Subject: CVS commit: pkgsrc/chat/atheme
From: Nia Alarie
Date: 2019-02-07 15:29:20
Message id: 20190207142920.C7DFEFB16@cvs.NetBSD.org

Log Message:
chat/atheme: Update to 7.2.9

Atheme Services 7.2.9 Release Notes
===================================

This is a security release fixing use after free that could potentially be abused
by an attacker already having the privilege to use SASL impersonation to cause a
denial of service. Users of 7.2.8 should update to version 7.2.9; older releases
are not affected.

Atheme Services 7.2.8 Release Notes
===================================

This is a security release fixing a memory leak that could potentially be abused
by attackers to cause a denial of service. Users of Atheme 7.2.7 should update to
version 7.2.8; older releases are not affected.

Atheme Services 7.2.7 Release Notes
===================================

Since late February 2016, Atheme is being brought back to development (managed and
maintained by a few of the fork maintainers). Atheme 7.2.7 is the first release
since that change. It includes various fixes, some backported from the forks.

security
--------

- [CVE-2014-9773](https://www.cvedetails.com/cve/CVE-2014-9773/): Remote \ 
attackers could modify the behavior of the Anope FLAGS compatibility code by \ 
registering the keyword nicks LIST, CLEAR, or MODIFY. Reported by ToBeFree.
- [CVE-2016-4478](https://www.cvedetails.com/cve/CVE-2016-4478/): Buffer \ 
overflow in XMLRPC code. Reported by hc.

nickserv
--------
- Make `VHOST` set cloak assigner and timestamp the same way HostServ does
- Make `INFO` call the `user_info_noexist` hook for queries that don't match an \ 
account
- Make `REGAIN` log you in if successful.
- Allow implementing custom filters for `LIST`
- nickserv/multimark: new module which allows multiple MARK entries per nickname.
- wallops when vhosting a marked account
- nickserv/vhost: update usercloak metadata on vhost removal
- nickserv/{enforce,ghost}: respect frozen accounts
- nickserv/set_accountname: disallow change if RESTRICTed
- nickserv/set_pubkey: new module (keeping backwards compatibility with old syntax)
- nickserv/set_nopassword: new module
- nickserv/{reset,set,send}pass: various fixes
- nickserv/regain: the target user's bannedness shouldn't matter
- nickserv: Verify that the nick being regained is valid.
- nickserv/enforce: prevent regaining reserved nicks
- nickserv/cert: Add CLEAR command
- nickserv/set_email: relax verification requirements so that typo'd email \ 
addresses can be fixed (closes #441)
- nickserv/list: new criterion VACATION
- nickserv/info: show "Channels" line if the source user also is the target

chanserv
--------
- Add a `$server:` exttarget accepting server masks
- Add `PUBACL` flag which allows the channel access to be public.
- Don't allow `DEOP` or `KICK` of a services bot.
- Don't try to expand extbans in various commands.
- Allow users with +O or +V flags to op/voice themselves, since they can regain \ 
op/voice
  by cycling the channel anyway.
- chanserv/clear_akicks: new module providing a `CLEAR AKICKS` command.
- Always move on to the next nick in case of an error in /cs op etc.
- Tell the user who they failed to op/voice if they don't have enough privs
- +e added to chanserv{} templates and founder_flags
- chanserv: remove set_founder
- chanserv: use myentity_allow_foundership() to control whether or not an entity \ 
can take +F (ref #427)
- chanserv/set_*: announce changes via verbose()
- chanserv/flags: make Anope FLAGS compatibility an option (addresses CVE-2014-9773)
- fix an issue where activating a channel in the moderation queue would op the \ 
wrong person
- chanserv: move libathemecore component of bouncing mode changes on secure \ 
channels to chanserv (closes #449)
- chanserv/clone: do not clone HOLD, and ANTIFLOOD AKILL flags
- MC_SECURE: do not deop services
- help: mention INFO instead of RECOVER

gameserv
--------
- gameserv/dice: make the maximum roll count configurable.

groupserv
---------
- Hook into `sasl_may_impersonate` to support group-membership checks
- groupserv/set_groupname: new module allowing renaming a groupserv group
- Added group_register and group_drop hooks (addresses #428)
- groupserv: Rewrite flags parser to use ga_flags
- groupserv: Fix incorrect behaviour for flags +*
- groupserv: Fix inconsistencies with FLAGS
- groupserv/main: allow groups to take +F (ref #427)
- Add unverified user check

helpserv
--------
- helpserv/ticket: optionally accept a close reason and send a memo to an \ 
offline user
- helpserv/ticket: mention possibility of using close reason in the help file, \ 
and log it

operserv
--------
- operserv/rwatch: allow creation of RWATCH rules which k-line if 'K' is a \ 
modifier on the
  provided regexp.
- some commands now use kline_add instead of kline_sts to allow easier \ 
management of automated klines

saslserv
--------
- Add support for SASL authorization identities
- Add a `sasl_may_impersonate` hook
- The DH-AES and DH-BLOWFISH mechanisms were removed in their entirety.
- Add support for IRCv3.2-draft SASL mechanism list caching, implemented by \ 
InspIRCd 2.2.
- saslserv/ecdsa-nist256p-challenge: add backwards compatibility for old pubkey \ 
syntax
- saslserv: call bad_password on SASL authentication failure
- saslserv: use message source to get the source server
- saslserv: try to include source host in SASL failure message
- SASL: Log mechanism used by authenticated clients

alis
----
- Add a `list ... -showsecret` flag (chan:auspex) to list secret channels

perl api
--------
- Export SaslServ's `sasl_may_impersonate` hook
- Forward compatibility for hooks

