UnrealIRCd 5.0.4 Release Notes
===============================
This new 5.0.4 version fixes quite a number of bugs. It contains only two small feature improvements.
Fixes:
* When placing a SHUN on an online user it was not always effective.
* Channeldb was not properly restoring all channel modes, such as +P.
* When upgrading UnrealIRCd it could sometimes crash the currently
running IRC server (rare), or trigger a crash report on
```./unrealircd restart``` (quite common).
* UnrealIRCd was giving up too easily on ident lookups.
* Crash when unloading a module with moddata.
* Crash if an authenticated server sends wrong information (rare).
* Removing a TEMPSHUN did not work if the user was on another server.
* SAJOIN to 0 (part all channels) resulted in a desync when used on remote users.
* Forced nick change from services was not showing up if the user
was not in any channels.
Enhancements:
* New option [set::hide-idle-time::policy](https://www.unrealircd.org/docs/Set_block#set%3A%3Ahide-idle-time)
by which you can change usermode +I (hide idle time in WHOIS) from
oper-only to settable by users. More options will follow in a future
release.
* In WHOIS you can now see if a user is currently (temp)shunned.
This only works for locally connected users for technical reasons,
so use ```/WHOIS Nick Nick``` to see it for remote users.
Changes:
* The oper notices and logging with regards to server linking have changed
a little. They are more consistent and log more now.
* When an IRCOp tries to oper up from an insecure connection we will now
mention the https://www.unrealircd.org/docs/FAQ#oper-requires-tls page.
This message is customizable through
[set::plaintext-policy::oper-message](https://www.unrealircd.org/docs/Set_block#set::plaintext-policy).
* The French HELPOP text was updated.
UnrealIRCd 5.0.3.1
-------------------
This fixes a crash issue after REHASH in 5.0.3.
UnrealIRCd 5.0.3
-----------------
Fixes:
* Fix serious flood issue in labeled-response implementation.
* An IRCOp SQUIT'ing a far remote server may cause a broken link topology
* In channels that are +D (delayed join), PARTs were not shown correctly to
channel operators.
Enhancements:
* A new HISTORY command for history playback (```HISTORY #channel number-of-lines```)
which allows you to fetch more lines than the on-join history playback.
Of course, taking into account the set limits in the +H channel mode.
This command is one of the [two interfaces](https://www.unrealircd.org/docs/Channel_history#Ways_to_retrieve_history)
to [Channel history](https://www.unrealircd.org/docs/Channel_history).
* Two new [message tags](https://www.unrealircd.org/docs/Message_tags),
```unrealircd.org/userip``` and ```unrealircd.org/userhost```
which communicate the user@ip and real user@host to IRCOps.
Changes:
* Drop the draft/ prefix now that the IRCv3
[labeled-response](https://ircv3.net/specs/extensions/labeled-response.html)
specification is out of draft.
* The operclass permission ```immune:target-limit``` is now called
```immune:max-concurrent-conversations```, since it bypasses
[set::anti-flood::max-concurrent-conversations](https://www.unrealircd.org/docs/Set_block#set::anti-flood::max-concurrent-conversations).
For 99% of the users this change is not important, but it may be
if you use highly customized [operclass blocks](https://www.unrealircd.org/docs/Operclass_block)
Are you upgrading from UnrealIRCd 4.x to UnrealIRCd 5? If so,
then check out the *UnrealIRCd 5* release notes [further down](#unrealircd-5). At the
very least, check out [Upgrading from 4.x](https://www.unrealircd.org/docs/Upgrading_from_4.x).
Upgrade notes (seem like there are very few breaking changes):
https://www.unrealircd.org/docs/Upgrading_from_4.x
What's new in UnrealIRCd 5:
* Channel history. You can now see the last couple of lines that have
been said on channels when you JOIN. For this you need to set channel
mode +H, eg: eg: /MODE #chan +H 15:1440
* More IRCv3 features. Additional details are communicated to clients
which may help with displaying information. Implemented specs are:
account-tag, message-ids, time, echo-message, labeled-response and
BATCH.
* Ban exceptions (/ELINE). You can now exempt users dynamically on IRC
from *LINES, spamfilter, throttling, blacklist checking, connection
floods, bypassing antirandom, etc. Just type /ELINE on IRC to see
details.
