--- /dev/null
+---
+layout: post
+title: "Charybdis 3.5.1 released"
+---
+
+We have released a maintenance release for the charybdis 3.5 branch, mainly importing improvements
+concerning ssld's robustness as well as adding support for building with GNUTLS 3.4.
+
+## Downloading charybdis
+
+The charybdis 3.5.0 release can be downloaded via:
+
+* [distfiles.charybdis.io](http://distfiles.charybdis.io/charybdis-3.5.0.tar.bz2)
+
+## What's new in Charybdis 3.5?
+
+### server protocol
+- Fix propagation of ip_cloaking hostname changes (only when setting or
+ unsetting the umode after connection).
+- Fix a remote-triggerable crash triggered by the CAPAB parsing code.
+- As per the TS6 spec, require QS and ENCAP capabilities.
+- Require EX and IE capabilities (+e and +I cmodes).
+- Check that UIDs start with the server's SID.
+
+### user
+- Allow mode queries on mlocked modes. In particular, allow /mode #channel f
+ to query the forward channel even if +f is mlocked.
+- Strip colours from channel topics in /list.
+- If umode +D or +g are oper-only, don't advertise them in 005.
+- If MONITOR is not enabled, don't advertise it in 005.
+- Add starttls as per ircv3.
+- Abort a whowas listing when it would exceed SendQ, which would previously
+ disconnect the user.
+- Reject nicks with '~' in them, rather than truncating at the '~'.
+- Remove CHARSET=ascii from ISUPPORT
+- Use the normal rules for IP visibility in /whowas.
+- Cmode +c now strips '\x0F' (^O, formatting off), fixing weird rendering in
+ some clients that internally use mIRC formatting such as highlighted
+ messages in HexChat.
+- Indicate join failure because of the chm_sslonly extension (cmode +S) using
+ the same 480 numeric as ircd-ratbox.
+- Do not allow SASL authentication when the configured SASL agent is unavailable.
+- Automatically add unidentified users to the ACCEPT list when a user is set +R,
+ as we do when the user is set +g.
+- Implement IRCv3.2 capabilities:
+ - cap-notify
+ - chghost
+ - userhost-in-names
+- Implement the $&, $| and $m extban types:
+ - $& combines 1 or more child extbans as an AND expression
+ - $| combines 1 or more child extbans as an OR expression
+ - $m provides normal hostmask matching as an extban for the above
+- Do not allow STARTTLS if a connection is already using TLS.
+- Display an operator's privilege set in WHOIS.
+- The $o extban now matches against privilege set names as well as individual
+ privileges. Privilege set names are preferred over individual privileges.
+
+### oper
+- Fix a crash with /testline.
+- Complain to opers if a server that isn't a service tries to
+ SU/RSFNC/NICKDELAY/SVSLOGIN.
+- Turn off umode +p (override) when deopering.
+- Make listener error messages (e.g. port already in use) visible by default
+ instead of only on snomask +d and in ioerrorlog.
+- Remove snotes on +r about GET/PUT/POST commands ("HTTP Proxy disconnected").
+- Add DNSBL snotes on snomask +r.
+
+### config
+- Add hide_uncommon_channels extension to hide uncommon channel memberships in WHOIS,
+ like in ircd-seven.
+- Add chm_nonotice extension, cmode +T to reject notices.
+- Add restrict-unauthenticated extension, prevents unauthenticated users from
+ doing anything as channel operator.
+- Add no_kill_services extension, prevents local opers from killing services.
+- Allow matching specific replies of DNSBLs, using the new matches option.
+- Remove blowfish crypt since it has the BSD advertising clause.
+- Fix SHA256 ($5$) crypt.
+- Make the channel::channel_target_change option actually work (it used to be
+ always on).
+- SSL/TLS listeners now have defer_accept unconditionally enabled on them.
+- The method used for certificate fingerprints (CertFP) is now configurable.
+ SHA1, SHA256 and SHA512 are available options.
+- The minimum user threshold for channels in default /list output is now
+ configurable.
+
+### misc
+- Work around timerfd/signalfd brokenness on OpenVZ.
+- Fix a compilation issue in libratbox/src/sigio.c with recent glibc.
+- Extend documentation slightly.
+- Remove a BSD advertising clause that permission was granted to remove.
+- Add support for hooking PRIVMSG/NOTICE.
+- Reenable and fix the GnuTLS support.
+- Add mbedTLS backend for SSL/TLS.
+- Remove EGD support.
+- Try other DNS servers if errors or corrupt replies are encountered.
+- Rename genssl.sh script to genssl.
+- Choose more secure SSL/TLS algorithms.
+- Fix reconnecting with SSL/TLS with some clients such as ChatZilla (see
+ https://bugzilla.mozilla.org/show_bug.cgi?id=858394#c34 for details.)
+- Improve error messages about the configuration file.
+- Fix a crash when compiled with recent clang on 32-bit systems.
+- Fix various memory leaks in rehash.
+- Fix various code quality issues.
+- Add --with-shared-sqlite to allow distribution packages to link to a shared
+ sqlite library. Using this is not recommended for on-server compilation.
+- ISUPPORT tokens which are actually provided by modules have been moved to their
+ respective modules.
+