ircd protocol
-------------
- Add user flag for tracking external services clients
- inspircd: Hopefully fix ignored account names when linking to the network
- inspircd: Various improvements to InspIRCd 2.0 support
- inspircd: Remove InspIRCd 1.2 and 2.1beta support
- inspircd: Add support for rejoindelay property in InspIRCd 2.2
- inspircd: Change the opertype used from 'Services' to 'Service'
- ircnet: Implement oper-wallops, using individual notices
- ngircd: Enable +qaohv support
- ngircd: Ignore non-# channels for now
- ngircd: Implement oper-wallops, using individual notices
- unreal: Request MLOCK messages when linking to the network
- sporksircd: Nuke obsolete module
- clean up the mix of spaces & tabs
- convert ircd_t to C99 struct syntax
- unreal: fix checking of +f syntax
- ts6-generic: add DLINE/UNDLINE implementation
- ts6-generic: add support for sending mechlists
- unreal: Add support for unreal 4 in a separate module
- hybrid: remove obsolete module
- undernet: remove obsolete module
- ShadowIRCd: remove obsolete module
- inspircd: add ZLINE/UNZLINE implementation
- inspircd: use DELLINE for XLine removal
- inspircd: properly recognize CSTATUS_IMMUNE (+Y)
- inspircd: Only set hideoper mode on oper pseudoclients
- charybdis: Support chm_nonotice.so (Block channel notices) extension
- charybdis: Support cmode +M in charybdis and make it oper-only
- charybdis: Setting CMODE_IMMUNE as .oimmune_mode
- inspircd: Fix atoi logic error preventing maximum rejoindelay value

other
-----
- various: Fix quite a few resource leaks and possible null derefs
- crypto/pbkdf2: Detect malformed (truncated) hashes
- contrib/cap_sasl.pl: Import various fixes from freenode's v1.5
- contrib/cap_sasl.pl: Implement SASL EXTERNAL, ECDSA-NIST256P-CHALLENGE
- contrib/cap_sasl.pl: Fix crash if irssi has ICB or SILC plugins loaded
- contrib/cap_sasl.pl: Fix crash if disconnected while waiting for SASL reply
- transport/jsonrpc: new module implementing JSONRPC transport
- contrib/cap_sasl.pl: various other improvements
- time_format: show the timezone
- exttarget: explicitly disallow foundership for exttargets (closes #427)
- help: various updates to reflect changes
- help: clarify some behavior
- [database] Make services respect an external umask when saving
- transport/xmlrpc: Do not copy more bytes than were allocated (addresses \ 
CVE-2016-4478)
- add a user_can_login(si, mu) hook
- Add an option to strip build date for reproducible builds
- botserv/set_saycaller: (optionally) give caller-nick
- chanfix/fix: stay in log channel after fixes
- various: code style fixes, fix some memory leaks and some warnings
- i18n: mark more strings as translatable
- atheme.conf example: updated to reflect changes
- proxyscan/dnsbl: Improve the module and fix multiple crashes
- i18n: update po/POTFILES.in

crypto
------
- argon2d:  New module implementing algorithm that won the Password
            Hashing Competition (2015).
- pbkdf2v2: Newer module implementing PBKDF2-HMAC digest scheme
            with backward compatibility and limited forward compatibility

libathemecore
-------------

- add dline/undline core interface
- user_is_channel_banned(): respect +e if applicable
- user_is_channel_banned(): check for voice/op/etc.
- do not allow entities under restriction to take +F at all (closes #439)
- fix issue where pretty_mask would return host!*@*
- chanacs_user_flags(): do not grant effective flags other than +b to unverified \ 
users (closes #416).
- flags: update_chanacs_flags(): do not assume that a protocol module is loaded.
- try_kick(): add support for inspircd-style per-user kick immunity the right way
- entity: add new entity validator for taking +F (ref #427)
- logger: use ISO 8601 in log files

hostserv
--------

- hostserv: Remove group-specific offered vhosts when group dropped
- Add DROP command
- hostserv/request: Ignore request if requested vhost already set

Atheme Services 7.1 Release Notes
=================================
In addition to assorted bugfixes in various subsystems from 7.0, the
following changes have been introduced in 7.1.

ircd protocol
-------------
- ngircd: New protocol module.
- nefarious: Add Nefarious 2 SASL support.
- nefarious: Send account timestamp in svslogin.
- elemental-ircd: New protocol module.
- dreamforge: Remove protocol module.
- inspircd: Add support for server-side MLOCK and TOPICLOCK enforcement
- inspircd: Add support for matching extbans modifying matching logic
- inspircd: Add +H to channel modes
- inspircd: Add +X and +w to list-like mode list
- ircd-seven: Support charybdis extension cmodes on ircd-seven as well.
- ts6-generic: Add support for serverinfo::hidden
- unreal: Add support for extbans.
- unreal: Add cmode +P for permanent channel.

buildsys
--------
- MacOS 10.5 required for OS X builds.
- V=1 option to make for verbose output.
- Allow parallel building, i.e. with -j option.
- Dependencies tracked on a per-sourceunit basis
- Allow --disable-rpath to modify buildsys param LDFLAGS_RPATH
- Install default email templates
- Add --with(out)-libmowgli to force use of internal mowgli

chanserv
--------
- antiflood: New module to react to channel flooding
- quiet: Channel statuses are removed from the target user to ensure
  that the quiet takes effect.
- quiet: Allow unquieting improper masks on the quiet list.
- quiet: Notify target user when anything changes about them.
- quiet: Honor protected mode like with kick/kickban.
- quiet: Support IRCDs with quiet extbans like UnrealIRCd and InspIRCd.
- flags: New exempt flag +e, split from +r. Databases should be upgraded
  automatically.
- flags: Require FORCE argument and chan:auspex to oper override.
- flags: Allow users with +f and +o (+v) to set +-O (+-V) on self.
- access: Do not allow changing +F via ROLE command.
- Support multiple users as arguments for owner, op, halfop, voice,
  and quiet.

nickserv
--------
- sendpass: Accept grouped nicks.
- register: Allow any number of emailexempts.
- Do net send 'spam' notice if chanserv does not exist.
- Add confirmation for badmail:del
- listemail: Match on canonical addresses too
- info: Show setpass to services admins with user:auspex
- info_lastquit: New module to show last quit message in INFO
- resetpass: Allow specifying any grouped nickname.
- drop: Request confirmation when dropping an account.
- access: Allow TLDs
- Log sendpass sender and time
- Show entity ID in 'ACC' and 'INFO' commands.

