The default git branch has been renamed from "master" to "main" in the following repositories:

• https://github.com/weechat/weechat
• https://github.com/weechat/weechat.org
• https://github.com/weechat/scripts
• https://github.com/weechat/weechat-relay
• https://github.com/weechat/weercd
• https://github.com/weechat/qweechat.

Version 4.4.2 is available, see bugs fixed in the ChangeLog v4.4.2.

Version 4.4.0 is available, see new features and bugs fixed in the ChangeLog.

Version 4.3.5 is available, see bugs fixed in the ChangeLog v4.3.5.

Version 4.3.3 is available, see bugs fixed in the ChangeLog v4.3.3.

Versions 4.2.3 and 4.3.1 are available, see bugs fixed in the ChangeLog v4.2.3 and ChangeLog v4.3.1.

A brand new relay called "api" has been devleopped since 6 months : it's an HTTP REST API, which should in long term replace completey the "weechat" protocol.

The "api" relay provides the following key features:

• easy client implementation: HTTP REST API, JSON input/output, use of ANSI color codes
• automatic compression of responses (deflate, gzip, zstd and permessage-deflate for websocket)
• data synchronization: real-time sync with websocket or polling with HTTP requests
• no internal structures exposed: no use of pointers & complex structures like hdata
• WeeChat itself can connect to another WeeChat using this protocol (also known as relay "remote")

Documentation: Relay API.

The new /remote command lets you connect to the "api" relay of another running WeeChat (it must expose the same API version).

To connect to a remote WeeChat, just add a relay on the remote (for TLS, which is recommended, replace api by tls.api):

/set relay.network.password "secr3t"
/relay add api 9000

On the client, supposing it's running on the same machine:

/remote add test http://localhost:9000 -password=secr3t
/remote connect test

Then all buffers of remote WeeChat are opened locally by relay and any text or command sent on these buffers are sent and executed on the remote WeeChat.

Input is also synchronized (from remote to local WeeChat only), so that remote buffers like /fset can be used locally, including keys like Alt+Enter to set input with a command to execute.
Only the local buffer mouse actions are not yet supported (ie you can not scroll the fset buffer with mouse).

Version 4.2.1 is available, see bugs fixed in the ChangeLog v4.2.1.

Versions 4.0.8 and 4.1.3 are available, see bugs fixed in the ChangeLog v4.0.8 and ChangeLog v4.1.3.

Versions 4.0.6 and 4.1.1 are available, see bugs fixed in the ChangeLog v4.0.6 and ChangeLog v4.1.1.

Version 4.0.5 is available, see new features and bugs fixed in the ChangeLog.

Version 4.0.3 is available, it fixes the following bugs:

• fix input length and crash after delete of line
• fix display of self IRC CTCP message containing bold attribute
• fix memory leak in IRC message parser
• fix switch to IRC channel manually joined when server option autojoin_dynamic is on and option irc.look.buffer_switch_autojoin is off
• fix display of outgoing IRC notice with channel when capability "echo-message" is enabled
• fix display of IRC CTCP messages received from relay client
• display a warning in build of docs if a locale is missing with fallback to English for auto-generated content

Version 4.0.1 is available, it fixes the following bugs:

• force key "return" to command "/input return" when migrating legacy keys
• display actual key name and command with Alt+k, remove key Alt+K (grab raw key) and associated commands /input grab_raw_key and /input grab_raw_key_command
• check for newline characters in string_is_whitespace_char
• do not convert option name to lower case in API functions config_set_plugin and config_set_desc_plugin
• fix crash on quit with Guile < 3
• reply to a IRC CTCP request sent to self nick
• sent "QUIT" message to IRC servers connected with TLS on /upgrade

Version 4.0.0 is available!

WeeChat now follows a practical semantic versioning and there are breaking changes in this release, please read carefully the release notes.

See ChangeLog for the complete list of new features and bug fixes.

