** Description changed:

  Hi,
  
  Sorry to create deliberately a duplicate, but even if original bug was
  assigned I'm not sure who receive all the updates and I can't modify the
  existing one to declare it as security concerned, now:
  
  https://bugs.launchpad.net/bugs/1485365
  
  A critical vulnerability has just been patched against DRDoS in the
  BitTorrent ecosystem, regarding libtorrent-rasterbar library.
  
  As Debian package has already been updated in experimental:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785676
  
  I guess it should be easy now for Ubuntu to make version 1.0.6 with the
  fix available for all distributions, as clients such Deluge and
  qBitTorrent depend from libtorrent-rasterbar.
  
  Transmission seems not concerned:
  https://trac.transmissionbt.com/ticket/5984
  
  And Vuze is working on it, package will have to be updated short after
  their next release: http://forum.vuze.com/Thread-Update-Vuze-with-
  libuTP-patch-to-correct-bug-allowing-DRDoS-attacks
  
  Here are data on this bug:
  
http://blog.bittorrent.com/2015/08/27/mitigating-drdos-vulnerability-in-the-bittorrent-ecosystem/
  
https://github.com/arvidn/libtorrent/commit/677e64275405a3a2fd9017c8b4c51f9cc5e0a2e1
  
http://www.researchgate.net/publication/280878634_P2P_File-Sharing_in_Hell_Exploiting_BitTorrent_Vulnerabilities_to_Launch_Distributed_Reflective_DoS_Attacks
  
+ Moreover, libtorrent-rasterbar version 0.15.10 (present in Ubuntu Precise and 
Debian wheezy), 0.16.18 (Ubuntu Vivid, Debian sid, jessie)... are also affected 
by CVE-2015-5685:
+ https://security-tracker.debian.org/tracker/CVE-2015-5685
+ 
  Thanks and best regards,
  
  Xavier Guillot

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1490250

Title:
  Update libtorrent-rasterbar to 1.0.6 - Fix DRDoS critical bug

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libtorrent-rasterbar/+bug/1490250/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