groupserv
---------
- Restrict +f from +F-ing themselves
- Prevent +f-F from removing founders
- Prevent removing last founder of a group
- Make sure +F always have +f
- Notify users when they are invited to a group.

sasl
----
- Add ecdsa-nist256p-challenge mechanism
- Add dh-aes scheme, intended to replace dh-blowfish.
- Disable reload capability on all modules.

perl api
--------
- Add function to return entity ID
- Allow sending wallops
- Allow setting vhosts
- Allow transferring and dropping channels
- Change myuser_find to myuser_find_ext to allow lookups by UID.
- Add config.xs to retrieve config values from the Perl API
- Add functions to channel.xs to register a channel and to retrieve a
  limit, key, and ts.
- Allow channelregistration.xs to get/set flags and get used time
- Add registration and last seen time in account.xs

email
-----
- Put the network name in the subject field of outgoing emails.
- Add a module canonicalizing gmail addresses.
- Use canonical email addresses when checking for registration limits.

libathemecore
-------------
- Allow different send and receive passwords for uplinks
- Respect founder_flags config setting during channel succession
- Denote default crypt provider in version output.
- Include reason with kline expiration messages.
- Allow customization of the address for email from services.
- Add option to kline user@host instead of *@host
- Add qrcode API

botserv
-------
- Blacklist '/' from various fields.
- Monkeypatch notice() to rewrite source from chanserv to botserv.

crypto
------
- Rename 'fallback' crypt provider to 'plaintext'
- Allow crypto modules to be loaded and the database to be updated to
  the preferred crypto scheme on the fly.
- pbkdf2: New module implementing PBKDF2-HMAC digest scheme.

misc
----
- xmlrpc: Add metadata accessor
- security/cmdperm: New module which dynamically infers virtual
  permissions, such as command:chanserv:register
- alis: Strip mIRC color/control codes from topics.
- operserv/clones: Add option to give a few warning kills before applying
  a k-line
- Codebase is stringref clean (GitHub issue #60)
- memoserv/delete: Only accept numeric indexes.
- chanfix: Allow admins with chan:admin to register regardless of
  chanfix score.
- memoserv: Make inbox size customizable.
- Add dragon, a new, modular, ircd link performance benchmarking toolkit.
- Flood k-lines use IP address where available instead of hostname.
- Add !snotices and !wallops logging targets.
- Record vHost assigner and timestamp, and display in NS INFO output.
- Contrib modules have their own git repo.
- Add a git .mailmap
- gameserv/dice: Ensure loop paramaters are integers limited to 1000

atheme.conf
-----------
Be sure to check atheme.conf.example for more information on what each
of these settings does.
- Add 'registeremail' setting to serverinfo{}, specifying address that
  services emails should originate from.
- Add 'hidden' setting to serverinfo{}, specifying that the services server
  should be hidden in /links output (limited to some ircds).
- Split 'password' setting in uplink{} into 'send_password' and
  'receive_password' (optional).
- Move 'maxnicks' setting from serverinfo{} to nickserv{}
- Move 'maxchans' setting from serverinfo{} to chanserv{}
- Add 'antiflood_enforce_method' to chanserv{} for chanserv/antiflood
- Add 'maxmemos' setting to memoserv{}
- Add !snotices and !wallops logfiles
- Add 'permissive_mode' setting to general{}, specifying manner of
  command denials.
- Add 'kline_with_ident' and 'kline_verified_ident' to general{}
- Add 'binddn' and 'bindauth' conf items to ldap{}
- Document "user" operclass.

Atheme Services 7.0 Release Notes
=================================
All bugfixes from the 6.0 branch of Atheme are also in 7.0.

dbverify
--------
- New utility.  Performs extensive and complicated consistency checks
  on your OpenSEX object store.  It can find things like:
  - corrupt AKICK entries (AKICKs with other flags/metadata that shouldn't be there);
  - duplicate channel ACL entries;
  - entity ID collisions
  It can find other stuff too, and will be expanded upon in the future.
  Think of it like a `fsck(1)` for your object store.

ircd protocol
-------------
- bahamut: add experimental support for bahamut-2.0 NICKIPSTR
  capability.
- charybdis: Add support for locking of modes provided by
  extensions modules.
- unreal: Add support for changets.
- inspircd: Add support for locking the +H channel mode.
- ithildin, bircd, plexus and ptlink protocol modules removed.
- inspircd: Users are now warned when they attempt to link on a client
  port instead of a server port.
- unreal: Add SASL support.
- unreal: Implement full support for mlocking +f.

chanfix
-------
- New service. Similar to EFNet's chanfix service.

chanserv
--------
- sync: New module based on cs_sync from contrib. Adds autosync on
  ACL change (and the ability to turn it off).
- channel entrymsgs are now displayed in INFO.
- akick: Support added for timed AKICKs.
- ban, quiet and akick: Atheme now fills in the parts of a hostmask
  that are missing with these commands.
- access: Various cleanups.
- cs_access_alias: New contrib module. Allows level-style pseudo
  access lists.
- clone: New module allowing you to clone a channel's access list,
  flags and metadata to a new channel.
- cs_badwords: New contrib module. Allows channel staff to specify a
  badwords list for a channel and what action to take when a user
  says one of the words in the channel.
- moderate: New module allowing operators with PRIV_CHAN_ADMIN to moderate
  channel registrations.  This is especially useful in combination with
  chanfix.  It is also useful in maintaining a standard of content correctness
  for specialized chat systems.

exttarget
---------
- exttarget/main: a new framework has been added which extends the
  entity subsystem further, allowing for entities to be dynamically
  constructed with the purpose of matching against any kind of user
  or account attribute in channel access lists.  these targets can
  take optional parameters.
- exttarget/oper: $oper extended target added.  this target allows you
  to match against all opers on the network in channel access lists.
- exttarget/registered: $registered extended target added.  this target
  matches anyone who is logged into services.
- exttarget/channel: $channel extended target added.  this target allows
  you to match anyone who is on a channel.

