Add the change log and security advisory for v4.0.1.

inspircd · Jul 2, 2024 · 3364501 · 3364501
1 parent b800439
commit 3364501
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 0 deletions.
diff --git a/docs/4/change-log.md b/docs/4/change-log.md
@@ -6,6 +6,22 @@ title: v4 Change Log
 
 This page lists changes which have happened between releases.
 
+### InspIRCd 4.0.1
+
+**This version of InspIRCd was released on 2024-07-03.**
+
+- [Fixed a **crash** in the spanningtree module](/security/2024-01).
+
+- Fixed the passforward module unnecessarily looking up connect class passwords from the config.
+
+- Fixed various minor documentation issues.
+
+- Updated the example tables for the sqloper module to include all core fields.
+
+- Updated the log_sql tables to use non-null columns.
+
+- Updated the vendored libraries.
+
 ### InspIRCd 4.0.0
 
 **This version of InspIRCd was released on 2024-06-29.**

diff --git a/docs/security/2024-01.md b/docs/security/2024-01.md
@@ -0,0 +1,39 @@
+---
+title: Security Advisory 2024-01
+---
+
+## InspIRCd Security Advisory 2024-01
+
+### Summary
+
+The spanningtree module before v4.0.1 contains a null pointer dereference. When the chanhistory module is also loaded this vulnerability can be used to remotely crash a InspIRCd server by any user able to connect to a server and set channel modes.
+
+Thanks to [@RobCubed](https://github.com/RobCubed) for reporting this issue.
+
+### Affected Versions
+
+This vulnerability is present in the following releases:
+
+* v4.0.0a26
+* v4.0.0rc1
+* v4.0.0rc2
+* v4.0.0rc3
+* v4.0.0
+
+### Recommended Action
+
+This vulnerability is fixed in version 4.0.1. It is strongly recommended that all affected users upgrade.
+
+If upgrading is not possible then the spanningtree module should be unloaded. If this is also not possible then the chanhistory module should be unloaded.
+
+### History
+
+* 2024-03-08 &mdash; The vulnerability was introduced.
+* 2024-07-02 &mdash; A crash vulnerability was reported to the InspIRCd team.
+* 2024-07-02 &mdash; The cause of the crash was identified by the InspIRCd team and a fix was prepared.
+* 2024-07-03 &mdash; InspIRCd v4.0.1 was released with a fix for the crash vulnerability.
+
+### References
+
+* [InspIRCd commit ef572e3](https://github.com/inspircd/inspircd/commit/ef572e3c1feee05f7aafb266c29e566f56ea268a).
+* [InspIRCd commit b1f5817](https://github.com/inspircd/inspircd/commit/b1f581787dd29a515a4bc09c2d9a2df5b1c7938e).
diff --git a/docs/security/index.md b/docs/security/index.md
@@ -4,6 +4,10 @@ title: Security Advisories
 
 This page lists all security advisories which have been released for InspIRCd since the start of 2019.
 
+## 2024
+
+* [2024-01](/security/2024-01) &mdash; Null pointer dereference in the spanningtree module.
+
 ## 2021
 
 * [2021-01](/security/2021-01) &mdash; Memory disclosure vulnerability in the core.
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,10 @@ title: Security Advisories @@
     This page lists all security advisories which have been released for InspIRCd since the start of 2019.
+    ## 2024
+    * [2024-01](/security/2024-01) &mdash; Null pointer dereference in the spanningtree module.
     ## 2021
     * [2021-01](/security/2021-01) &mdash; Memory disclosure vulnerability in the core.
@@ Expand Down @@