Use 1 CPU for x86_64

See https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers.

0001-Fix-RCE-vulnerability-in-modtcl.patch

@@ -1,62 +0,0 @@
-From e273660b0e10857cc56eb0022cf0d9f0c0a7bd2f Mon Sep 17 00:00:00 2001
-From: Alexey Sokolov <alexey+znc@asokolov.org>
-Date: Mon, 1 Jul 2024 09:59:16 +0100
-Subject: [PATCH] Fix RCE vulnerability in modtcl
-
-Remote attacker could execute arbitrary code embedded into the kick
-reason while kicking someone on a channel.
-
-To mitigate this for existing installations, simply unload the modtcl
-module for every user, if it's loaded.
-Note that only users with admin rights can load modtcl at all.
-
-While at it, also escape the channel name.
-
-Discovered by Johannes Kuhn (DasBrain)
-
-Patch by https://github.com/glguy
-
-CVE-2024-39844
-
-(cherry picked from commit 8cbf8d628174ddf23da680f3f117dc54da0eb06e)
----
- modules/modtcl.cpp | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/modules/modtcl.cpp b/modules/modtcl.cpp
-index c64bc43f..58e68f51 100644
---- a/modules/modtcl.cpp
-+++ b/modules/modtcl.cpp
-@@ -248,8 +248,9 @@ class CModTcl : public CModule {
-         // chan specific
-         unsigned int nLength = vChans.size();
-         for (unsigned int n = 0; n < nLength; n++) {
-+            CString sChannel = TclEscape(CString(vChans[n]->GetName()));
-             sCommand = "Binds::ProcessNick {" + sOldNick + "} {" + sHost +
--                       "} - {" + vChans[n]->GetName() + "} {" + sNewNickTmp +
-+                       "} - {" + sChannel + "} {" + sNewNickTmp +
-                        "}";
-             int i = Tcl_Eval(interp, sCommand.c_str());
-             if (i != TCL_OK) {
-@@ -260,14 +261,16 @@ class CModTcl : public CModule {
- 
-     void OnKick(const CNick& OpNick, const CString& sKickedNick, CChan& Channel,
-                 const CString& sMessage) override {
-+        CString sMes = TclEscape(sMessage);
-         CString sOpNick = TclEscape(CString(OpNick.GetNick()));
-         CString sNick = TclEscape(sKickedNick);
-         CString sOpHost =
-             TclEscape(CString(OpNick.GetIdent() + "@" + OpNick.GetHost()));
-+        CString sChannel = TclEscape(Channel.GetName());
- 
-         CString sCommand = "Binds::ProcessKick {" + sOpNick + "} {" + sOpHost +
--                           "} - {" + Channel.GetName() + "} {" + sNick + "} {" +
--                           sMessage + "}";
-+                           "} - {" + sChannel + "} {" + sNick + "} {" +
-+                           sMes + "}";
-         int i = Tcl_Eval(interp, sCommand.c_str());
-         if (i != TCL_OK) {
-             PutModule(Tcl_GetStringResult(interp));
--- 
-2.48.1
-

0001-Use-system-wide-crypto-policy.patch

@@ -9,34 +9,24 @@ Reference: https://fedoraproject.org/wiki/Packaging:CryptoPolicies
  1 file changed, 3 insertions(+), 14 deletions(-)
 
 diff --git a/src/Socket.cpp b/src/Socket.cpp
-index fa510462..e40c76ea 100644
+index 577f69c..f413f96 100644
 --- a/src/Socket.cpp
 +++ b/src/Socket.cpp
-@@ -28,21 +28,10 @@
+@@ -28,15 +28,11 @@
  #endif
  
  #ifdef HAVE_LIBSSL
 -// Copypasted from
 -// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
--// at 2018-04-01
+-// at 2024-02-08 (version 5.7)
 +// Use system-wide crypto policy
 +// https://fedoraproject.org/wiki/Packaging:CryptoPolicies
  static CString ZNC_DefaultCipher() {
--    return "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-"
--           "ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-"
--           "AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-"
--           "SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-"
--           "RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
--           "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-"
--           "SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
--           "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
--           "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:"
--           "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-"
--           "SHA:DES-CBC3-SHA:!DSS";
+     // This is TLS1.2 only, because TLS1.3 ciphers are probably not configurable here yet
+-    return "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
+-           "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
+-           "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
+-           "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
 +    return "PROFILE=SYSTEM";
  }
  #endif
- 
--- 
-2.19.0.rc0
-