groupserv
---------
- all groupserv commands are now modules. Your atheme.conf will need
  to be updated for this change if you use groupserv.
- add join_flags config option and SET JOINFLAGS command. These allow
  changing the group flags a new user will get upon JOINing the group.
- add the +b (ban) flag. This prevents accounts matching it from JOINing
  the group.
- fflags: New command. Allows services operators to force a flags change
  on a group they they do not have access to.
- list: Allow refining the list with a pattern.
- listchans: New command. Allows group members with the +c flag to see all
  channels that group has access in.
- honor user:regnolimit permission in relation to the maximum number of groups
  a user may register. (SRV-125)

gameserv
--------
- many refactorings
- calc: new command. Allows doing basic math with GameServ.
- gs_roulette: New contrib module. A game of Russian Roulette.
- lottery: New module that randomly chooses one user out of the channel
  members.
- happyfarm: New (skeleton) module that's a game like FarmVille! But on IRC!

hostserv
--------
- added a new host_request hook to catch and do other things with host requests.
- reject: Add a optional reason parameter that will be memoed to the user with the
  rejection notice.

memoserv
--------
- ms_fsend: new contrib module. Allows sopers to override a target user being
  set NOMEMO or having the source user on ignore.

nickserv
--------
- restrict: New module that allows services opers to stop users from using
  commands that can be abused (hostserv/request, hostserv/take,
  groupserv/register, etc)
- emailexempts: New config option. Lets you specify email addresses that have
  no limit to the number of accounts they can have registered.
- when logging into a new account, users are informed that they will be logged
  out of their old account.
- when doing RELEASE or REGAIN against a user logged into an account, log
  them out of the account.
- old Atheme-1.x-style external logout implemented. Allows logging another user
  logged into your account out remotely.
- listgroups: New module that shows you which groups you have access in.
- nevergroup: New module that prevents anyone giving you access to a group.
- badmail: New module which allows setting email addresses (or glob patterns)
  which are not allowed to register accounts on-the-fly.
- nickserv now allows passwords longer than 32 characters if the database is
  being hashed.
- subscribe: Removed as it had many flaws and no one used it.
- ns_cleannick: new contrib module. Forces a nick change on a user if their nick is
  'lame' using case normalisation.

operserv
--------
- emailexempts and autokline exempts are now shown in INFO.
- modreload now rehashes the config if the module requires it and reloads modules
  that depend on the specified module.
- clones: Many cleanups.
- clones: Added an option to variable increase the clone limit if a users' clones
  are identified.
- soper: Allow adding a new SOPER with a password (optional, of course).
- set: Adds the ability to temporarily modify some config options on-the-fly.
- info: Add a new hooks so modules that add config options can also add lines to
  the operserv/info output.
- os_modeall: New contrib module. Allows setting a given mode on all channels.
- os_joinmon: New contrib module. Facilitates monitoring certain users and when
  a monitored user joins a channel, that information will be sent to the services
  log channel.
- os_resolve: New contrib module for testing the asynchronous DNS resolver.
- the RWATCH database is now serialized as opensex entities.
- specs: add support for groupserv-related permissions and clarify meanings of
  the various 'auspex' privileges. (SRV-125)

proxyscan
---------
- New service. Currently implements only a DNSBL scanning module.

rpgserv
-------
- New service. For finding and joining RP games on an IRC network.

scripting
---------
- Support for scripting Atheme in Perl added. Perl scripts are loaded with
  OperServ MODLOAD just like modules. Still in alpha. Add the --with-perl configure
  switch to enable it. POD-style documentation for the perl API is in doc/perl/.

statserv
--------
- New service. For querying for statistics about the network.

xmlrpc
------
- moved to transport/xmlrpc . Your atheme.conf will need to be updated for this
  change if you use xmlrpc.
- bad_password() is now called on invalid XMLRPC logins.

code
----
- libmowgli-2 is now required instead of libmowgli.
- a bit of the signal code and linker code was converted to use the mowgli
  implementations.
- charybdis' asynchronous DNS resolver added.
- mowgli.global_storage can now be used to make a module's data persistent on
  module reload. It is currently only used in GroupServ.
- many assertions added in various places throughout the code.
- added a new AC_AUTHENTICATED pseudo-priv to replace many identical checks if
  a user is logged in throughout the code.
- irc parse/uplink state has been made modular.
- atheme core has been changed to build as a library.
- all the old SNOOP channel code has been removed. SNOOP has been deprecated since
  5.1 and gone since 5.2.
- MODULE_USE_SYMBOL() was removed in favour of MODULE_TRY_REQUEST_SYMBOL().
- most service-specific (config file) code split out from the core.
- configuration-defined usernames are now truncated at USERLEN (10 characters).
- UID generation split out from the core.
- module_load can now be hooked into. This is particularly useful for scripting
  modules.
- entities now have unique IDs.  unique IDs may be referenced in all XMLRPC and
  IRC commands.
- strlcpy()/strlcat() have been replaced with mowgli implementations.
- atheme.string has been replaced with mowgli.string.
- add new hook_channel_acl_req_t structure for channel_acl_change hook, which is
  intended to describe ACL changes more effectively.
- call shutdown(2) on sockets being closed to help some TCP stacks be more aggressive
  when closing sockets.
- use mowgli_eventloop_pollable instead of old eventloop code.
- Windows is now supported.

other
-----
- ensure buffers passed to strftime() are large enough to fit the entire string.
  strftime() is not really required to behave in any specific way in the event of
  buffer overflow.
- ircd_announceserv: New contrib service. This allows users to request network
  announcements (which sopers must approve before they're sent).
- an access {} config block was added allowing rewriting of command privs.
  If specified, the user must match the original priv and the rewritten priv.
- allow Atheme datadir to be specified on the command-line when starting.
- many improvements to the LDAP authentication module.
- general::immune_level config option added. This allows customising the operlevel
  that gets kick immunity privileges.
- DNS Blacklist scanning module added. This module will scan connecting users
  against a list of DNS blacklists and take action if the users' IP is in one
  of the blacklists. This module is mainly managed through operserv.
- allow SASL authentication for any nick linked to the account, not just the
  accountname.

