ANNOUNCEMENT: mICQ 0.4.10.4 released, fixes remote DoS

Rüdiger Kuhlmann micq-list-CKH1bDCG6x4V at ruediger-kuhlmann.de
Tue Sep 23 09:48:50 PDT 2003


#####################################################################
#                                                                   #
#              ANNOUNCEMENT:    mICQ 0.4.10.4                       #
#                                                                   #
#####################################################################

Sorry it took so long for mICQ 0.4.10.4, however you're urged to
upgrade to this version as it fixes a remote DoS (I doubt it could be
exploited further, but I wouldn't swear on it). Other bugs fixed are
related to file transfer: the undocumented, broken command "peer
deny" is now fixed, and direct connections are not closed and failed
anymore if the request is unanswered. Also, "accept" is now a builtin
short cut for "peer accept" and doesn't require an argument anymore
(though then you might accidentally accept the wrong file transfer), as
well as "login" for "conn login". The login sequence has been
reworked as well, this should fix problems in visibility on the first
login. A work-around for a bug in Miranda < 0.3.1 and a bug in mICQ
was fixed related to misinterpreting offline messages. As another
security fix, all strings displayed from the outside should now be
properly escaped (not just normal text messages, but also contact
meta data). There were a bunch of other minor fixes as well.

For translations, besides a few updates, there's now a usable zh_TW
translation. Unfortunately, there are still many translations that
are quite ancient, or not updated in a while. Also, half the man
pages have not been updated for 0.4.10 (French not even for 0.4.9.4).
If you'd like to volunteer, ping me on ICQ or drop me a mail.

Anyway, those that bothered to read till here are in for a treat:
mICQ 0.4.10.4 has two new big features, contributed by Roman Hoog
Antink, namely support for Tcl as a scripting language (requires, of
course, libtcl8.3 or libtcl8.4), and support for SSL-encrypted direct
connections (compatible with licq, requires libgnutls >= 0.8.8). Due
to the fact that these features are new in a stable release, they're
marked experimental in ./configure --help and need to be explicitly
enabled at compile time. This doesn't mean I don't believe they do
work, because they do. Unfortunately, there nevertheless turned out
to be a few errata:
Tcl: the Tcl help command accidentally insists on exactly one argument
     instead of at most 2
Tcl: the call back is messed up due to a reused static buffer
Tcl: the UIN is not given in the message call back as advertised
SSL: the man page lists "ssl" not as an event,
     but as a command (wrong indentation)
SSL: unanswered SSL requests cause the direct connection to be closed
     (does not happen for automatic requests as those clients do
     answer them, so not really a problem)
general: an argument-less alias is not recognized as an alias
     (add a space after the alias)
For those buglets, a patch is appended.

The .deb binary does include Tcl; it doesn't include SSL as libgnutls
on Debian stale is too outdated. I made a .deb for testing named
micq-ssl compiled against a backported libgnutls (all required
packages in the micq.org repository). The .rpm is compiled against
those as well. Both include the patch above.

The following is unfortunately still true:
> Kudos are in order for Mandrake and the PLD Linux Distribution as
> they're the only Linux distributions with recent mICQ packages on
> rpmfind.net that get the copyright of mICQ right. Guess why mICQ
> now displays it pretty prominently. Red Hat and ASPLinux still
> consider mICQ to be freely available or BSD licence. Those
> distributions also might consider shipping the translated man pages
> of mICQ... No Kudos go to the Debian project who still ships a
> version of mICQ with a seriously annoying yet trivial to fix bug
> and a copyright notice disclaiming my part of the authorship of
> mICQ. Shame on you!

.deb users, remember that

deb http://www.micq.org/deb/ stable main
deb http://www.micq.org/deb/ unstable main

in your /etc/apt/sources.list will make things easier for you.

Cygwin users, simply point your Cygwin setup.exe to
http://www.micq.org/cygwin/
as a "download site", and mICQ should pop up in your package list.

Anyway, here are the checksums:


Yours, Rüdiger.

-- 
         100 DM =  51  € 13 ¢.
         100  € = 195 DM 58 pf.
  mailto:ruediger at ruediger-kuhlmann.de
    http://www.ruediger-kuhlmann.de/