New major features in this release:

• use human readable key bindings
• use 256 colors by default
• make many identifiers case sensitive, rename default aliases to lower case
• display similar command names when a command is unknown
• add item "mouse_status" in default status bar
• rename SSL options to TLS, connect by default with TLS to IRC servers
• improve multiline support, add multiline support in IRC and Relay plugins
• add support of new IRC capabilities: draft/multiline, batch, echo-message (in Relay plugin as well)
• add support of LINELEN and UTF8ONLY in IRC plugin
• add IRC commands /action, /rules, /knock
• display IRC STATUSMSG actions differently from standard actions on channels
• add option "join" in command /autojoin
• add server option "registered_mode", add fields "authentication_method" and "sasl_mechanism_used" in server
• add "${username}" in server options "nicks" and "username", change their default values to use it
• add infos "irc_server_cap" and "irc_server_cap_value"
• add option irc.look.display_host_notice
• add modifier "irc_cap_sync_req"
• add relative move of read marker with /buffer set unread +/-N
• add command /reset
• add option "rename" in command /bar
• add option "split_return" in command /input
• add option "missing" in command /alias
• add $& to replace all arguments with double quotes escaped in aliases
• add options weechat.color.chat_status_disabled and weechat.color.chat_status_enabled, remove options trigger.color.trigger and trigger.color.trigger_disabled
• improve display of color options in fset buffer, add options fset.color.color_name and fset.color.color_name_selected
• add option logger.file.log_conditions
• add info "logger_log_file"
• add modifiers "relay_client_irc_in", "relay_client_irc_out1" and "relay_client_irc_out" in relay irc protocol
• add handshake option "escape_commands" in relay weechat protocol
• add API function config_set_version
• many bugs fixed.

Removed in this release:

• build with autotools (CMake now required)
• RPM packaging
• cpack config

New commands:

• /action
• /knock
• /reset
• /rules

New options:

• fset.color.color_name
• fset.color.color_name_selected
• irc.look.display_host_notice
• irc.server_default.registered_mode
• logger.file.log_conditions
• weechat.look.input_multiline_lead_linebreak
• weechat.color.chat_status_enabled
• weechat.color.chat_status_disabled
• weechat.look.paste_auto_add_newline
• weechat.color.status_name_insecure

Options changed:

• option irc.server_default.ssl renamed to irc.server_default.tls
• option irc.server_default.ssl_cert renamed to irc.server_default.tls_cert
• option irc.server_default.ssl_dhkey_size renamed to irc.server_default.tls_dhkey_size
• option irc.server_default.ssl_fingerprint renamed to irc.server_default.tls_fingerprint
• option irc.server_default.ssl_password renamed to irc.server_default.tls_password
• option irc.server_default.ssl_priorities renamed to irc.server_default.tls_priorities
• option irc.server_default.ssl_verify renamed to irc.server_default.tls_verify
• option relay.network.ssl_cert_key renamed to relay.network.tls_cert_key
• option relay.network.ssl_priorities renamed to relay.network.tls_priorities
• option weechat.color.status_name_ssl renamed to weechat.color.status_name_tls

Options removed:

• trigger.color.trigger
• trigger.color.trigger_disabled

New keys:

• Alt+K (upper case): grab raw key and its command
• In cursor mode:
  • letter "l" (lower case): quote focused line

Major changes are coming in the next WeeChat version, bumped to 4.0.0 (instead of 3.9, as planned initially).

Some breaking changes:

1. key bindings improvements: using names instead of raw codes (eg: meta-left instead of meta2-1;3D)
2. many identifiers have been made case sensitive, including commands, aliases and options
3. build with autotools has been removed, only CMake can now be used to compile WeeChat.

There are other changes, see the ChangeLog.
Note that this version is under development and your feedback is welcome!
Please read carefully the release notes if you're testing it: Release Notes.

Cherry on the cake: WeeChat is now following a "practical" semantic versioning, a less strict version of https://semver.org/.

For more information on all major/breaking changes, see the specifications: https://specs.weechat.org/

This blog is now following automatically your desktop / browser theme, by using light theme and a new dark theme.

Version 3.7 is available!

As usual, many new features and bug fixes, see ChangeLog for detail.

