2015-08-30 09:02:25 |
Xavier Guillot |
bug |
|
|
added bug |
2015-08-30 09:04:15 |
Xavier Guillot |
information type |
Private Security |
Public Security |
|
2015-08-30 09:05:23 |
Launchpad Janitor |
libtorrent-rasterbar (Ubuntu): status |
New |
Confirmed |
|
2015-08-30 09:49:54 |
Xavier Guillot |
description |
Hi,
Sorry to deliberately create a duplicate, but even if the original bug was assigned I'm not sure who receives all the updates, and I can't modify the existing one to declare it as a security concern now:
https://bugs.launchpad.net/bugs/1485365
A critical vulnerability has just been patched against DRDoS in the BitTorrent ecosystem, regarding the libtorrent-rasterbar library.
As the Debian package has already been updated in experimental: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785676
I guess it should be easy now for Ubuntu to make version 1.0.6 with the fix available for all distributions, as clients such as Deluge and qBitTorrent depend on libtorrent-rasterbar.
Transmission does not seem to be concerned: https://trac.transmissionbt.com/ticket/5984
And Vuze is working on it; the package will have to be updated shortly after their next release: http://forum.vuze.com/Thread-Update-Vuze-with-libuTP-patch-to-correct-bug-allowing-DRDoS-attacks
Here are data on this bug:
http://blog.bittorrent.com/2015/08/27/mitigating-drdos-vulnerability-in-the-bittorrent-ecosystem/
https://github.com/arvidn/libtorrent/commit/677e64275405a3a2fd9017c8b4c51f9cc5e0a2e1
http://www.researchgate.net/publication/280878634_P2P_File-Sharing_in_Hell_Exploiting_BitTorrent_Vulnerabilities_to_Launch_Distributed_Reflective_DoS_Attacks
Thanks and best regards,
Xavier Guillot |
Hi,
Sorry to deliberately create a duplicate, but even if the original bug was assigned I'm not sure who receives all the updates, and I can't modify the existing one to declare it as a security concern now:
https://bugs.launchpad.net/bugs/1485365
A critical vulnerability has just been patched against DRDoS in the BitTorrent ecosystem, regarding the libtorrent-rasterbar library.
As the Debian package has already been updated in experimental: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785676
I guess it should be easy now for Ubuntu to make version 1.0.6 with the fix available for all distributions, as clients such as Deluge and qBitTorrent depend on libtorrent-rasterbar.
Transmission does not seem to be concerned: https://trac.transmissionbt.com/ticket/5984
And Vuze is working on it; the package will have to be updated shortly after their next release: http://forum.vuze.com/Thread-Update-Vuze-with-libuTP-patch-to-correct-bug-allowing-DRDoS-attacks
Here are data on this bug:
http://blog.bittorrent.com/2015/08/27/mitigating-drdos-vulnerability-in-the-bittorrent-ecosystem/
https://github.com/arvidn/libtorrent/commit/677e64275405a3a2fd9017c8b4c51f9cc5e0a2e1
http://www.researchgate.net/publication/280878634_P2P_File-Sharing_in_Hell_Exploiting_BitTorrent_Vulnerabilities_to_Launch_Distributed_Reflective_DoS_Attacks
Moreover, libtorrent-rasterbar version 0.15.10 (present in Ubuntu Precise and Debian wheezy), 0.16.18 (Ubuntu Vivid, Debian sid, jessie)... are also affected by CVE-2015-5685:
https://security-tracker.debian.org/tracker/CVE-2015-5685
Thanks and best regards,
Xavier Guillot |
|
2015-08-30 14:26:48 |
Andrew Starr-Bochicchio |
nominated for series |
|
Ubuntu Vivid |
|
2015-08-30 14:26:48 |
Andrew Starr-Bochicchio |
bug task added |
|
libtorrent-rasterbar (Ubuntu Vivid) |
|
2015-08-30 14:26:48 |
Andrew Starr-Bochicchio |
nominated for series |
|
Ubuntu Precise |
|
2015-08-30 14:26:48 |
Andrew Starr-Bochicchio |
bug task added |
|
libtorrent-rasterbar (Ubuntu Precise) |
|
2015-08-30 14:26:48 |
Andrew Starr-Bochicchio |
nominated for series |
|
Ubuntu Trusty |
|
2015-08-30 14:26:48 |
Andrew Starr-Bochicchio |
bug task added |
|
libtorrent-rasterbar (Ubuntu Trusty) |
|
2015-08-30 14:26:58 |
Andrew Starr-Bochicchio |
libtorrent-rasterbar (Ubuntu): status |
Confirmed |
In Progress |
|
2015-08-30 14:27:02 |
Andrew Starr-Bochicchio |
libtorrent-rasterbar (Ubuntu): assignee |
|
Andrew Starr-Bochicchio (andrewsomething) |
|
2015-08-31 20:20:13 |
Seth Arnold |
libtorrent-rasterbar (Ubuntu): status |
In Progress |
Incomplete |
|
2015-08-31 20:20:15 |
Seth Arnold |
libtorrent-rasterbar (Ubuntu Precise): status |
New |
Incomplete |
|
2015-08-31 20:20:16 |
Seth Arnold |
libtorrent-rasterbar (Ubuntu Trusty): status |
New |
Incomplete |
|
2015-08-31 20:20:18 |
Seth Arnold |
libtorrent-rasterbar (Ubuntu Vivid): status |
New |
Incomplete |
|
2015-08-31 20:20:35 |
Seth Arnold |
libtorrent-rasterbar (Ubuntu): status |
Incomplete |
In Progress |
|
2015-09-01 02:13:47 |
Andrew Starr-Bochicchio |
libtorrent-rasterbar (Ubuntu): status |
In Progress |
Fix Released |
|
2015-09-04 15:09:44 |
Nick B. |
bug |
|
|
added subscriber Nick B. |
2021-10-14 02:20:43 |
Steve Langasek |
libtorrent-rasterbar (Ubuntu Precise): status |
Incomplete |
Won't Fix |
|