Bug 1258209 - Update libtorrent to 1.0.6 - Fix DRDoS critical bug
Product: Fedora
Classification: Fedora
Component: rb_libtorrent
All Linux
unspecified Severity urgent
Assigned To: leigh scott
Fedora Extras Quality Assurance
Reported: 2015-08-30 06:08 EDT by Xavier Guillot
Modified: 2015-12-10 09:07 EST
Doc Type: Bug Fix
Last Closed: 2015-12-10 09:07:35 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1490250 None None None Never

Description Xavier Guillot 2015-08-30 06:08:15 EDT

I'm not familiar with Fedora so please excuse me if I don't fill the bug correctly or miss something (duplicate...).

A critical vulnerability has just been patched against DRDoS in the BitTorrent ecosystem, regarding the libtorrent library.

Severity is high and I think it should be updated to the latest version 1.0.6 which has the fix in it, as clients like Deluge or qBittorrent depend on libtorrent.

Here are data on this bug:

Moreover, libtorrent versions 0.14.10, 0.15.10, 0.16.18 are also affected by CVE-2015-5685:

It seems that all current Fedora versions ship libtorrent 0.13.4 but I guess it is concerned, too.

Thanks and best regards,

Xavier Guillot
Comment 1 Conrad Meyer 2015-08-30 11:24:51 EDT
Fortunately for libtorrent, the vulnerability is actually in rb_libtorrent.
Comment 2 Fabio Alessandro Locati 2015-08-30 18:55:00 EDT
I'm pushing version 1.0.6 in all Fedora (21, 22, 23) and EPEL (el7). I'll work to push it to el5 and el6 too very soon, so we should be covered very soon. You can follow the single packages as they reach the stable repository:

Thanks a lot for the information
Comment 3 Fabio Alessandro Locati 2015-12-10 09:07:35 EST
Sorry, forgot to close even though it was fixed quite a while ago.