New major features in this release:

• add option "-save" in command "/upgrade"
• add option weechat.look.highlight_disable_regex and buffer property "highlight_disable_regex"
• sort filters by name
• add key Alt+Backspace to delete previous word, change key Ctrl+w to delete previous word until whitespace
• rename API function string_build_with_split_string to string_rebuild_split_string, add arguments "index_start" and "index_end"
• add info "uptime_current"
• add API function crypto_hash_file
• add support of priority in API function hook_line
• add API function string_parse_size
• add API function file_compress
• add buflist variable "${hotlist_priority_number}" (integer version of "${hotlist_priority}")
• display SETNAME command in IRC channels and private buffers, add options irc.color.message_setname and irc.look.smart_filter_setname
• add option irc.look.display_pv_nick_change
• add options to rotate and compress log files: logger.file.rotation_compression_level, logger.file.rotation_compression_type and logger.file.rotation_size_max
• allow special dict value "-" to disable spell checking on a specific buffer
• add elapsed time for trigger execution on monitor buffer when trigger debug is set, add option trigger.color.identifier
• add trigger variable "${tg_hook_type}"
• many bugs fixed.

New keys:

• Alt+Backspace: delete previous word (Ctrl+w: delete previous word until whitespace)

Version 3.5 is available!

As usual, many new features and bug fixes, see ChangeLog for detail.

New major features in this release:

• search in message tags when tags are displayed with "/debug tags"
• add support of date and tags in messages displayed in buffers with free content, add function printf_y_date_tags
• add IRC command /autojoin, add IRC server option "autojoin_dynamic"
• add IRC message tags in messages displayed
• add "zstd" (Zstandard) compression in relay weechat protocol, remove option "compression" from "init" command, rename option relay.network.compression_level to relay.network.compression
• add trigger variables "${tg_tag_irc_xxx}" containing IRC message tags
• many bugs fixed.

One thing is sure, we're not kidding with the security vulnerabilities, and our goal is to be completely transparent with the users about the issues as soon as they are public (ie with a new version, a fix/patch or at least a workaround available).

In this context, the security page has been redesigned from scratch, it is more user-friendly and a lot of new information has been added about each vulnerability.

The URL is unchanged: https://weechat.org/doc/security/.

Among the new information:

• A "WSA" identifier (WeeChat Security Advisory), which is unique by vulnerability, and built like this: WSA-YEAR-ID (YEAR on 4 digits, and the ID starts to 1 for the first vulnerability of this year, 2 for the second, etc.).
• The CVSS vector, score and severity, for more information:
  • FIRST - CVSS v3.1 specification: https://www.first.org/cvss/specification-document
  • NVD - CVSS v3 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
• The vulnerability type, also known as CWE (Common Weakness Enumeration), for more information: https://cwe.mitre.org/
• The short description of the issue.
• The scope: which part of WeeChat is affected: it can be one or multiple plugins or features.
• More detailed information about the mitigation for the issue.
• The credit: who found the issue and reported it to WeeChat security team (displayed only with the agreement of the reporter).

Important: due to the way the CVSS vector, score and severity are computed, the severity level previously displayed has changed for some vulnerabilities and is now higher:

• WSA-2021-1 (Crash on malformed websocket frame in relay plugin): medium -> high (score: 7.5)
• WSA-2020-3 (Buffer overflow on new IRC message 005 with nick prefixes): low -> high (score: 7.5)
• WSA-2020-2 (Crash on malformed IRC message 352 (WHO)): low -> high (score: 7.5)
• WSA-2020-1 (Buffer overflow on malformed IRC message 324 (channel mode)): low -> high (score: 7.5)
• WSA-2013-3 (Crash on IRC commands sent via Relay): medium -> high (score: 7.5)
• WSA-2013-2 (Crash on send of unknown commands to IRC server): low -> medium (score: 5.5)
• WSA-2013-1 (Crash on nicks monitored with /notify): low -> medium (score: 5.5)
• WSA-2006-1 (Crash in API function infobar_printf): low -> medium (score: 6.2)
• WSA-2004-1 (Buffer overflows in build of strings): low -> medium (score: 6.2)

The page is now separated into two parts: the overview with only part of the info, and detail of each vulnerability below.

