Major Security Hole (CVE-2004-2431)
Somehow, when I fixed I:
line passwords in 0.3.1, I also broke link passwords. This means that if you have an L:
line (even one for services), anyone who knows what hostname that the L:
line is (you can get it from a /links reply) can link a server up to your server, because password verification DOES NOT HAPPEN. This could allow anyone to kill clients, or to introduce things into the server environment that could crash the server. I'm not really aware of all the implications, since linking isn't working right as it is.
This bug is a major security bug and has been assigned CVE-2004-2431, but don't be too worried about it. I haven't made linking work properly yet, and unless you're testing services (which has its own set of problems), you shouldn't be using links to begin with.
This has been fixed in RELEASE_0_3_1P1
. An installer is up on SourceForge, and I'll hide the buggy files. There are no changes in 0.3.1-P1 other than this bug. This patch will be applied to CVS HEAD
when I wake up.