InspIRCd v2.0.23 is now available, download it from the releases page.

This release fixes a serious security vulnerability in m_sasl in combination with any services that support SASL EXTERNAL. To be vulnerable you must have m_sasl loaded, and have services which support SASL EXTERNAL authentication.

If you are affected and can not immediately upgrade, it is recommended to unload m_sasl, or otherwise disable all SASL EXTERNAL authentication in services.

This vulnerability allows any attacker to spoof certificate fingerprints via crafted SASL messages to the IRCd. This allows any user to login as any other user that they know the certificate fingerprint of, and that user has services configured to accept SASL EXTERNAL login requests for.

This bug appears more widespread than just InspIRCd, and seems to affect most or all other implementations of SASL EXTERNAL, including Charybdis and UnrealIRCd.

View the complete changelog here.