* *LINES and Spamfilters are remembered: All of these are saved to a
file every few minutes and saved across reboots. This uses the new
tkldb module (loaded by default). No need for services for that
anymore.
* Persistent channels are remembered: For channels which have mode +P
set we now save all channel settings across reboots (topic, regular
modes and +beI lists). This via the channeldb module (loaded by
default).
* Anti connect-flood measures. In the last few 4.2.x versions we
introduced Connthrottle and reputation. In 5.x these modules are now
loaded by default for increased security.
* Easily restrict commands to fight drones. You can now disable any
command or impose restrictions, such as: command can only be executed
after being connected for XX seconds, or if you are identified to
services, etc. See the example for how to restrict LIST, INVITE and
messaging.
* Module manager for managing 3rd party modules easily. Install and
update modules with a single command.
* Condition configuration. You can have condition configuration where
you e.g. @define $IP "203.0.113.1" and can use $IP everywhere in the
configuration file. Similarly, support for @if-blocks. This is
especially useful for advanced users who like to use the same
configuration file on multiple machines, usually with the help of
remote includes.
* Improved Channel Mode +L now kicks in for any rejected join, so not
just for +l but also for +b, +i, +O, +z, +R and +k. If, for example,
the channel is +L #insecure and also +z then, when an insecure user
ties to join they will be redirected to #insecure.
* Ban forwards. New extended ban ~f to forward users to the specified
channel if the ban matches. Example: MODE #chan +b
~f:#badisp:*!*@*.isp.org
* Improved WebSocket support. We already supported websockets, but now
we support websocket type 'text', which is compatible with web IRC
clients such as Kiwi IRC.
* Code cleanups. The biggest effort of all went into cleaning up old
code and making the code much more readable. This also means that
UnrealIRCd 5 will not be able to link with really older servers or
services, like UnrealIRCd 3.2.x.
* Windows version is 64-bits. This should allow for increased address
space and security. This also means UnrealIRCd 5 will not run on
32-bits Windows (should be rare nowadays, anyway)
The pkgsrc version was being used, but not being detected properly
by configure. I'm guessing the configure script is assuming Debian
version numbers or something.
This release fixes a crash issue if UnrealIRCd is configured to use utf8 or
chinese character sets in set::allowed-nickchars. We don't expect many users
to run their IRCd with this enabled, as the utf8 support was tagged as
experimental and the chinese/gbk implementation is incomplete.
This release also contains a number of other fixes and enhancements.
In particular the reputation and connthrottle modules are now working
better and there were some major Windows fixes.
The tarball was silently updated without a release. After diffing this
against the git tag, the updated tarball seems to change some if statements
from if (x = y) to if (x == y)...
766055d5c0
The bug fixed by this change is apparently not exploitable.
Changes between version 4.2.1 and 4.2.2:
Improvements:
Quicker connection handshake for clients which use CAP and/or SASL.
With "TOPIC #chan" and "MODE #chan +b" (and +e/+I) you can see who set the topic and bans/exempts/invex. The default is to only show the nick of the person who set the item. This can be changed (not the default) by setting:
set { topic-setter nick-user-host; };
set { ban-setter nick-user-host; };
The 'set by' and 'set at' information for +beI lists are now synchronized when servers link. You still see the MODE originating from the server, however when the banlist is queried you will now be able to see the original nick and time of the bansetter rather than serv.er.name. If you want the OLD behavior you can use: set { ban-setter-sync no; };
The default maximum topic length has been increased from 307 to 360.
You can now set more custom limits. The default settings are shown below:
set {
topic-length 360; /* maximum: 360 */
away-length 307; /* maximum: 360 */
quit-length 307; /* maximum: 395 */
kick-length 307; /* maximum: 360 */
};
The message sent to users upon *LINE can now be adjusted completely via set::reject-message::kline and set::reject-message::gline.
New set::anti-flood::max-concurrent-conversations which configures the maximum number of conversations a user can have with other users at the same time.
Until now this was hardcoded at limiting /MSG and /INVITE to 20 different users in a 15 second period. The new default is 10 users, which serves as a protection measure against spambots.
New set::max-targets-per-command which configures the maximum number of targets accepted for a command, such as 4 to allow e.g. /MSG nick1,nick2,nick3,nick4 hi.
