UPnP should be turned off by default on focal & jammy
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
qbittorrent (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
I wanted to suggest disabling UPnP by default in the focal and jammy versions, since they're still under security maintenance. This setting was allowing attackers to run arbitrary executables via qbittorrent under the default settings and was fixed in 4.6.x and backported to 4.5.x. But focal and jammy are still using older versions.
Here's the Github issue: https:/
These versions are still affected shown here: https:/
Fix: https:/
The fix is just removing the preprocessor ifs so it's always default to UPnP disabled. I believe you can just cherry pick this commit but I have no idea how the Ubuntu repo tracks the Github repo.
--
I am suggesting this because at least one person is still using an older LTS (presumably) and was directly affected by this: https:/
NOTE that this affects packages qbittorrent and qbittorrent-nox
Just realized that I might've mistaken the release timelines. Both Focal and Jammy seem to be vulnerable and are in extended support and _not_ security maintenance. I assume the older LTS versions in security maintenance will also be unpatched.
In any case, the fix should get backported since some folks are inadvertently exposing themselves to a major security risk.