openSUSE Security Update: Security update for libtorrent-rasterbar, qbittorrent
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0391-1
Rating:             moderate
References:         #1217677 
Cross-References:   CVE-2023-30801
CVSS scores:
                    CVE-2023-30801 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP4
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libtorrent-rasterbar, qbittorrent fixes the following
   issues:

   Changes in libtorrent-rasterbar:

   - Update to version 2.0.9

     * fix issue with web seed connections when they close and re-open
     * fallocate() not supported is not a fatal error
     * fix proxying of IPv6 connections via IPv4 proxy
     * treat CGNAT address range as local IPs
     * add stricter checking of piece layers when loading torrents
     * add stricter checking of v1 and v2 hashes being consistent
     * cache failed DNS lookups as well as successful ones
     * add an i2p torrent state to control interactions with clear swarms
     * fix i2p SAM protocol parsing of quoted messages
     * expose i2p peer destination in peer_info
     * fix i2p tracker announces
     * fix issue with read_piece() stopping torrent on pieces not yet
       downloaded
     * improve handling of allow_i2p_mixed setting to work for magnet links
     * fix web seed request for renamed single-file torrents
     * fix issue where web seeds could disappear from resume data
     * extend save_resume with additional conditional flags
     * fix issue with retrying trackers in tiers > 0
     * fix last_upload and last_download resume data fields to use posix time
     * improve error messages for no_connect_privileged_ports, by untangle it
       from the port filter
     * fix I2P issue introduced in 2.0.0
     * add async tracker status query, post_trackers()
     * add async torrent status query, post_status()
     * support loading version 2 of resume data format
     * fix issue with odd piece sizes
     * add async piece availability query, post_piece_availability()
     * add async download queue query, post_download_queue()
     * add async file_progress query, post_file_progress()
     * add async peer_info query, post_peer_info()

   - Update to version 2.0.8

     * fix uTP streams timing out instead of closing cleanly
     * add write_torrent_file_buf() overload for generating .torrent files
     * add create_torrent::generate_buf() function to generate into a buffer
     * fix copy_file when the file ends with a sparse region
     * uTP performance, fix packet loss when sending is stalled
     * fix trackers being stuck after session pause/resume
     * fix bug in hash_picker with empty files
     * uTP performance, prevent premature timeouts/resends
     * add option to not memory map files below a certain size
     * settings_pack now returns default values when queried for missing
       settings
     * fix copy_file fall-back when SEEK_HOL/SEEK_DATA is not supported
     * improve error reporting from file copy and move
     * tweak pad file placement to match reference implementation
       (tail-padding)
     * uTP performance, more lenient nagle's algorithm to always allow one
       outstanding undersized packet
     * uTP performance, piggy-back held back undersized packet with ACKs
     * uTP performance, don't send redundant deferred ACKs
     * support incoming SOCKS5 packets with hostnames as source address, for
       UDP trackers
     * ignore duplicate network interface change notifications on linux
     * fix total_want/want accounting when forcing a recheck
     * fix merging metadata with magnet links added on top of existing
       torrents
     * add torrent_flag to default all file priorities to dont_download
     * fix &so= feature in magnet links
     * improve compatibility of SOCKS5 UDP ASSOCIATE
     * fix madvise range for flushing cache in mmap_storage
     * open files with no_cache set in O_SYNC mode

   - Update to version 2.0.7

     * fix issue in use of copy_file_range()
     * avoid open-file race in the file_view_pool
     * fix issue where stop-when-ready would not close files
     * fix issue with duplicate hybrid torrent via separate v1 and v2 magnet
       links
     * added new function to load torrent files, load_torrent_*()
     * support sync_file_range()
     * fix issue in write_torrent_file() when file size is exactly piece size
     * fix file_num_blocks() and file_num_pieces() for empty files
     * add new overload to make_magnet_uri()
     * add missing protocol version to tracker_reply_alert and
       tracker_error_alert
     * fix privilege issue with SetFileValidData()
     * add asynchronous overload of torrent_handle::add_piece()
     * default to a single hashing thread, for full checks
     * Fix bug when checking files and the first piece is invalid

   Changes in qbittorrent, qbittorrent:

   - Update to version 4.6.2

     Bug fixes:

     * Do not apply share limit if the previous one was applied
     * Show Add new torrent dialog on main window screen

     Web UI:

     * Fix JS memory leak
     * Disable stdout buffering for qbt-nox

     Wayland:

     * Fix parent widget of "Lock qBittorrent" submenu

   - Also fixes boo#1217677 (CVE-2023-30801, upstream reference
     gh#qbittorrent/qBittorrent#19738)

   - Update to version 4.6.1

     New features:

     * Add option to enable previous Add new torrent dialog behavior

     Fixed bugs:

     * Prevent crash due to race condition when adding magnet link
     * Fix Enter key behavior when add new torrent
     * Add missing main window icon
     * Update size of selected files when selection is changed
     * Correctly handle changing save path of torrent w/o metadata
     * Use appropriate icon for "moving" torrents in transfer list

     Web UI:

     * Drop WebUI default credentials
     * Add I2P settings to WebUI
     * Fix duplicate scrollbar on Transfer List
     * Fix incorrect subcategory sorting
     * Correctly set save path in RSS rules
     * Allow to request torrents count via WebAPI
     * Improve performance of getting torrent numbers via WebAPI
     * Improve free disk space checking for WebAPI

     Misc:

     * Fix invisible tray icon with Qt5 in Linux


   - Update to version 4.6.0

     New features:

     * Add (experimental) I2P support
     * Provide UI editor for the default theme
     * Various UI theming improvements
     * Implement torrent tags editing dialog
     * Revamp "Watched folder options" and "Automated RSS downloader" dialog
     * Allow to use another icons in dark mode
     * Allow to add new torrents to queue top
     * Allow to filter torrent list by save path
     * Expose 'socket send/receive buffer size' options
     * Expose 'max torrent file size' setting
     * Expose 'bdecode limits' settings
     * Add options to adjust behavior of merging trackers to existing torrent
     * Add option to stop seeding when torrent has been inactive
     * Allow to use proxy per subsystem
     * Expand the scope of "Proxy hostname lookup" option
     * Add shortcut for "Ban peer permanently" function
     * Add option to auto hide zero status filters
     * Allow to disable confirmation of Pause/Resume All
     * Add alternative shortcut CTRL+E for CTRL+F
     * Show filtered port numbers in logs
     * Add button to copy library versions to clipboard

     Bug fixes:

     * Ensure ongoing storage moving job will be completed when shutting down
     * Refactored many areas to call non UI blocking code
     * Various improvements to the SQLite backend
     * Improve startup window state handling
     * Use tray icon from system theme only if option is set
     * Inhibit system sleep while torrents are moving
     * Use hostname instead of domain name in tracker filter list
     * Visually validate input path in torrent creator dialog
     * Disable symlink resolving in Torrent creator
     * Change default value for `file pool size` and `stop tracker timeout`
       settings
     * Log when duplicate torrents are being added
     * Inhibit suspend instead of screen idle
     * Ensure file name is valid when exporting torrents
     * Open "Save path" if torrent has no metadata
     * Prevent torrent starting unexpectedly edge case with magnet
     * Better ergonomics of the "Add new torrent" dialog

     WebUI:

     * Add log viewer
     * WebAPI: Allow to specify session cookie name
     * Improve sync API performance
     * Add filelog settings
     * Add multi-file renaming
     * Add "Add to top of queue" option
     * Implement subcategories
     * Set "SameSite=None" if CSRF Protection is disabled
     * Show only hosts in tracker filter list
     * Set Connection status and Speed limits tooltips
     * set Cross Origin Opener Policy to `same-origin`
     * Fix response for HTTP HEAD method
     * Preserve the network interfaces when connection is down
     * Add "Add Tags" field for RSS rules
     * Fix missing error icon

     RSS:

     * Add "Rename rule" button to RSS Downloader
     * Allow to edit RSS feed URL
     * Allow to assign priority to RSS download rule

     Search:

     * Use python isolate mode
     * Bump python version minimum requirement to 3.7.0

     Other:

     * Numerous code improvements and refactorings

   - Update to version 4.5.5

     Bug fixes:

     * Fix transfer list tab hotkey
     * Don't forget to enable the Apply button in the Options dialog
     * Immediately update torrent status on moving files
     * Improve performance when scrolling the file list of large torrents
     * Don't operate on random torrents when multiple are selected and a
       sort/filter is applied

     RSS:

     * Fix overwriting feeds.json with an incomplete load of it

   - Update to version 4.5.4

     Bug fixes:

     * Allow to disable confirmation of Pause/Resume All
     * Sync flag icons with upstream

     Web UI:

     * Fix category save path

   - Update to version 4.5.3

     Bug fixes:

     * Correctly check if database needs to be updated
     * Prevent incorrect log message about torrent content deletion
     * Improve finished torrent handling
     * Correctly initialize group box children as disabled in Preferences
     * Don't miss saving "download path" in SQLite storage
     * Improve logging of running external program

     Web UI:

     * Disable UPnP for web UI by default
     * Use workaround for IOS file picker
     * Work around Chrome download limit
     * Improve 'exporting torrent' behavior

   - Update to version 4.5.2

     Bug fixes:

     * Don't unexpectedly activate queued torrents when prefetching metadata
       for added magnets
     * Update the cached torrent state once recheck is started
     * Be more likely to allow the system to use power saving modes

     Web UI:

     * Migrate away from unsafe function
     * Blacklist bad ciphers for TLS in the server
     * Allow only TLS 1.2+ in the server
     * Allow to set read-only directory as torrent location
     * Reject requests that contain backslash in path

     RSS:

     * Prevent RSS folder from being moved into itself

   - Update to version 4.5.1

     New features:

     * Re-allow to use icons from system theme

     Bug fixes:

     * Fix Speed limit icon size
     * Revise and fix some text colors
     * Correctly load folder based UI theme
     * Fix crash due to invalid encoding of tracker URLs
     * Don't drop !qB extension when renaming incomplete file
     * Correctly count the number of torrents in subcategories
     * Use "additional trackers" when metadata retrieving
     * Apply correct tab order to Category options dialog
     * Add all torrents passed via the command line
     * Fix startup performance on Qt5
     * Automatic move will now overwrite existing files
     * Some fixes for loading Chinese locales
     * New Pause icon color for toolbar/menu
     * Adjust env variable for PDB discovery

     Web UI:

     * Fix missing "queued" icon
     * Return paths using platform-independent separator format
     * Change order of accepted types of file input
     * Add missing icons
     * Add "Resume data storage type" option
     * Make rename file dialog resizable
     * Prevent incorrect line breaking
     * Improve hotkeys
     * Remove suggestions while searching for torrents
     * Expose "IS PRIVATE" flag
     * Return name/hash/infohash_v1/infohash_v2 torrent properties

     Other:

     * Fix tray icon issues

   - Update to version 4.5.0

     New features:

     * Add `Auto resize columns` functionality
     * Allow to use Category paths in `Manual` mode
     * Allow to disable Automatic mode when default "temp" path changed
     * Add tuning options related to performance warnings
     * Add right click menu for status filters
     * Allow setting the number of maximum active checking torrents
     * Add option to toggle filters sidebar
     * Allow to set `working set limit` on non-Windows OS
     * Add `Export .torrent` action
     * Add keyboard navigation keys
     * Allow to use POSIX-compliant disk IO type
     * Add `Filter files` field in new torrent dialog
     * Implement new icon/color theme
     * Add file name filter/blacklist
     * Add support for custom SMTP ports
     * Split the OS cache settings into Disk IO read/write modes
     * When duplicate torrent is added set metadata to existing one
     * Greatly improve startup time with many torrents
     * Add keyboard shortcut to Download URL dialog
     * Add ability to run external program on torrent added
     * Add infohash and download path columns
     * Allow to set torrent stop condition
     * Add a `Moving` status filter
     * Change color palettes for both dark, light themes
     * Add a `Use proxy for hostname lookup` option
     * Introduce a `change listen port` cmd option
     * Implement `Peer ID Client` column for `Peers` tab
     * Add port forwarding option for embedded tracker

     Bug fixes:

     * Store hybrid torrents using `torrent ID` as basename
     * Enable Combobox editor for the `Mixed` file download priority
     * Allow shortcut folders for the Open and Save directory dialogs
     * Rename content tab `Size` column to `Total Size`
     * Fix scrolling to the lowermost visible torrent
     * Allow changing file priorities for finished torrents
     * Focus save path when Manual mode is selected initially
     * Disable force reannounce when it is not possible
     * Add horizontal scrolling for tracker list and torrent content
     * Enlarge "speed limits" icons
     * Change Downloaded to Times Downloaded in trackers tab
     * Remove artificial max limits from `Torrent Queueing` related
       options
     * Preserve `skip hash check` when there is no metadata
     * Fix DHT/PeX/LSD status when it is globally disabled
     * Fix rate calculation when interval is too low
     * Add tooltip message when system tray icon isn't available
     * Improve sender field in mail notifications
     * Fix "Add torrent dialog" spill-over on smaller screens
     * Fix peer count issue when tracker responds with zero figure
     * Don't merge trackers by default
     * Don't inhibit system sleep/auto shutdown for torrents stuck at
       downloading metadata
     * Allow to pause a checking torrent from context menu
     * Allow to use subnet notation in reverse proxy list
     * Fine tune translations loading for Chinese locales
     * Fix torrent content checkboxes not updated properly
     * Correctly load state of `Use another path for incomplete torrents` in
       Watched folders
     * Add confirmation to resume/pause all
     * Fix wrong count of errored trackers

     WebUI:

     * Allow blank lines in multipart form-data input
     * Make various dialogs resizable
     * Fix wrong v2 hash string displayed
     * WebAPI: return correct status
     * Fix empty selection in language combobox
     * Store WebUI port setting in human readable number
     * Add support for exporting .torrent
     * WebAPI: Add endpoint to set speed limit mode
     * Improve progress bar rendering
     * Add transfer list refresh interval settings
     * Use natural sort
     * Apply i18n translation only to built-in WebUI
     * Alert when HTTPS settings are incomplete
     * Handle drag and drop events
     * Fix wrong behavior for shutdown action
     * Don't disable combobox for file priority

     RSS:

     * Increase limit of maximum number of articles per feed

     Other:

     * Mark as single window app in .desktop file
     * Add Dockerfile
     * Remove option of using icons from system theme

   - Update to version 4.4.5

     Bug fixes:

     * Fix missing trackers when adding magnet link. Affects libtorrent 2.0.x
       builds.

   - Update to version 4.4.4.

     * Improve D-Bus notifications handling

     Bug fixes:

     * Correctly handle data decompression with Qt 6.3
     * Fix wrong file names displayed in tooltip
     * Fix incorrect "max outgoing port" setting
     * Make working set limit available only on libtorrent 2.0.x builds
     * Try to recover missing tags

     RSS:

     * Clear RSS parsing error after use

     Web API:

     * Set HTTP method restriction on WebAPI actions

   - Update to version 4.4.3.1

     Bug fixes:

     * Fix broken translations

   - Update to version 4.4.3

     Bug fixes:

     * Correctly handle changing of temp save path
     * Fix storage in SQLite
     * Correctly apply content layout when "Skip hash check" is enabled
     * Don't corrupt IDs of v2 torrents
     * Reduce the number of hashing threads by default (improves hashing
       speed on HDDs)
     * Prevent the "update dialog" from blocking input on other windows
     * Add trackers in exported .torrent files
     * Fix wrong GUI behavior in "Optional IP address to bind to" setting

     Web UI:

     * Fix WebUI crash due to missing tags from config
     * Show correct location path


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2023-391=1

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2023-391=1



Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

      libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1
      libtorrent-rasterbar-debugsource-2.0.9-bp155.2.3.1
      libtorrent-rasterbar-devel-2.0.9-bp155.2.3.1
      libtorrent-rasterbar2_0-2.0.9-bp155.2.3.1
      libtorrent-rasterbar2_0-debuginfo-2.0.9-bp155.2.3.1
      python3-libtorrent-rasterbar-2.0.9-bp155.2.3.1
      python3-libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1

   - openSUSE Backports SLE-15-SP5 (aarch64 ppc64le s390x x86_64):

      qbittorrent-4.6.2-bp155.2.3.1
      qbittorrent-debuginfo-4.6.2-bp155.2.3.1
      qbittorrent-debugsource-4.6.2-bp155.2.3.1
      qbittorrent-nox-4.6.2-bp155.2.3.1
      qbittorrent-nox-debuginfo-4.6.2-bp155.2.3.1

   - openSUSE Backports SLE-15-SP5 (noarch):

      libtorrent-rasterbar-doc-2.0.9-bp155.2.3.1

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

      libtorrent-rasterbar-devel-2.0.9-bp154.3.3.1
      libtorrent-rasterbar2_0-2.0.9-bp154.3.3.1
      python3-libtorrent-rasterbar-2.0.9-bp154.3.3.1
      qbittorrent-4.6.2-bp154.3.3.1
      qbittorrent-debuginfo-4.6.2-bp154.3.3.1
      qbittorrent-debugsource-4.6.2-bp154.3.3.1
      qbittorrent-nox-4.6.2-bp154.3.3.1
      qbittorrent-nox-debuginfo-4.6.2-bp154.3.3.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      libtorrent-rasterbar-doc-2.0.9-bp154.3.3.1