Also changed the following defaults (previously hardcoded):
PRIVMSG from 20 to 4 targets, to counter /amsg spam
NOTICE from 20 to 1 target, to counter /anotice spam
KICK from 1 to 4 targets, to make it easier for channel operators to quickly kick a large amount of spambots
Added INVITE and KNOCK flood protection (command rate limiting):
set::anti-flood::invite-flood now defaults to 4 per 60 seconds (previously the effective limit was 1 invite per 6 seconds).
set::anti-flood::knock-flood now defaults to 4 per 120 seconds.
New set::outdated-tls-policy which describes what to do with clients that use outdated SSL/TLS protocols (eg: TLSv1.0) and ciphers.
The default settings are to warn in all cases: users connecting, opers /OPER'ing up and servers linking in. The user will see a message telling them to upgrade their IRC client.
This should help with migrating such users, since in the future, say one or two years from now, we would want to change the default to only allow TSLv1.2+ with ciphers that provide Forward Secrecy. Instead of rejecting clients without any error message, this provides a way to warn them and give them some time to upgrade their outdated IRC client.
Major issues fixed:
Crash issue in the 'websocket' module.
Minor issues fixed:
The advertised "link-security" was incorrectly downgraded from level 2 to 1 if spkifp was used as an authentication method.
In case of a crash, the ./unrealircd backtrace script was not working correctly in non-English environments, leading to less accurate bug reports.
Various crashes if a server receives incorrect commands from a trusted linked server.
A number of memory leaks on REHASH (about 1K).
SASL was not working post-registration, eg: when services link back in. This is now fixed in UnrealIRCd, but may require a services update as well.
Changed:
The noctcp user mode (+T) will now only block CTCP's and not CTCP REPLIES. Also, IRCOps can bypass user mode +T restrictions.
The server will warn if your ulines { } are matching UnrealIRCd servers.
The m_whox module now contains various features that m_who already had.
Also, m_whox will try to convert classic UnrealIRCd WHO requests such as "WHO +i 127.0.0.1" to whox style "WHO 127.0.0.1 i".
Unfortunately auto-converting WHO requests is not always possible. When in doubt the WHOX syntax is assumed. Users are thus (still) encouraged to use the whox style when m_whox is loaded.
For module coders:
New hook HOOKTYPE_WELCOME (aClient *acptr, int after_numeric): allows you to send a message at very specific places during the initial welcome.
New Isupport functions: IsupportSet, IsupportSetFmt and IsupportDelByName.
The M_ANNOUNCE flag in the command add functions should no longer be used as CMDS= is removed. Please update your module.
New "SJSBY" in PROTOCTL, which is used in SJOIN to sync extra data. See the last part of the SJOIN documentation.
For a command with 2 arguments, eg "PRIVMSG #a :txt", parv[1] is "#a", parv[2] is "txt" and parv[3] is NULL. Any arguments beyond that, such as parv[4] should not be accessed. To help module coders with detecting such bugs we now poison unused parv[] elements that should never be accessed. Note that without this poison your code will also crash, now it just crashes more consistently.
IRC protocol:
This section is intended for client coders and people interested in IRC protocol technicalities
Many changes in the tokens used in numeric 005 (RPL_ISUPPORT):
Removed CMDS= because this was an unnecessary abstraction and it was not picked up by any other IRCd.
The tokens KNOCK MAP USERIP have been added (moved from CMDS=..)
STARTTLS is no longer advertised in 005 since doing so would be too late. Also, STARTTLS is not the preferred method of using SSL/TLS.
Added TARGMAX= to communicate set::max-targets-per-command limits.
Removed the MAXTARGETS= token because TARGMAX= replaces it.
Added DEAF=d to signal what user mode is used for "deaf"
Added QUITLEN to communicate the set::quit-length setting (after all, why communicate length for KICK but not for QUIT?)
The 005 tokens are now sorted alphabetically
When hitting the TARGMAX limit (set::max-targets-per-command), for example with "/MSG k001,k002,k003,k004,k005 hi", you will see:
:server 407 me k005 :Too many targets. The maximum is 4 for PRIVMSG.