sources

@@ -1,2 +1,2 @@
-SHA512 (znc-1.8.2.tar.gz) = e821647b50698c3a82fad039e69943e030bf644d8f8e82afa87c6c11da44761bceecddd510a7a956a1b487b1cca6ee46e8ac8818ea03127f0f1ff8f5d1a1a7f9
-SHA512 (znc-1.8.2.tar.gz.sig) = c4fb2817a54155cef19702e3f48ba845350209019445d7b056d303c708ddf8931eea308a0ec84d58f02be0cb932b663c3d2a732c48112205dbe953f8b08423cb
+SHA512 (znc-1.10.1.tar.gz) = f125eef5a9f8bfcd278951971638fe8a937261001bfd8f6438fc51fda666b97c00780c5c6f1a921b3db79cb7656bc9675eb3881b18b22b7738e0976ebcca7cb3
+SHA512 (znc-1.10.1.tar.gz.sig) = a85b65dacce72d51cda4260ff881496c82b77dabf273fda1c3f536360950755700b352a6d22bac01c808abae13c4b686a2e5f36b0351e0b77ec032057caee311

znc.spec

@@ -12,11 +12,12 @@
 %endif # 0%{?fedora} || 0%{?rhel} >= 7
 
 Name:           znc
-Version:        1.8.2
-Release:        16%{?dist}
+Version:        1.10.1
+Release:        1%{?dist}
 Summary:        An advanced IRC bouncer
 
-License:        ASL 2.0
+# Automatically converted from old format: ASL 2.0 - review is highly recommended.
+License:        Apache-2.0
 URL:            https://znc.in
 Source0:        %{url}/releases/archive/%{name}-%{version}.tar.gz
 Source1:        %{url}/releases/archive/%{name}-%{version}.tar.gz.sig
@@ -26,30 +27,31 @@ Source2:        gpgkey-5AE420CC0209989E.asc
 # https://fedoraproject.org/wiki/Packaging:CryptoPolicies
 Patch0:         0001-Use-system-wide-crypto-policy.patch
 
-# https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e
-# Fixes CVE-2024-39844
-Patch1:         0001-Fix-RCE-vulnerability-in-modtcl.patch
-
-BuildRequires: make
-BuildRequires:  automake
 BuildRequires:  c-ares-devel
+BuildRequires:  cmake
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  gcc-c++
 BuildRequires:  gettext-devel
 BuildRequires:  gnupg2
 BuildRequires:  libicu-devel
+BuildRequires:  make
+
 %if 0%{?fedora} || 0%{?rhel} >= 8
 BuildRequires:  openssl-devel >= 0.9.8
 %else
 BuildRequires:  openssl11-devel
 %endif
+
+%if 0%{?fedora} >= 41
+BuildRequires:  openssl-devel-engine
+%endif
+
 BuildRequires:  perl(ExtUtils::Embed)
 
 %if 0%{?rhel} && 0%{?rhel} <= 9
 Obsoletes:      znc-extra <= %{version}-%{release}
 %endif # 0%{?rhel} && 0%{?rhel} <= 9
 
-Requires(pre):  shadow-utils
 BuildRequires:  systemd
 %{?systemd_requires}
 
@@ -126,39 +128,48 @@ rm -rf "$gpghome" $key.gpg # Cleanup tmp gpg home dir and dearmored key
 # The manual page references /usr/local/; fix that
 sed -ie 's!/usr/local/!/usr/!' man/znc.1
 
+# Create a sysusers.d config file
+cat >znc.sysusers.conf <<EOF
+u znc - 'Account for ZNC to run as' /var/lib/znc -
+EOF
+
 %build
 %if 0%{?rhel} == 7
 sed -e 's/"openssl"/"openssl11"/g' -i configure
 %endif
 
-%configure \
-     --with-module-prefix=%{_libdir}/znc \
-     --with-systemdsystemunitdir=%{_unitdir} \
-%if 0%{?with_modperl}
-     --enable-perl \
-%else
-     --disable-perl \
-%endif # 0%{?with_modperl}
-%if 0%{?with_modpython}
-     --enable-python \
-%else # 0%{?with_modpython}
-     --disable-python \
-%endif # 0%{?with_modpython}
-     --enable-ipv6 --enable-cyrus --enable-tcl --with-tcl=%{_libdir}
-%make_build V=1
+# NOTE(neil): 2024-09-02 aarch64 responds badly to building on large machines
+%ifarch aarch64
+%global _smp_build_ncpus 1
+%endif
 
+%ifarch x86_64
+%global _smp_build_ncpus 1
+%endif
+
+%cmake \
+%if 0%{?with_modperl}
+    -DWANT_PERL=1 \
+%endif
+%if 0%{?with_modpython}
+    -DWANT_PYTHON=1 \
+%endif
+    -DWANT_SYSTEMD=1 \
+    -DSYSTEMD_DIR=%{_unitdir} \
+    -DWANT_IPV6=1 \
+    -DWANT_CYRUS=1 \
+    -DWANT_TCL=1
+
+%cmake_build
 