Atheme Services 6.0 Release Notes
=================================
All bugfixes from the 5.2 branch of Atheme are also in 6.0.

ircd protocol
-------------
- inspircd: Support for owner, halfops and admin are now dynamically
  enabled by what modes exist instead of being enabled by what modules
  you have loaded in inspircd.
- support for InspIRCd 1.1, OfficeIRC and UltimateIRCd 3 has been removed.

opensex
-------
- opensex is now the required database format. All flatfile will do is
  convert your flatfile database to opensex and exit.
- converted many modules that use external databases to using opensex.

chanserv
--------
- new module: chanserv/access.  this adds role-based channel acl via the
  ACCESS and ROLE commands.
- new module: chanserv/successor_acl.  this adds a +S channel acl flag which
  will weight a user as a successor.
- modules may now override the succession process using the new
  channel_pick_successor hook.
- chanserv/list: Enhance by adding many possible criteria to match channels
  against.
- new set_prefix module. This module allows channels to define a channel-specific
  fantasy prefix. The channel-specific prefix is displayed in the INFO for the
  channel. This is particularly useful if the channel uses an external bot that
  conflicts with the services default fantasy prefix.
- new clear_flags module. This allows founders to remove all entries from the
  channel access list except other founders.

groupserv
---------
- new service that allows users to form groups of accounts and apply the
  same ACL entries to them, send memos to them and other features.

helpserv
--------
- new service that allows users to request oper help in different ways.
  Currently either via a ticket system or by "pinging" the opers with a
  request for help.

hostserv
--------
- allow activating or rejecting all waiting vhosts by using '*' instead of
  a nick.
infoserv
--------
- oper-only message support. You can now give messages an importance where
  they will only be sent to opers upon oper-up.
- in infoserv message subjects, underscores will now be replaced with spaces
  so you can have multi-word subjects.
- allow customizing the number of infoserv messages shown to users on connect.

nickserv
--------
- new contrib module, ns_waitreg that allows you to specify how long a user must
  be connected before they can register a nick.
- new regnolimit module. Allows opers to set users as able to be exempt from channel
  registration limits. (how many channels may be registered to one account)
- nickserv/list: Enhance by adding many possible criteria to match users against.

operserv
--------
- new readonly module. This allows changing the readonly state at runtime.

xmlrpc
------
- the legacy xmlrpc/account, xmlrpc/channel and xmlrpc/memo modules have been
  removed. These have been deprecated for over 4 years and you should be
  using xmlrpc/main and atheme.command for all your xmlrpc uses.
- the xmlrpc core has been rewritten a little bit to use mowgli's patricia tree
  code.  this should bring a performance improvement over the hashtable code it
  was using.
- xmlrpc has been completely moved out of core
- a new command, atheme.privset has been added to get the soper privs of a user.

code
----
- default values in config options are now supported. This is particularly
  useful in modules and cleans up the config code a bit.
- many bugfixes and compile warning fixes.
- the flags code has been cleaned up to assume that there is only one flags
  table.
- the flags code is now extendable by modules.
- mychan_pick_candidate() is now in the public API.
- the core now lives in an ipv6 world.  it's 2010 - if your operating system
  doesn't support ipv6 - you suck.
- ctcp handling has been rewritten.
- new easter egg.
- the shrike hash function (shash()) has been removed as there was no longer
  anything using it.
- the "symbolmatrix" code was removed because we went with a different \ 
solution
  instead long ago.
- myuser_t is now a child of myentity_t which describes an entity that can have
  channel membership.
- list_t/node_t have been removed in preference of mowgli.list.
- balloc has been removed in preference of mowgli.heap.

other
-----
- added an anope 1.9.2 flatfile DB to OpenSEX DB conversion script.
- mail sending has been changed, likely causing serverinfo::mta scripts to
  break. The command is now passed "-t" rather than the email address and
  the shell is no longer used.
- the SDK hg revision of modules in now shown in MODINSPECT.

Atheme Services 5.2 Release Notes
=================================
Note: We are looking for additional developers to help with maintenance of
Services.  After almost 7 years of development, many of the programmers have
moved on.

ircd protocol
-------------
- inspircd: track channelmodes +D (delayjoin) and +d (delaymsg).

chanserv
--------
- split out SET into seperate modules for each SET command. chanserv/set
  is now a "meta-module" that depends on all the set_* modules.

hostserv
--------
- added OFFER module that allows opers to offer vhosts to users.
- made the request system (specifically the ACTIVATE command) not send
  a memo to the user.

infoserv
--------
- new service. infoserv allows opers to send notices to users when they
  connect or at the time of running the command (like Global).

nickserv
--------
- split out SET into seperate modules for each SET command. nickserv/set
  is now a "meta-module" that depends on all the set_* modules.
- added cracklib module that checks users' passwords on REGISTER and lets
  them know if the password is secure or not. You can have it just warn
  the user or disallow them from registering with a configuration option.
- added ns_generatehash contrib module to generate a password hash for
  a soper if you have crypto enabled.
- removed ns_ratelimitreg contrib modules as its functionality is now in
  core.

operserv
--------
- added expiry time to clone exempt

code
----
- replace the atheme-services build system with the ACBS used by many other
  Atheme projects.
- rework the colour and special character stripping for xmlrpc.
- remove snoop(). any modules still using snoop() will fail to compile on
  atheme 5.2. please replace it in your code with logcommand() or slog().

other
-----
- ircservtoatheme: generally make a bit more robust.
- added ratelimiting support to hostserv/request, chanserv/register and
  nickserv/register.
- add a new database format called opensex.  This is available in 5.2 as a
  "technology preview" and will be mandatory in 6.0.

Atheme Services 5.1.1 Release Notes
===================================

ircd protocol
-------------
- TS6: Rework MLOCK a bit to make it more robust and support more modes.

operserv
--------
- add os_helpme contrib module. Thist module marks a user as a network helper.
  This will only work on ircd's with the helpop (usually +h) user mode.

other
-----
- add extends directive to operclasses so one operclass can inherit privledges
  from another. See the example config for details. Note, you can have two
  operclasses with the same privledges, so extending is not forced.

