 // SemVer is the semantic version of Oragono.
- SemVer = "2.6.0-unreleased"
+ SemVer = "2.5.1"
 )
 
 var (
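Review bot: The corrected guard `if !oper.HasRoleCapab("kill") {` in irc/nickserv.go is called on whatever `client.Oper()` returns, and for a non-operator that is presumably a nil `*Oper`, so the deny path depends on `HasRoleCapab` tolerating a nil receiver, which this hunk does not show. Making that explicit keeps the check fail-closed regardless of the helper: `if oper == nil || !oper.HasRoleCapab("kill") {`, or at least a comment such as `// oper is nil for non-operators; HasRoleCapab must return false on a nil receiver`. The diffstat of this commit lists only irc/nickserv.go, so nothing pins the polarity of the check; a test in which a non-operator targets another client and receives "Insufficient oper privs" would catch a repeat of the inversion. The body of nsClientsLogoutHandler begins and ends outside the hunk, so how `target` is resolved was not reviewed.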