When hitting the set::anti-flood::max-concurrent-conversations limit (so not per command, but per time frame), you will see:
:server 439 me k011 :Message target change too fast. Please wait 7 seconds
When hitting the set::anti-flood::invite-flood limit you will get:
:server 263 me INVITE :Flooding detected. Please wait a while and try again.
When hitting the set::anti-flood::knock-flood limit you will get:
:server 480 me :Cannot knock on #channel (You are KNOCK flooding)
Not a protocol change. But when a server returns from a netsplit and syncs modes such as: :server MODE #chan +b this!is@an.old.ban
Then later on you can query the banlist (MODE #chan b) and you may see the actual original setter and timestamp of the ban. So if a user wishes to see the banlist then IRC clients are encouraged to actively query the banlist before displaying it. Fortunately most clients do this.
If the set::topic-setter or set::ban-setter are set to nick-user-host then the "added by" field in numerics that show these entries will contain nick!user@host instead of nick, eg:
:server 367 me #channel this!is@some.banbansetter!user@some.host 1549461765
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
pkgsrc changes:
- Remove obsolete and broken MESSAGE files.
- Find zlib correctly when enabled.
- Add SMF manifest.
- Update patch files and add comments where necessary.
Upstream changes:
- This release fixes a SASL Denial of Service issue
Patch provided by Marco Wessel in joyent/pkgsrc#306.
Problems found with existing distfiles:
distfiles/icb-5.0.9.tar.gz
distfiles/icb.2.1.4.tar.Z
distfiles/zenicb-19981202.tar.gz
No changes made to these /distinfo files.
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
WRKSRC is now handled automatically. Let options.mk include bsd.prefs.mk
instead of pulling it in again in Makefile. CONFIGURE_ARGS for hub and leaf
no longer exist. Removed from PKG_OPTIONS. Specifying hostname in
CONFIGURE_ARGS is also no longer available. Removed. ${IRCD_SHARE}/networks
files are no longer provided. Removing from post-install and PLIST. From
Changes:
- Fix compilation issue when disabling stacked extbans. https://bugs.gentoo.org/389949
- Fix compilation issues with bundled tre and ./curlinstall-ed curl caused by over-generic regexes. Reported by warg.
- Include CMDS=STARTTLS in ISUPPORT/numeric 005 to let clients discover STARTTLS support through VERSION, before or after registration (#4064).
- Added patch from nenotopia to use more modern LUSERS numerics (#3967).
- Fix small error in oper block documentation, reported by Stealth (#2318).
- Config parser failed to check for invalid set::ssl options, reported and patch by fbi (#4035).
- Tweak: send actual channel name and not user supplied channel in KICK, reported and patch by Stealth (#3298).
- Services coders: Added support for ESVID. Instead of a number you can
now store a string (of max NICKLEN size) as service stamp.
- Show account name in /WHOIS, for ESVID-capable services packages, patch from nenotopia (#3966).
- Added extended ban ~a:<account name> which matches users who are logged
in to services with that account name. This works only on services that
support ESVID. Patch from nenotopia (#3966).
- Updated extended ban documentation in help.conf and unreal32docs:
new bantype ~a, and some text about extended bans & invex (+I).
- compile fix for just-checked-in patches.
- extban ~a = also allowed for invex
- Throw up an error if a password in the configuration file is too long
(max 48 characters), reported by JasonTik, based on patch from
WolfSage (#3223).
- Enforce matching of unrealircd version and PACKAGE_VERSION macros (#4014).
- Make default service stamp 0 (zero) again, instead of '*' which was
introduced by ESVID changes a few days ago. This makes anope happy,
and also means nothing will change in a non-ESVID scenario.
- Fix misuse of stdarg.h macros when calling vsyslog() (#4065 by Jimini).
- Ditch vsyslog() as it's only a waste of CPU, inspired by #4065.
- Add CAP support. Currently implemented are: multi-prefix (NAMESX), and
userhost-in-names (UHNAMES). Patch from nenotopia (#4018, #4066)
- Fix issue with CAP & NOSPOOF. Patch from nenolod (#4077).
- Advertise 'tls' (STARTTLS) capability in CAP. Patch from nenolod (#4081).
- New user mode +I (IRCOp only) which hides idle times to other users,
suggested and patch supplied by Nath & binki (#3953).
