Red Hat Bugzilla – Bug 1258209
Update libtorrent to 1.0.6 - Fix DRDoS critical bug
Last modified: 2015-12-10 09:07:35 EST
I'm not familiar with Fedora so please excuse me if I don't fill the bug correctly or miss something (duplicate...).
A critical vulnerability has just been patched against DRDoS in the BitTorrent ecosystem, regarding the libtorrent library.
Severity is high and I think it should be updated to the latest version 1.0.6, which has the fix in it, as clients like Deluge or qBittorrent depend on libtorrent.
Here are data on this bug:
Moreover, libtorrent versions 0.14.10, 0.15.10, 0.16.18 are also affected by CVE-2015-5685:
It seems that all current Fedora versions ship libtorrent 0.13.4 but I guess it is concerned, too.
Thanks and best regards,
Fortunately for libtorrent, the vulnerability is actually in rb_libtorrent.
I'm pushing version 1.0.6 in all Fedora (21,22,23) and EPEL (el7). I'll work to push it to el5 and el6 too very soon, so we should be covered very soon. You can follow the single packages as they reach the stable repository: https://bodhi.fedoraproject.org/updates/?packages=rb_libtorrent.
Thanks a lot for the information
Sorry, forgot to close even if it has been fixed quite a while ago