The overview shows synthesized data (click for full size):

Below this, the detail of each vulnerability is displayed, for example this detail about the latest security vulnerability, fixed in version 3.2.1 (September 2021):

For convenience, a list of vulnerabilities by WeeChat version is also available:

For the record and reference (especially old severities), the previous security page was:

Version 3.4 is available!

As usual, many new features and bug fixes, see ChangeLog for detail.

New major features in this release:

• improve the IRC message parser
• add command /toggle
• add user variables in evaluation of expressions with "define:name,value"
• add support of static arrays in hdata
• hide key and password in command "/msg nickserv setpass nick key password"
• add dark theme in documentation (automatic theme, following browser/desktop settings)
• add support of Ruby 3.0
• many bugs fixed.

A brand new dark theme has been added on WeeChat.org!

The use of this dark theme is automatic (following your desktop/browser configuration).
It can be forced by a new link displayed at the bottom of any page: "Theme: auto (dark, light)".

New dark theme (click for full size):

The light theme:

Hope you like this new eye-friendly dark theme!

Version 3.2.1 is available, it fixes a security vulnerability: a malformed websocket frame received in relay plugin can cause a crash (CVE-2021-40516).

Upgrade is recommended for all users.

IRC SASL SCRAM authentication has been added in WeeChat 3.2, with 3 new mechanisms:

• scram-sha-1: SASL SCRAM with SHA-1 digest algorithm,
• scram-sha-256: SASL SCRAM with SHA-256 digest algorithm,
• scram-sha-512: SASL SCRAM with SHA-512 digest algorithm.

References:

• Support of SASL mechanisms in IRC clients: https://ircv3.net/docs/sasl-mechs
• RFC 7677 (SCRAM-SHA-256 and SCRAM-SHA-256-PLUS): https://datatracker.ietf.org/doc/ht...

Due to the recent events affecting freenode (see references below), the WeeChat official and unofficial channels have moved from freenode to libera.chat:

• official channels: #weechat, #weechat-fr
• non-official channels: #weechat-de, #weechat-fi
• off-topic channel: #weechat-offtopic

To add a new libera server and connect to it, joining only the English support channel:

/server add libera irc.libera.chat/6697 -ssl -autojoin=#weechat
/connect libera

To join the French channel as well:

/server add libera irc.libera.chat/6697 -ssl -autojoin=#weechat,#weechat-fr
/connect libera

If all your freenode channels have moved to libera, you can also rename the server and change the address:

/disconnect freenode
/server rename freenode libera
/set irc.server.libera.addresses "irc.libera.chat/6697"
/set irc.server.libera.ssl on
/connect libera

See you soon on libera!

References:

• https://arstechnica.com/gadgets/202...
• https://hackaday.com/2021/05/20/fre...
• https://www.kline.sh/

You've sent your password to the wrong window (ie: WeeChat), and it is now public, viewed by 1,500 people?
For now, you have to change your password.

For the future, a new script is now available: anti_password.py.

How does it work?

When you press Enter to send text to a buffer, the script detects if the input is a password, in two ways:

1. If the input matches a condition: number of words, lower/upper/digit/special chars.
2. If a secured data value is in the input (reminder: secured data is the recommended way to store all your passwords in WeeChat) (requires WeeChat ≥ 3.1).

If a password is detected, the text is not sent to the buffer (3 times with the default config).

Note: the WeeChat commands (ie /xxx) are ignored and are always sent.

Options

There are 4 options to configure the script (see /fset anti_password for a list of options with help):

• allowed_regex: allowed regular expression (checked first)
• password_condition: the condition used to detect a password
• check_secured_data: whether the script checks for secured data (disabled, input equals secured data or secured data included in input)
• max_rejects: the number of times the same input is rejected; after this number, the input is finally sent to the buffer.

Keep your passwords safe!

Updated on 2021-03-13: added option allowed_regex.