From https://github.com/oragono/oragono/releases/tag/v2.6.1:

"Oragono 2.6.1 is a bugfix release, fixing a security issue that is critical for some private server configurations. We regret the oversight.

The issue affects two classes of server configuration:

1. Private servers that use server.password (i.e., the PASS command) for protection. If accounts.registration.allow-before-connect is enabled, the REGISTER command can be used to bypass authentication. Affected operators should set this field to false, or upgrade to 2.6.1, which disallows the insecure configuration. (If the field does not appear in the configuration file, the configuration is secure since the value defaults to false when unset.)

2. Private servers that use accounts.require-sasl for protection. If these servers do not additionally set accounts.registration.enabled to false, the REGISTER command can potentially be used to bypass authentication. Affected operators should set accounts.registration.enabled to false; this recommendation appeared in the operator manual but was not emphasized sufficiently. (Configurations that require SASL but allow open registration are potentially valid, e.g., in the case of public servers that require everyone to use a registered account; accordingly, Oragono 2.6.1 continues to permit such configurations.)

This release includes no changes to the config file format or the database."
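A configuration check for the two classes described in the quoted release notes, as an added example that is not part of the bug report or of the Oragono project. The helper names `flatten` and `audit`, the minimal YAML-subset parser, and the sample configs are constructed for illustration; the check assumes `require-sasl` may be either a bare boolean or a block with an `enabled` key, and it flags a missing `accounts.registration.enabled` because the notes do not state its default.

```python
import re

TRUE, FALSE = {"true", "yes", "on"}, {"false", "no", "off"}

def flatten(text):
    """Flatten nested 'key: value' YAML lines into {'a.b.c': 'value'}; list items are skipped."""
    out, stack = {}, []  # stack holds (indent, key) for the current nesting path
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        m = re.match(r"^( *)([A-Za-z0-9_-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if value:
            out[".".join(k for _, k in stack)] = value
    return out

def audit(text):
    """Return findings for the two configuration classes named in the 2.6.1 notes."""
    cfg, findings = flatten(text), []
    val = lambda key: cfg.get(key, "").lower()
    # Class 1: PASS-protected server that allows registration before connect.
    # An absent allow-before-connect key is safe (it defaults to false per the notes).
    if cfg.get("server.password") and val("accounts.registration.allow-before-connect") in TRUE:
        findings.append("PASS: set accounts.registration.allow-before-connect to false")
    # Class 2: SASL-required server without registration explicitly disabled.
    # Assumption: require-sasl is a bare boolean or a block with an 'enabled' key.
    sasl = val("accounts.require-sasl") in TRUE or val("accounts.require-sasl.enabled") in TRUE
    if sasl and val("accounts.registration.enabled") not in FALSE:
        findings.append("SASL: set accounts.registration.enabled to false if the server is private")
    return findings

# Constructed sample configs (not taken from any real deployment).
WEAK = """
server:
    password: "constructed-placeholder-hash"
accounts:
    registration:
        enabled: true
        allow-before-connect: true  # the setting 2.6.1 rejects with PASS
    require-sasl:
        enabled: true
"""
FIXED = WEAK.replace("enabled: true\n        allow-before-connect: true",
                     "enabled: false\n        allow-before-connect: false")

if __name__ == "__main__":
    print("weak:", audit(WEAK), "fixed:", audit(FIXED))
```

The second finding is advisory: per the release notes, requiring SASL while allowing open registration remains a valid setup for public servers.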
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81f5d0c931bbbaa54976dc1b7af77034774faeb6

commit 81f5d0c931bbbaa54976dc1b7af77034774faeb6
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-04-26 14:25:07 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-04-26 15:37:17 +0000

    net-irc/oragono: drop 2.5.1, 2.6.0 (security cleanup)

    Bug: https://bugs.gentoo.org/785838
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/oragono/Manifest | 2 --
 net-irc/oragono/oragono-2.5.1.ebuild | 68 ------------------------------------
 net-irc/oragono/oragono-2.6.0.ebuild | 68 ------------------------------------
 3 files changed, 138 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62d86a40c64b328d2f153250440bb2e1827fce63

commit 62d86a40c64b328d2f153250440bb2e1827fce63
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-04-26 14:24:29 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-04-26 15:37:16 +0000

    net-irc/oragono: add 2.6.1

    Bug: https://bugs.gentoo.org/785838
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/oragono/Manifest | 1 +
 net-irc/oragono/oragono-2.6.1.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)