Atheme Services 5.1 Release Notes
=================================
### [MERGED] indicates items merged to the 5.0 branch

ircd protocol
-------------
- inspircd: common code has been merged into inspircd-aux, this will continue
  in the next version with inspircd 1.1 support.
- inspircd: several unsupported module configurations are now programatically
  marked as such.
- inspircd: permanent channels are now tracked in 1.2 and later. (SRV-29)
- inspircd: add support for receiving SVSNICK (nick collisions)
- inspircd: add support for m_ojoin
- TS6: add support for MLOCK
- shadowircd: updated module to shadowircd6
- hyperion: removed
- Added support for ithildin1. This is still a bit experimental.
- ircnet: support added for server hostmasking.

botserv
-------
- add missing helpfiles
- botserv bots now quit instead of splitting when terminating/restarting
  services (SRV-12)

chanserv
--------
- FLAGS: allow +F* as well as +*F

hostserv
--------
- add missing helpfiles

nickserv
--------
- add support for CERTFP (CERT command)

operserv
--------
- reject jupes with names containing wildcards.
- add os_trace contrib module. This module looks up users by various criteria
  and lets you perform actions on them.
- add os_akillnicklist contrib module. Automatically AKILLs a list of clients,
  given their operating parameters.
- change CLEARCHAN GLINE action to AKILL to be more consistent with the rest
  of Atheme. GLINE still exists as an alias to AKILL.

saslserv
--------
- add AUTHCOOKIE SASL method which allows for integration with Iris

code
----
- add taint subsystem which allows developers to programatically define
  unsupportable conditions.
- constify *line_sts() protocol module functions.
- track deaf umode and set it on services clients if fantasy is disabled.
- allow #else in helpfiles
- startup flag -r (read-only) added.
- enable large file support.
- Add 'force_language' to sourceinfo_t, which forces the locale
  to be reset to the language specified by the sourceinfo structure.
  Useful for forcing XMLRPC responses to be in English.
- force dependency calculation before most targets to fix -j problems; there
  is a new target build-nodeps to skip this for subsequent builds (like the
  old behaviour of build).

other
-----
- logging system entirely reworked.  snoop() is deprecated and will be
  removed in the next version.
- add general::exempts config block, for masks that will never be
  automatically klined.
- add configurable command aliases to the services blocks
- helpfiles added for all contrib modules.
- make the wumpus contrib module compile and work again.
- anope_convert: support newer 1.8.x Anope versions and made anope_convert
  a bit more robust in handling encrypted passwords.

Atheme Services 5.0.1 Release Notes
===================================

botserv
-------
- When kicking users from an otherwise empty channel, set INHABIT, so that
  the bot leaves the channel after a short delay.

code
----
- Remove legacy .disp field from core services structures.

Atheme Services 5.0 Release Notes
=================================
### [MERGED] indicates items merged to the 4.0 branch

ircd protocol
-------------
- inspircd12: fix UID parsing and rejoining services after kicks. **[MERGED]**
- TS6: allow nicer topic setting using charybdis 3.2's ETB.
- hyperion: fix a bug that could cause the hostnames of services clients
  to be overwritten. **[MERGED]**
- plexus: port to ts6-generic, add UF_IMMUNE for +N, add support for
  permanent channels.
- hybrid: fix a crash.
- unreal: use SVSKILL for kills from NickServ. This reduces excessive server
  notices.

nickserv
--------
- Matching a nickname access list entry no longer resets last used time.
- Allow authentication via an LDAP server.
- Add some missing help files.
- Start the enforce timer on /ns set enforce on.
- Add a per-account language setting. This currently does not work very well.
- Prepend "(restored) " to marks restored from previously deleted accounts.
- Change VHOST syntax, adding an ON/OFF keyword and requiring a FORCE keyword
  to set a vhost on a marked account. The old syntax still works for vhosts
  containing a dot, colon or slash.
- Add ns_listlogins contrib module. This allows logged in users to see real
  hosts of their other logins.

chanserv
--------
- Set owner/protect on the founder of a new channel, if appropriate.
- Do not set protect status if the user already has owner.
- Rework successor selection for channels to respect flags more. **[MERGED]**
- Allow users with +V to voice themselves.

botserv
-------
- New service. This allows users to have a "bot" join their channel instead
  of ChanServ.

hostserv
--------
- New service. This adds per-nick vhosts and a request system to what
  /ns vhost provides. As long as per-nick vhosts are not used it interoperates
  with /ns vhost.

alis
----
- Add -maxmatches option which xmlrpc and chan:auspex may set to higher than
  the default.

oper
----
- Fix a possible crash with /os greplog. **[MERGED]**
- Add SGLINE system for bans by realname (TS6 xline).
- Services ignores no longer apply to users with general:admin privilege.
- Add /os listklinechan to the os_klinechan contrib module.
- Add os_kill contrib module. This allows opers to kill users while hiding
  their identity. (This was added earlier, but not linked to the build.)
- Add SQLINE system to disallow nick and channel names (TS6 resv).
- Fix possible crash with /os noop.
- RWATCH now also watches nick changes.

xmlrpc
------
- Remove 4K limitation on length of xmlrpc command output. **[MERGED]**

code
----
- Remove select() support and code to allow multiple "socket engines".
  poll() is sufficient.
- Rework the network connection code to be cleaner and more flexible.
- Close all connection_t fds in child processes.
- Allow using sourceinfo_t.v with IRC sources.
- Some tweaks to the build system.
- Add type checking to the hook system. See src/hooktypes.in. It may be
  necessary to specify --enable-warnings to configure to enable the checks.

other
-----
- Try to detect MacOS X crypt(3) breakage in crypto/posix and generate a DES
  based hash.
- Allow the user_add hook to remove the user from the network safely.
- Add user_nickchange hook for nick changes, which is also allowed to remove
  the user from the network.