- Added remove_oper_modes(), which works just like remove_oper_snomasks(),
- Get rid of networks/ directory, and all references to it. Suggested by
katsklaw and others (#4056).
- Added doc/example.es.conf, translated by Severus_Snape.
- Make the accept code check if the fd is within bounds instead of relying
on OpenFiles to be correct.
- Moved nospoof to config file, suggested by and patch from nenolod (#4078).
- Even when 'M' was listed in set::oper-only-stats you could still do a
'/STATS m'. Unlike other stats characters, case insensitivity was not
checked for this one. Reported by and patch from Apocalypse (#4086).
- Added patch from Adam for poll() support (#1245).
update my own fd check code for poll support
- Some more changes and fixes regarding poll patch:
- make c-ares use 100% poll. and make sure we never deal with negative fds.
- UnrealIRCd now supports poll() instead of select().
- Speed optimization: First, moved a large part of vsendto_prefix_one into
vmakebuf_local_withprefix. Then use this new function - which creates the
buffer-to-be-sent - at the top of functions like sendto_channel_butserv
and sendto_common_channels and send the prepared buffer in the loop that
comes after it. This means we only prepare the buffer once and then send
it many times, rather than both building and sending it XYZ times.
Benchmarking connect-join-quit of 10k clients:
100 users per channel: no noticeable speed improvement
1000 users per channel: 18% faster
10000 users in one channel: 50% faster
As you can see, unfortunately, for a typical irc network there isn't much
speed improvement. However, if you have a couple of 500+ user channels or
get attacked by clones then you may see some improvement in speed and/or lower
CPU usage.
- Call m_cap_Init() when m_cap is loaded through commands.so. Reported by nenolod.
- Fix for speed optimization a few lines up, was accidentally using ident
username (which might have been 'unknown') instead of effective username.
- Added support for SASL, patch from nenolod (#4079).
- Fix crash in AUTHENTICATE (SASL commit from an hour or so ago).
- Tweak SASL code to conform to current coding style.
- Split up PROTOCTL line, since with the addition of ESVID we exceeded
MAXPARA when using ZIP links.
- Poll I/O engine: get_client_by_pollfd() may return -1 when there's a race
condition. Don't abort, instead just skip those clients.
- Fix win32 installer: apparently it sometimes complained about not having
- the Visual C++ 2008 redistributable package installed when this was not true.
- Fix Windows build.
- Win32 compile fix (nenolod)
- Print out a warning when we can't write to a log file. When booting this
goes to the boot screen. When we are already booted it's sent to all
IRCOps with a limit of max. 1 message per 5 minutes.
- Refuse to boot when we can't write to any log file.
- Remove old no-stealth configuration directive from documentation,
reported by katsklaw, patch from warg (#4036).
- Added 'away-notify' client capability, which informs the client of any AWAY state changes of users on the same channel. Patch from nenolod (#4097).
- Add support for account-notify client capability (#4098). This capability
can be used to request passive notifications for accountname changes.
- If set::options::dont-resolve is enabled, then use only the IP information
from a WEBIRC message, reported by Ismat (#4103).
- Moved sendto_connectnotice, and thus the call to HOOKTYPE_LOCAL_CONNECT,
so it gets called after the broadcast of NICK to other servers.
- Fix bug caused by new I/O engine (both with and without USE_POLL):
queued data on the receive queue (eg: due to fake lag) was not processed
unless we got new data from the client.
- Add support for server-enforced mode locks (MLOCK).
This allows the IRCd to enforce MLOCKs that are set by services, which
eliminates clashes between users setting modes and services enforcing
it's mlock on channels. (#3055)
- complete the previous patch (MLOCK).. mostly just bringing it up to date & code-style
- Fixed another SASL crash bug. Always use HookAddEx, not HookAdd!
Crash occured after the first quit of a user after a REHASH.
- SASL now needs to be enabled explicitly by setting a set::sasl-server.
- Changed numeric 307 (RPL_WHOISREGNICK) to 'is identified for this nick',
- Win32 installer (SSL): Uncheck 'create certificate' checkbox when
server.cert.pem exists, and check it if the file doesn't exist.
- Win32 installer: Latest InnoSetup no longer supports Windows 95/98,
so update Minversion to make the .iss compile.
- Module coders: added HOOKTYPE_AWAY (sptr, away-reason).