 %install
-%make_install
+%cmake_install
 install -d "%{buildroot}%{_sharedstatedir}/znc"
 %py_byte_compile %{__python3} %{buildroot}%{_libdir}/znc/
 
+install -m0644 -D znc.sysusers.conf %{buildroot}%{_sysusersdir}/znc.conf
+
 
-%pre
-getent group znc >/dev/null || groupadd -r znc
-getent passwd znc >/dev/null || \
-    useradd -r -g znc -d /var/lib/znc -s /sbin/nologin \
-    -c "Account for ZNC to run as" znc
 
 
 %post
@@ -195,6 +206,7 @@ getent passwd znc >/dev/null || \
 %exclude %{_datadir}/znc/modtcl/
 %{_unitdir}/znc.service
 %attr(-,znc,znc) %{_sharedstatedir}/znc/
+%{_sysusersdir}/znc.conf
 
 %files devel
 %{_bindir}/znc-buildmod
@@ -223,8 +235,88 @@ getent passwd znc >/dev/null || \
 
 
 %changelog
-* Fri May 09 2025 Robby Callicotte <rcallicotte@fedoraproject.org> - 1.8.2-16
-- Fix for CVE-2024-39844
+* Mon Oct 13 2025 Ben Maconi <turboben@fedoraproject.org> - 1.10.1-1
+- Updated to 1.10.1
+
+* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 1.9.1-13
+- Rebuilt for Python 3.14.0rc3 bytecode
+
+* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 1.9.1-12
+- Rebuilt for Python 3.14.0rc2 bytecode
+
+* Wed Aug 06 2025 František Zatloukal <fzatlouk@redhat.com> - 1.9.1-11
+- Rebuilt for icu 77.1
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Mon Jul 07 2025 Jitka Plesnikova <jplesnik@redhat.com> - 1.9.1-9
+- Perl 5.42 rebuild
+
+* Mon Jun 02 2025 Python Maint <python-maint@redhat.com> - 1.9.1-8
+- Rebuilt for Python 3.14
+
+* Tue Feb 11 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.9.1-7
+- Add sysusers.d config file to allow rpm to create users/groups automatically
+
+* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Sun Dec 08 2024 Pete Walter <pwalter@fedoraproject.org> - 1.9.1-5
+- Rebuild for ICU 76
+
+* Sun Aug 25 2024 Neil Hanlon <neil@shrug.pw> - 1.9.1-4
+- switch to pure cmake (1.9.0 turned configure into a wrapper which dropped options)
+- resolve ftbfs, fti, new version (#226393 #2301380 #2292226)
+- resolve CVE-2024-39844 (#2295622)
+
+* Wed Jul 24 2024 Miroslav Suchý <msuchy@redhat.com> - 1.9.1-3
+- convert license to SPDX
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Wed Jul 17 2024 Nick Bebout <nb@fedoraproject.org> - 1.9.1-1
+- Update to 1.9.1
+
+* Tue Jun 18 2024 Python Maint <python-maint@redhat.com> - 1.8.2-28
+- Rebuilt for Python 3.13
+
+* Wed Jun 12 2024 Jitka Plesnikova <jplesnik@redhat.com> - 1.8.2-27
+- Perl 5.40 rebuild
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 1.8.2-26
+- Rebuilt for Python 3.13
+
+* Wed Jan 31 2024 Pete Walter <pwalter@fedoraproject.org> - 1.8.2-25
+- Rebuild for ICU 74
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.2-24
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.2-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jul 13 2023 František Zatloukal <fzatlouk@redhat.com> - 1.8.2-22
+- Rebuilt for ICU 73.2
+
+* Thu Jul 13 2023 Jitka Plesnikova <jplesnik@redhat.com> - 1.8.2-21
+- Perl 5.38 re-rebuild updated packages
+
+* Tue Jul 11 2023 František Zatloukal <fzatlouk@redhat.com> - 1.8.2-20
+- Rebuilt for ICU 73.2
+
+* Tue Jul 11 2023 Jitka Plesnikova <jplesnik@redhat.com> - 1.8.2-19
+- Perl 5.38 rebuild
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 1.8.2-18
+- Rebuilt for Python 3.12
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.2-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Dec 31 2022 Pete Walter <pwalter@fedoraproject.org> - 1.8.2-16
+- Rebuild for ICU 72
 
 * Mon Aug 01 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.8.2-15
 - Rebuilt for ICU 71.1