Hi all,
as you should have heard by now, a major security vulnerability was discovered
in OpenSSL [1]. This does affect Quassel as well, as by default the connection
between a Quassel client and core is encrypted using SSL (or, rather, TLS); in
particular, it affects you if you run a core that supports SSL and is exposed
to the public internet (clients, both monolithic and stand-alone, are not
affected because they don't offer an SSL-encrypted service).
* If you host a Quassel core, make sure to upgrade your OpenSSL to at least
version 1.0.1g (or whatever your distro deems to be a fixed one), create a new
private key and certificate and replace the quasselCert.pem file in your
config directory as described in our wiki [2]; then restart your core. Since
the vulnerability is in the OpenSSL library and not in Quassel itself, there
is no need to update Quassel unless one of the following bullet points
applies:
* If you run one of the static cores offered on our site, make sure to
download the newest version; we uploaded a 0.10.0 core built against a fixed
OpenSSL version on April 8th 2014, 19:14 UTC. Any older version is vulnerable,
as an insecure OpenSSL version was bundled. After replacing the core, follow
the previous step to regenerate your key and certificate.
* If you use our install package for Windows™, and run the core from this
package, make sure to download the newest version. We uploaded a fixed package
on April 9th 2014, 20:47 UTC. Any older version is vulnerable. First bullet
point applies as well.
* Our MacOSX packages don't bundle OpenSSL; they use the system-supplied
version instead. No need to install a newer Quassel core, but first bullet
point applies.
That's it. Have fun securing your systems; I know I had... NOT.
[1] <http://heartbleed.com/>
[2] <http://bugs.quassel-irc.org/projects/quassel-irc/wiki/Client-Core_SSL_suppo…>
Cheers,
~ Sput
--
Manuel "Sputnick" Nickschas ("Sput" on Freenode) | (o<
Member of the Quassel IRC Project - http://quassel-irc.org | //\
Come visit us in #quassel! | V_/_
Hi all,
we proudly announce the latest release of Quassel IRC, version 0.10.0!
As promised, development has become more active in the past few months (both
because we gained several new contributors (thanks a bunch!), and I myself
have finally some more time for development), so besides a host of bugfixes
that already went into 0.9.x, this development cycle also saw various new
features as listed in the ChangeLog. Besides, for example, various
improvements related to SSL connections, optional multi-line input field,
support for the Snore notification framework, the ability to show backlog
messages in the ChatMonitor (beware though; it will slow down your sync!), the
possibility to hide inactive networks in your Chat List, more and improved
translations, and a new version of the inxi (/sysinfo) script, this release
features a new core/client protocol: the DataStream protocol.
This new protocol is one (intermediate) result of the refactoring work that
has been going on behind the scenes for several releases now, aiming for
separating out protocol-specific code from the rest of the codebase in order
to be able to do things like, well, replacing the protocol (and making it
easier for third-party client authors to work with it). The DataStream
protocol is not much different from the original ("legacy") protocol, but it
removes some of the unnecessary overhead. Due to a change to data compression,
QuasselDroid can finally use compression when connecting to a 0.10.x
quasselcore! You can read more about the protocol changes in the Wiki (work in
progress). Note that we kept backwards compatibility, so using a new client
with an older core, or vice versa, is fine (but won't get you the new
protocol, of course).
That's about it. Go now and grab the newest version from our downloads page,
or directly from your friendly distro's repositories once it's there!
One last note for people following development closely and interested in the
goings-on in Git: The master branch has seen a revamp of the build system and
features full support for Qt5 now (minus some glitches). Soon, we will start
using C++11, as announced previously; so make sure to update your toolchain if
it's ancient!
Cheers,
~ Sput
--
Manuel "Sputnick" Nickschas ("Sput" on Freenode) | (o<
Member of the Quassel IRC Project - http://quassel-irc.org | //\
Come visit us in #quassel! | V_/_