This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1258209 - Update libtorrent to 1.0.6 - Fix DRDoS critical bug
Update libtorrent to 1.0.6 - Fix DRDoS critical bug
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: rb_libtorrent (Show other bugs)
rawhide
All Linux
unspecified Severity urgent
: ---
: ---
Assigned To: leigh scott
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-30 06:08 EDT by Xavier Guillot
Modified: 2015-12-10 09:07 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-10 09:07:35 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1490250 None None None Never

  None (edit)
Description Xavier Guillot 2015-08-30 06:08:15 EDT
Hi,

I'm not familiar with Fedora so please excuse me if I don't fill the bug correctly or miss something (duplicate...).

A critical vulnerability has just been patched against DRDoS in the BitTorrent ecosystem, regarding libtorrent library.

Severity is high and I think it should be updated to the latest version 1.0.6 which has the fix in it, as clients like Deluge or qBitTorrent depend from libtorrent.

Here are data on this bug:
http://blog.bittorrent.com/2015/08/27/mitigating-drdos-vulnerability-in-the-bittorrent-ecosystem/
https://github.com/arvidn/libtorrent/commit/677e64275405a3a2fd9017c8b4c51f9cc5e0a2e1
http://www.researchgate.net/publication/280878634_P2P_File-Sharing_in_Hell_Exploiting_BitTorrent_Vulnerabilities_to_Launch_Distributed_Reflective_DoS_Attacks

Moreover, libtorrent version 0.14.10, 0.15.10, 0.16.18 are also affected by CVE-2015-5685:
https://security-tracker.debian.org/tracker/CVE-2015-5685

It seems that all current Fedora versions ship libtorrent 0.13.4 but I guess it is concerned, too.
https://apps.fedoraproject.org/packages/libtorrent/overview/

Thanks and best regards,

Xavier Guillot
Comment 1 Conrad Meyer 2015-08-30 11:24:51 EDT
Fortunately for libtorrent, the vulnerability is actually in rb_libtorrent.
Comment 2 Fabio Alessandro Locati 2015-08-30 18:55:00 EDT
Hi,
I'm pushing version 1.0.6 in all Fedora (21,22,23) and EPEL (el7). I'll work to push it to el5 and el6 too very soon, so we should be covered very soon. You can follow the single packages as they reach the stable repository: https://bodhi.fedoraproject.org/updates/?packages=rb_libtorrent.

Thanks a lot for the information
Comment 3 Fabio Alessandro Locati 2015-12-10 09:07:35 EST
Sorry, forgot to close even if it has been fixed quite a while ago

Note You need to log in before you can comment on or make changes to this bug.