author Ailin Nemui <ailin@z30a.localdomain> 2017-01-05 16:30:50 +0100
committer Ailin Nemui <ailin@z30a.localdomain> 2017-01-05 16:30:50 +0100
commit e5bcf80e162eb9caa6952a77abcd556eb09adcfd
tree 9c739bba06ddae069e13b595f48d6e9b55909664
parent 83988da9348b2f741a0bde7a95deefb11145a0ac
Release Irssi 1.0.0
-rw-r--r-- _includes/sb_whatsnew.html 4
-rw-r--r-- _posts/2016-09-21-irssi-0.8.20-released.markdown 5
-rw-r--r-- _posts/2017-01-05-irssi-0.8.21-released.markdown 22
-rw-r--r-- _posts/2017-01-05-irssi-1.0.0-released.markdown 38
-rw-r--r-- download/index.markdown 5
-rw-r--r-- security/irssi_sa_2017_01.txt 101
6 files changed, 169 insertions, 6 deletions
diff --git a/_includes/sb_whatsnew.html b/_includes/sb_whatsnew.html
index 64683bb..fa21d96 100644
--- a/_includes/sb_whatsnew.html
+++ b/_includes/sb_whatsnew.html
@@ -1,3 +1,3 @@
-<p><small>2016-09-22</small> <a href="/2016/09/22/buf.pl-update">buf.pl update available!</a> </p>
-<p><small>2016-09-21</small> <a href="/2016/09/21/irssi-0.8.20-released">Irssi 0.8.20 has been released!</a> </p>
+<p><small>2017-01-05</small> <a href="/2017/01/05/irssi-1.0.0-released">Irssi 1.0.0 released!</a> </p>
+<p><small>2017-01-05</small> <a href="/2017/01/05/irssi-0.8.21-released"><b>Security</b> Irssi 0.8.21 released!</a> </p>
<p><small>2015-12-15</small> <a href="/2015/12/14/irssi-website-now-on-github-pages">Irssi site now on github pages!</a> </p>
diff --git a/_posts/2016-09-21-irssi-0.8.20-released.markdown b/_posts/2016-09-21-irssi-0.8.20-released.markdown
index 699988b..fe2da78 100644
--- a/_posts/2016-09-21-irssi-0.8.20-released.markdown
+++ b/_posts/2016-09-21-irssi-0.8.20-released.markdown
@@ -9,6 +9,9 @@ users should upgrade to this version**. See the
[NEWS](//raw.githubusercontent.com/irssi/irssi/0.8.20/NEWS) for
details.
+Read the [security advisory](/security/irssi_sa_2016.txt).
+
+
This release can be downloaded from [our releases
page](https://github.com/irssi/irssi/releases). Binary test packages
for various Linux distributions are automatically generated by the
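Review bot: the moved advisory link is followed by two added empty lines (the two bare `+` lines after "Read the [security advisory](/security/irssi_sa_2016.txt)."). Markdown needs only one to end the paragraph, and the copy removed further down had a single empty line after it, so drop the second one.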
@@ -31,8 +34,6 @@ Note that the version shown by irssi internally is kept the same, but
they are safe to use anyway. The installed version can be verified with
`dpkg -l irssi` in ubuntu and debian.
-Read the [security advisory](/security/irssi_sa_2016.txt).
-
Those who cannot upgrade right now, but with Perl support enabled in
their Irssi, can load [this](/security/sa_patch.pl) script and add it to
`~/.irssi/scripts/autorun` as a first aid to mitigating these issues.
diff --git a/_posts/2017-01-05-irssi-0.8.21-released.markdown b/_posts/2017-01-05-irssi-0.8.21-released.markdown
new file mode 100644
index 0000000..0e8e6dd
--- /dev/null
+++ b/_posts/2017-01-05-irssi-0.8.21-released.markdown
@@ -0,0 +1,22 @@
+---
+layout: post
+title: "Irssi 0.8.21 Released"
+---
+
+Irssi 0.8.21 has been released. This release fixes four remote crash
+issues in older Irssi releases. There are no new features compared to
+0.8.20. **All users should upgrade to this version**. See the
+[NEWS](//raw.githubusercontent.com/irssi/irssi/0.8.21/NEWS) for
+details.
+
+This release can be downloaded from [our releases
+page](https://github.com/irssi/irssi/releases).
+
+Please check with your distro whether they provide officially updated
+packages.
+
+Read the [security advisory](/security/irssi_sa_2017_01.txt).
+
+We currently do not have any alternate advice.
+
+The Irssi Team.
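Review bot: "We currently do not have any alternate advice." near the end of the new post does not say what it would be an alternative to. State it directly, for example that there is no workaround and upgrading is the only fix, and consider repeating the advisory's instruction that /upgrade loads the new binary and TLS connections need /reconnect. The front matter also lacks the `version:` key that the 1.0.0 post added in this commit uses, so 0.8.21 is hard-coded in both the text and the NEWS URL.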
diff --git a/_posts/2017-01-05-irssi-1.0.0-released.markdown b/_posts/2017-01-05-irssi-1.0.0-released.markdown
new file mode 100644
index 0000000..8727d11
--- /dev/null
+++ b/_posts/2017-01-05-irssi-1.0.0-released.markdown
@@ -0,0 +1,38 @@
+---
+layout: post
+title: Irssi 1.0.0 Released
+version: 1.0.0
+---
+
+Irssi {{ page.version }} has been released. This release contains many
+improvements. Irssi 1.0.0 includes contributions by Lukas Mai, Xavier
+G, Kenny Root, Jari Matilainen, Todd A. Pratt, Manish Goregaokar,
+B. Thibault, Joseph Bisch, Will Storey, Lauri Tirkkonen, Lauri Nurmi,
+Tom Feist, Thomas Samson, Dennis Schagt, Mantas Mikulėnas and François
+Revol. In total, 132 files changed, 3434 lines were added and 3202
+lines deleted and TheLemonMan officially joined the staff. **Thanks
+everyone!** See the [NEWS](//raw.githubusercontent.com/irssi/irssi/{{
+page.version }}/NEWS) for details.
+
+Some hi(gh)lights:
+
+* irssiproxy can now forward all tags through a single port. By Lukas Mai
+* the kill buffer now remembers consecutive kills. New bindings were added: yank_next_cutbuffer and append_next_kill. By Todd A. Pratt
+* autolog_ignore_targets and activity_hide_targets learn a new syntax tag/* and * to ignore whole networks or everything. By Jari Matilainen
+* hilight got a -matchcase flag to hilight case sensitively. By Thibault B
+* Display TLS connection information upon connect. You can disable this by setting tls_verbose_connect to FALSE
+* Certificate pinning for TLS certificates
+* /names and $[...] now uses utf8 string operations. By Xavier G.
+* New setting completion_nicks_match_case
+* /channel /server /network now support modify subcommand. By Jari Matilainen
+* New option sasl_disconnect_on_failure to disconnect when SASL log-in failed
+
+This release can be downloaded from [our releases
+page](https://github.com/irssi/irssi/releases). Binary test packages
+for various Linux distributions are automatically generated by the
+[openSUSE Build Service](https://build.opensuse.org/) and are
+available for download in the
+[irssi-test](https://software.opensuse.org/download.html?project=home:ailin_nemui:irssi-test;package=irssi)
+repository.
+
+The Irssi Team.
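Review bot: the 1.0.0 post never mentions the security fixes or links /security/irssi_sa_2017_01.txt, although the advisory added in this same commit lists "Irssi 0.8.21, Irssi 1.0.0" under "Fixed in". Add the "Read the [security advisory](/security/irssi_sa_2017_01.txt)." line used in the 0.8.21 post, so users who go straight to 1.0.0 learn that it also closes the four remote crash issues. Smaller points: the body hard-codes "Irssi 1.0.0 includes" right after using {{ page.version }}, and the hilight credit reads "Thibault B" while the contributor list has "B. Thibault".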
diff --git a/download/index.markdown b/download/index.markdown
index 1a819ce..414f49d 100644
--- a/download/index.markdown
+++ b/download/index.markdown
@@ -3,6 +3,7 @@ layout: page
title: Getting Irssi
permalink: /download/
categories: [ _nav, _6 ]
+version: 1.0.0
---
There are several ways you can get Irssi<span class="hidden-md hidden-lg">:</span>
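Review bot: `version: 1.0.0` in this front matter duplicates the `version: 1.0.0` added to the 1.0.0 release post in the same commit, so the next release has to bump both by hand. A single site-wide value in _config.yml, referenced as a `site.` variable, would keep the download page and the release posts from drifting apart.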
@@ -156,7 +157,7 @@ The [openSUSE Build Service](http://build.opensuse.org/){:rel='external'} is bui
## Release Sources
-Latest release version: **0.8.20** – [Downloads][14]{:rel='external'}
+Latest release version: **{{ page.version }}** – [Downloads][14]{:rel='external'}
See the included [INSTALL][15]{:rel='external'} file for building instructions
@@ -166,7 +167,7 @@ To verify the signatures:
You shouldn't really trust this key without verifying its fingerprint. See it with `gpg --fingerprint staff@irssi.org` and ask someone if it matches (eg. on `#irssi`).
- gpg --verify irssi-0.8.20.tar.xz.asc
+ gpg --verify irssi-{{ page.version }}.tar.xz.asc
(This key is different from the one used to sign binaries of versions before 0.8.10. More gpg help can be found from GPG manual)
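Review bot: `gpg --verify irssi-{{ page.version }}.tar.xz.asc` names only the detached signature, so gpg infers the signed file from the signature's file name and the check only covers a tarball stored next to it under exactly that name. Since the line is being touched anyway, pass the tarball explicitly as the second argument (`gpg --verify irssi-{{ page.version }}.tar.xz.asc irssi-{{ page.version }}.tar.xz`) so it is unambiguous which file was verified.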
diff --git a/security/irssi_sa_2017_01.txt b/security/irssi_sa_2017_01.txt
new file mode 100644
index 0000000..d8e6850
--- /dev/null
+++ b/security/irssi_sa_2017_01.txt
@@ -0,0 +1,101 @@
+Multiple vulnerabilities in Irssi [1]
+=====================================
+
+
+Description
+-----------
+
+Four vulnerabilities have been located in Irssi.
+
+(a) A NULL pointer dereference in the nickcmp function found by Joseph
+ Bisch. (CWE-690)
+
+(b) Use after free when receiving invalid nick message (Issue #466, CWE-146)
+
+(c) Out of bounds read in certain incomplete control codes found by
+ Joseph Bisch. (CWE-126)
+
+(d) Out of bounds read in certain incomplete character sequences found
+ by Hanno Böck and independently by J. Bisch. (CWE-126)
+
+
+Impact
+------
+
+These issues may result in denial of service (remote crash).
+
+
+Affected versions
+-----------------
+
+(a) All Irssi versions that we observed
+(b) All Irssi versions that we observed
+(c) Irssi 0.8.17 and later
+(d) Irssi 0.8.18 and later
+
+
+Fixed in
+--------
+
+Irssi 0.8.21, Irssi 1.0.0
+
+
+Recommended action
+------------------
+
+Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release
+without any new features.
+
+After installing the updated packages, one can issue the /upgrade
+command to load the new binary. TLS connections will require
+/reconnect.
+
+
+A Note to Distributors
+----------------------
+
+First of all, thanks to every maintainer for their awesome job in
+packaging Irssi and backporting security fixes.
+
+When we had to release a security advisory last year with Irssi
+0.8.20, we noticed there was a huge confusion amongst Ubuntu users
+about whether their Irssi version was safe to use.
+
+Since all our releases 0.8.18, 0.8.19, 0.8.20 and 0.8.21 have been bug
+fix only, we think distributions should just ship the release.
+
+But if the security fixes only are backported on top of an old
+version, we would like to urge distributions to consider indicating
+this in a way that is visible inside Irssi. One way to do this would
+be to manually overwrite the PACKAGE_VERSION and marking your package
+as patched. This can be done for example like this:
+
+ ./configure PACKAGE_VERSION=0.8.17-sa201701
+
+
+You can then check the version from inside Irssi with /eval echo $J
+
+As an added benefit over relying on dpkg, this will also correctly
+report whether you had /upgrade done or not. We are looking for a ways
+to make this easier to handle for both packagers and us, so if you
+have a good idea on this matter please speak forth.
+
+Mitigating facts
+----------------
+
+(a) requires control over the ircd
+
+(b), (d) require control over the ircd or otherwise can be triggered /
+ avoided by the user themselves
+
+
+Patch
+-----
+
+https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
+
+
+References
+----------
+
+[1] https://irssi.org/security/irssi_sa_2017_01.txt
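Review bot: item (b) tags the use after free as CWE-146, which is the CWE entry for improper neutralization of expression/command delimiters; the use-after-free entry is CWE-416, so this looks like transposed digits. "Mitigating facts" covers (a), (b) and (d) but says nothing about (c); either add a line for it or state that none is known. "Recommended action" names only 0.8.21 while "Fixed in" also lists 1.0.0, and "a ways" in the distributor note should be "ways".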