Atheme Services 4.0 Release Notes
=================================
[MERGED] indicates items merged to the 3.1 branch

ircd protocol
-------------
- Add support for ShadowIRCd 5 **[MERGED]**. This replaces the support for
  older versions of ShadowIRCd.
- hyperion: improve detection of overwritten I:line spoofs.
- hyperion: Add support for UF_IMMUNE.
- general: Do not enforce AKICKs against users marked UF_IMMUNE; it is
  impossible to ban them effectively.
- inspircd12: various fixes and updates.
- ratbox: make akills work with ircd-ratbox 3.x.
- ratbox: add support for ratbox services shortcuts (ENCAP RSMSG,
  m_rsshortcut.so)
- nefarious: allow /ns vhost (FAKEHOST).
- nefarious: let services joining channels op themselves, avoiding HACK(4)
  notices
- ircd-seven: new protocol module
- Limit the send queue to the ircd to a configurable value, default 1MB.
  Large networks may need to increase this.
- Limit IRC command output to 2000 lines. XMLRPC is unaffected.
- Add tracking for the "server admin" umode in some ircds.
- ptlink: add support for forced nick changes (SVSNICK), fix nickTS.
- Remove some obsolete protocol modules: aurora, sorcery, shadowircd.
  If you do still use one of these, please contact us.
- Add support for P10 account creation times.
- Add support for P10 user IPv6 addresses.

nickserv
--------
- Snoop on freeze on/off.
- Add nickserv/vacation module, allowing to temporarily extend expiry times.
- Make register help text depend on whether email verification is used.
- Refer users to their email if they try to identify again while unverified.
  **[MERGED]**
- In FUNGROUP, allow dropping account names, by specifying a new account name.
- Add optional nickserv/listownmail to allow users to see accounts with
  their email.
- When refusing a login due to maxlogins, tell the user what the logged in
  nicks are.
- Show FREEZE status (but not setter, time or reason) to normal users.
- Show taxonomy (property, metadata) in INFO.
- Show recognized (access list) a bit better in INFO.
- Ignore access lists for frozen accounts. **[MERGED]**
- Add ns_fenforce contrib module. This allows admins to toggle enforce on any
  nickname.
- When a user is recognized but not identified, still tell them to identify,
  but with a shorter message.
- Make nickserv/enforce timings more accurate.

chanserv
--------
- Allow multiple spaces before fantasy commands when ChanServ is addressed
  by nickname.
- QUIET/UNQUIET now notify the target user or channel.
- Show the current successor in /cs info (for +A users and opers).
- FFLAGS now overrides the NEVEROP setting on the target account.
- Set owner/protect if appropriate after xOP ADD.
- Show taxonomy (property, metadata) in INFO.
- Add chanserv/set_limitflags, allows limiting +f's power.

alis
----
- Fix handling of key and limit options.
- Allow alis list on a single +s channel the user is on.

memoserv
--------
- Add DELETE OLD to delete all read memos.

gameserv
--------
- Do not add chanserv commands if fantasy is disabled.
- Allow ROLL, WOD and DF with a channel name to send the results to that
  channel without requiring fantasy commands. This must be specifically
  enabled on a per-channel basis using the new ChanServ command SET GAMESERV
  (module chanserv/set_gameserv).

oper
----
- Allow searching for AKILLs matching a given mask or id in AKILL LIST.
- Allow running an operserv-only services instance, which picks up login
  names from the main instance (currently only for hyperion, TS6 and P10
  ircds).
- Add optional PCRE support. Configure --with-pcre to enable it and add
  the p flag to use it (e.g. /os rmatch /\d\d\d/p). The regex wrapper has
  been changed slightly to make this possible.
- Report other nicks of deleted accounts to snoop and log file.
- Add operserv/greplog module (from freenode modules) to allow searching
  through recent logs from IRC.
- Automatically rehash after loading modules that need a rehash.

xmlrpc
------
- Fix atheme.memo.ignore.list and atheme.memo.ignore.clear to require only
  two arguments (third wasn't ever in use). **[MERGED]**

code
----
- Change kline_delete() to take a kline_t pointer instead of a user and host.
- Allow modules to influence the expiry process.
- Fix a minor memory leak on /os REHASH.
- Fix null pointer dereference with some invalid config files.
- Move the metadata entries to object_t.
- Change some protocol module functions to take object pointers instead of
  names and add some const keywords.
- Modules can now request other modules be loaded. This has been used to
  move some generic TS6 and P10 stuff into common modules.
- Rename CMODE_OP and the like to CSTATUS_*, emphasizing that they are
  separate from simple modes.
- Use C99 booleans (<stdbool.h>, bool, true, false).

other
-----
- Allow arbitrary line lengths in flatfile database loader.
- Synchronized with libmowgli 0.7 framework.
- Remove automatic module loading for modules/ directory; this behaviour
  has been deprecated since version 0.3.
- Fix ircservices conversion for ircservices 5.1.
- Improve flood detection.
- Fix a bug with /os identify introducing enforcers.
- Fix a bug that could cause normal users to be seen as enforcers.
- Allow any service's nick/user/host/realname to be set in the configuration
  file, and update them on a rehash. The service creation code works quite a
  bit differently to make this possible.
- Fix running on MacOS X 10.5.
- Fix compilation sometimes using system include files in place of our own.
- Change the default for gettext (NLS) to disabled in the setup script.
- Add a check against loading incompatible modules. Formerly, trying to load
  incompatible modules often caused a crash.
- Rework the configuration file parser to detect more errors and make it
  easier to add configuration options.
- Add +a to the example configuration's SOP to fit expectations better.
- Update anope_convert for anope 1.8 enc_md5/enc_sha1 passwords.
- Wake up the process less often if it is idling.
- Install an example services MOTD automatically.

