Bug 1258209

Summary: Update libtorrent to 1.0.6 - Fix DRDoS critical bug
Product: [Fedora] Fedora Reporter: Xavier Guillot <Valeryan_24>
Component: rb_libtorrentAssignee: leigh scott <leigh123linux>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: rawhideCC: cse.cem+redhatbugz, fale, leigh123linux, sanjay.ankur
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-10 14:07:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Xavier Guillot 2015-08-30 10:08:15 UTC 
Hi,

I'm not familiar with Fedora so please excuse me if I don't fill the bug correctly or miss something (duplicate...).

A critical vulnerability has just been patched against DRDoS in the BitTorrent ecosystem, regarding libtorrent library.

Severity is high and I think it should be updated to the latest version 1.0.6 which has the fix in it, as clients like Deluge or qBitTorrent depend from libtorrent.

Here are data on this bug:
http://blog.bittorrent.com/2015/08/27/mitigating-drdos-vulnerability-in-the-bittorrent-ecosystem/
https://github.com/arvidn/libtorrent/commit/677e64275405a3a2fd9017c8b4c51f9cc5e0a2e1
http://www.researchgate.net/publication/280878634_P2P_File-Sharing_in_Hell_Exploiting_BitTorrent_Vulnerabilities_to_Launch_Distributed_Reflective_DoS_Attacks

Moreover, libtorrent version 0.14.10, 0.15.10, 0.16.18 are also affected by CVE-2015-5685:
https://security-tracker.debian.org/tracker/CVE-2015-5685

It seems that all current Fedora versions ship libtorrent 0.13.4 but I guess it is concerned, too.
https://apps.fedoraproject.org/packages/libtorrent/overview/

Thanks and best regards,

Xavier Guillot
Comment 1 Conrad Meyer 2015-08-30 15:24:51 UTC 
Fortunately for libtorrent, the vulnerability is actually in rb_libtorrent.
Comment 2 Fabio Alessandro Locati 2015-08-30 22:55:00 UTC 
Hi,
I'm pushing version 1.0.6 in all Fedora (21,22,23) and EPEL (el7). I'll work to push it to el5 and el6 too very soon, so we should be covered very soon. You can follow the single packages as they reach the stable repository: https://bodhi.fedoraproject.org/updates/?packages=rb_libtorrent.

Thanks a lot for the information
Comment 3 Fabio Alessandro Locati 2015-12-10 14:07:35 UTC 
Sorry, forgot to close even if it has been fixed quite a while ago