- Add optional oper::require-modes setting to the oper block. (#4008 by katsklaw)
- Clarify that hiddenhost-prefix must be the same on linked servers for
bans to function properly (#4090, patch from warg, reported in #4043
by maxb).
- Add /SILENCE to HTML documentation (reported by Severus_Snape in
#4072, patch from warg).
- Show "Ping timeout: XYZ seconds" instead of just "Ping timeout".
- a bigger scratch buffer makes me sleep at night ;)
- Install server.*.pem files, patch from katsklaw (#3988).
- The ./Config script will now ask whether to generate an SSL
certificate when it does not exist (defaults to Yes), instead of
always generating one.
- Added missing Mod_Header to m_sasl.c
- Remove old reference to networks/ directory from Windows installer
- Disable sending of UHNAMES when HTM (High Traffic Mode) is ON,
- Disable sending of UHNAMES when HTM (High Traffic Mode) is ON,
- Add 'class' option to allow/deny channel so you can allow/deny
users based on their class. Patch from fspijkerman (#4125).
- Use poll() in the remote includes functions when USE_POLL is
defined (#4091).
- Fix bug where recursive includes would hang the IRCd, patch from
binki with some minor modifications, reported by warg (#3919).
- Upgraded to c-ares 1.9.1. Updated configure & other files.
- various win32 fixes:
- Disable USE_POLL on Windows, since it doesn't work with XP and has
no advantage anyway. Reported by nenolod (#4129).
- Various updates to makefile.win32 and .iss file, found during
building new versions of zlib, openssl, and curl.
- Added set::options::disable-cap, which can be used to disable the
new CAP support (#4104).
- Added auth method 'sslclientcertfp' which provides an alternative
method to authenticate users with SSL client certificates based
on SHA256 fingerprints. This can be used instead of the already
existing 'sslclientcert' so you don't have to use an external file.
One way to get the SHA256 fingerprint would be:
openssl x509 -in name-of-pem-file.pem -sha256 -noout -fingerprint
Suggested and patch supplied by Jobe (#4019).
- Added documentation on the new sslclientcertfp
- Moved documentation on authentication types to one place and refer
to it from each section (oper::password, vhost::password,
link::password-receive, etc).
- Windows: fix MOTD file always showing a date of 1/1/1970, reported
by maxarturo (#4102).
- Removed unreal32docs.es.html (outdated since 2006-12-22),
unreal32docs.gr.html (outdated since 2006-12-02), and
unreal32docs.nl.html (outdated since 2009-01-18, possibly 2007-07-12).
- Remove wircd.def, needs to be re-generated almost each build anyway..
- Use our own (v)snprintf if not available.
- Use a more robust method of learning the server origin for a SASL agent.
- Use a more robust method of learning the server origin for a SASL
agent. Fixes crash reported by Adam.
- Import unreal32docs Spanish translation by Karim Benzema.
- In the Mercurial repository the Changes file no longer exists (except
for a dummy file). You now need to run ./createchangelog to generate it.
Of course in official releases the Changes file will be present and
contain all details.
- From now on, the Changes file is based on the history of the Mercurial
repository. This means we no longer have to write text manually to the
Changes file. This simple change helps a lot in future development
because patches will no longer break when they are being ported from
one branch to another.
- Update ./createchangelog to make it only show changes on default branch.
- If you are running the IRCd as root and use IRC_USER/IRC_GROUP then we now
change ownership of the log file to that user/group so it can still write
after the setuid(). Reported by asmadeus (#4152).
- Fix duplicate user@host in away-notify and account-notify, reported by grawity (#4153).
- '/rehash -global' did often not rehash all servers. Reported by Cronus (#4143)
- allow channel: Permit multiple channel items in one block again, was broken by patch from #4125.
- Update the documentation about set::dns::nameserver to reflect reality (that the setting is only used if c-ares can?t read /etc/resolv.conf).
- Don't remove oper-modes such as +S from non-local clients.
- Pull in poll(2) stuff before any other ircd include files. (#4155)
- Windows: Fix strange linking bug. Outgoing connects from a Windows
IRCd caused a garbled SERVER protocol message, causing 'cannot find
server' errors and killing of users. Reported by Sunkat (#4183).
- Custom modules: move EXLIBS= so shared libraries are always linked.