Atheme Services 3.1 Release Notes
=================================
### [MERGED] indicates items merged to the 3.0 branch

ircd protocol
-------------
- Fix a crash that could happen with ircd bugs or nick collisions with
  services. **[MERGED]**
- Fix host changes in hyperion. **[MERGED]**
- Do not check the server's password in the hyperion protocol module.
- Do not allow spoofs ending in a slash in the hyperion protocol module.
- Allow nickname enforcers which are clients.
- Fix ping replies in P10.
- Add support for InspIRCd 1.2.
- Some ircds dislike colons in kline reasons, so don't use them for flood
  klines.
- When restoring an akill, send it to all servers on all protocols.
  Formerly, on some protocols it was only sent to the server the banned
  user was on.
- Add ircd-aurora protocol module. ircd-aurora is a patched version of
  charybdis with +qah channel statuses.
- For ircds that do not indicate host change to clients, send a 396 numeric
  instead of a notice from the service. This is easier to parse for clients.

nickserv
--------
- Comment out nickserv/subscribe from the example configuration, because
  it is experimental at this time. **[MERGED]**
- Fix a possible crash in nickserv release (nickserv/enforce module). **[MERGED]**
- Fix RETURN only accepting relatively short email addresses.
- Allow disabling the possibly slow maxusers (accounts/email) check by
  putting 0.
- Show /ns vhost in /ns info. Appears to user self and user:auspex opers.
- Adjust times so nicks cannot appear created before their account or used
  after their account was last seen.
- Add user_verify_register hook, called when a registration is verified.
  This is after a successful VERIFY if email verification is enabled, after
  a successful REGISTER if not.
- Make gen_vhostonreg contrib module only grant vhost once it's verified,
  and also set vhosts on users without vhost as they identify.
- Add clearer log messages for duplicate accounts/nicks/channels in atheme.db.
- Make INFO default to the user's nick (owned nicks) or current account (no
  owned nicks).
- Also introduce an enforcer when FNCing a user via the RELEASE command.
- Allow ignoring enforce on nicks unused for too long (nickserv::enforce_expire
  config option). This does not affect held accounts.
- Add nick_can_register hook and use it to block GROUP on guest nicks also.
  This hook is called on both REGISTER and GROUP (if nickname ownership is
  enabled).
- In SENDPASS, require the new keyword FORCE to override marks and the new
  keyword CLEAR to clear keys that were previously sent but not yet used.
  If these keywords are needed, the oper will be warned.
- Do not allow SENDPASS on unverified accounts.
- Make the enforce delay settable in the config file.
- Make holdnick enforcer time variable, 30s the first time then 1h.
- Add ns_ajoin contrib module to allow services-side autojoin.
- Show a pending email address change in INFO, to user self and user:auspex
  opers.
- Add ns_forbid contrib module. This registers, enforces, holds and freezes
  a nickname.
- Split DROP into DROP (users) and FDROP (admins).
- Send all failed password attempts for SOPER accounts to the snoop channel.
- Make the text in INFO for unverified accounts more conspicuous.

chanserv
--------
- Fix removing non-applicable flags (e.g. +hH) from host channel access.
  **[MERGED]**
- Fix ChanServ not deopping in some cases with guard on and changets off.
  **[MERGED]**
- Fix some ugly output in chanserv/unban_self. **[MERGED]**
- Respect NOOP flag in cs_sync contrib module.
- Allow calling RECOVER via xmlrpc.
- Add channel_can_register hook to allow modules to block channel registrations.
- Add SET QUIETCHG (nickserv setting) which suppresses notices from OP,
  VOICE, and the like by other users.
- Add cs_updown contrib module. This provides UP and DOWN commands that add
  and remove all modes a user is entitled to.
- Change SET STAFFONLY to SET RESTRICTED. This kicks all users except those
  with chan:joinstaffonly priv or any access (except +b) on the channel.
  Also make it handle +i channels more effectively.
- Allow admins to change oper only modes in mlocks even without +s flag.
- Snoop changes to oper only modes in mlocks.
- Split DROP into DROP (users) and FDROP (admins).
- Add a confirmation step against accidental drops to DROP. This only
  applies to commands via IRC.

alis
----
- Move ALIS from contrib to modules. The new atheme.conf line is
  loadmodule "modules/alis/main";

memoserv
--------

gameserv
--------

oper
----
- Fix a possible crash in /stats B. **[MERGED]**
- Fix slight damage to news items when reloading in contrib/os_logonnews.
  **[MERGED]**
- Allow GLOBAL to be used from non-IRC.
- Add CLONES DURATION to allow changing the duration of the network bans
  set by the clones module.
- Add os_klinechan contrib module. This allows setting channels to kline
  any users joining them.

xmlrpc
------
- Some improvements to buffer and character set handling.

code
----
- Disable object_t refcount.
- Fix various format string types, add many const keywords, hide a few
  structs that should be private.

other
-----
- Improve performance with large databases by changing the mowgli_heap
  memory allocator. **[partially MERGED]**
- Improve performance by changing the dictionary to a patricia algorithm.
- Decrease memory usage for large networks.
- Add LOCALEDIR to Makefile.in files, necessary for gettext. **[MERGED]**
- Some improvements to the hybserv/theia conversion tool.
- Some improvements to the ircservices conversion tool.
- Change maximum nick length from 30 to 31.
- Remove redundant expire_check and db_save in several places. This makes
  restart, shutdown and rehash faster without threatening data integrity.
- Add Russian help files from Kein/darkwire. Using these currently requires
  manual copy/rename operations.
- Add Russian translation from Kein/darkwire and fix the build system so it
  is automatically installed if gettext is enabled.
- Allow for crypt() in libc as well as libcrypt (MacOS X).
- Fix nested includes in the configuration file.
- Add child process tracking.
- Make some help files depend on what modules are loaded.
- Fix a bug that caused certain timed events to be executed too late.

Files:
RevisionActionfile
1.16modifypkgsrc/chat/atheme/Makefile
1.5modifypkgsrc/chat/atheme/PLIST
1.4modifypkgsrc/chat/atheme/distinfo
1.1.1.1removepkgsrc/chat/atheme/patches/patch-aa
1.1.1.1removepkgsrc/chat/atheme/patches/patch-ab
1.1removepkgsrc/chat/atheme/patches/patch-include_common.h
1.1removepkgsrc/chat/atheme/patches/patch-include_stdinc.h