Bug 1258209 - Update libtorrent to 1.0.6 - Fix DRDoS critical bug
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: rb_libtorrent
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: leigh scott
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-30 10:08 UTC by Xavier Guillot
Modified: 2015-12-10 14:07 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-12-10 14:07:35 UTC
Type: Bug
Embargoed:




Links
System     ID       Private  Priority  Status  Summary  Last Updated
Launchpad  1490250  0        None      None    None     Never

Description Xavier Guillot 2015-08-30 10:08:15 UTC
Hi,

I'm not familiar with Fedora so please excuse me if I don't fill the bug correctly or miss something (duplicate...).

A critical vulnerability has just been patched against DRDoS in the BitTorrent ecosystem, regarding libtorrent library.

Severity is high and I think it should be updated to the latest version 1.0.6 which has the fix in it, as clients like Deluge or qBittorrent depend on libtorrent.

Here are data on this bug:
http://blog.bittorrent.com/2015/08/27/mitigating-drdos-vulnerability-in-the-bittorrent-ecosystem/
https://github.com/arvidn/libtorrent/commit/677e64275405a3a2fd9017c8b4c51f9cc5e0a2e1
http://www.researchgate.net/publication/280878634_P2P_File-Sharing_in_Hell_Exploiting_BitTorrent_Vulnerabilities_to_Launch_Distributed_Reflective_DoS_Attacks

Moreover, libtorrent versions 0.14.10, 0.15.10 and 0.16.18 are also affected by CVE-2015-5685:
https://security-tracker.debian.org/tracker/CVE-2015-5685

It seems that all current Fedora versions ship libtorrent 0.13.4, but I guess it is affected, too.
https://apps.fedoraproject.org/packages/libtorrent/overview/

Thanks and best regards,

Xavier Guillot

Comment 1 Conrad Meyer 2015-08-30 15:24:51 UTC
Fortunately for libtorrent, the vulnerability is actually in rb_libtorrent.

Comment 2 Fabio Alessandro Locati 2015-08-30 22:55:00 UTC
Hi,
I'm pushing version 1.0.6 in all Fedora (21,22,23) and EPEL (el7). I'll work to push it to el5 and el6 too very soon, so we should be covered very soon. You can follow the single packages as they reach the stable repository: https://bodhi.fedoraproject.org/updates/?packages=rb_libtorrent.

Thanks a lot for the information

Comment 3 Fabio Alessandro Locati 2015-12-10 14:07:35 UTC
Sorry, forgot to close this even though it was fixed quite a while ago.