References:

   https://www.suse.com/security/cve/CVE-2023-30801.html
   https://bugzilla.suse.com/1217677

openSUSE: 2023:0391-1 moderate: libtorrent-rasterbar, qbittorrent

December 7, 2023
An update that fixes one vulnerability is now available

Description

This update for libtorrent-rasterbar, qbittorrent fixes the following issues: Changes in libtorrent-rasterbar: - Update to version 2.0.9 * fix issue with web seed connections when they close and re-open * fallocate() not supported is not a fatal error * fix proxying of IPv6 connections via IPv4 proxy * treat CGNAT address range as local IPs * add stricter checking of piece layers when loading torrents * add stricter checking of v1 and v2 hashes being consistent * cache failed DNS lookups as well as successful ones * add an i2p torrent state to control interactions with clear swarms * fix i2p SAM protocol parsing of quoted messages * expose i2p peer destination in peer_info * fix i2p tracker announces * fix issue with read_piece() stopping torrent on pieces not yet downloaded * improve handling of allow_i2p_mixed setting to work for magnet links * fix web seed request for renamed single-file torrents * fix issue where web seeds could disappear from resume data * extend save_resume with additional conditional flags * fix issue with retrying trackers in tiers > 0 * fix last_upload and last_download resume data fields to use posix time * improve error messages for no_connect_privileged_ports, by untangle it from the port filter * fix I2P issue introduced in 2.0.0 * add async tracker status query, post_trackers() * add async torrent status query, post_status() * support loading version 2 of resume data format * fix issue with odd piece sizes * add async piece availability query, post_piece_availability() * add async download queue query, post_download_queue() * add async file_progress query, post_file_progress() * add async peer_info query, post_peer_info() - Update to version 2.0.8 * fix uTP streams timing out instead of closing cleanly * add write_torrent_file_buf() overload for generating .torrent files * add create_torrent::generate_buf() function to generate into a buffer * fix copy_file when the file ends with a sparse region * uTP performance, fix packet loss when sending is stalled * fix trackers being stuck after session pause/resume * fix bug in hash_picker with empty files * uTP performance, prevent premature timeouts/resends * add option to not memory map files below a certain size * settings_pack now returns default values when queried for missing settings * fix copy_file fall-back when SEEK_HOL/SEEK_DATA is not supported * improve error reporting from file copy and move * tweak pad file placement to match reference implementation (tail-padding) * uTP performance, more lenient nagle's algorithm to always allow one outstanding undersized packet * uTP performance, piggy-back held back undersized packet with ACKs * uTP performance, don't send redundant deferred ACKs * support incoming SOCKS5 packets with hostnames as source address, for UDP trackers * ignore duplicate network interface change notifications on linux * fix total_want/want accounting when forcing a recheck * fix merging metadata with magnet links added on top of existing torrents * add torrent_flag to default all file priorities to dont_download * fix &so= feature in magnet links * improve compatibility of SOCKS5 UDP ASSOCIATE * fix madvise range for flushing cache in mmap_storage * open files with no_cache set in O_SYNC mode - Update to version 2.0.7 * fix issue in use of copy_file_range() * avoid open-file race in the file_view_pool * fix issue where stop-when-ready would not close files * fix issue with duplicate hybrid torrent via separate v1 and v2 magnet links * added new function to load torrent files, load_torrent_*() * support sync_file_range() * fix issue in write_torrent_file() when file size is exactly piece size * fix file_num_blocks() and file_num_pieces() for empty files * add new overload to make_magnet_uri() * add missing protocol version to tracker_reply_alert and tracker_error_alert * fix privilege issue with SetFileValidData() * add asynchronous overload of torrent_handle::add_piece() * default to a single hashing thread, for full checks * Fix bug when checking files and the first piece is invalid Changes in qbittorrent, qbittorrent: - Update to version 4.6.2 Bug fixes: * Do not apply share limit if the previous one was applied * Show Add new torrent dialog on main window screen Web UI: * Fix JS memory leak * Disable stdout buffering for qbt-nox Wayland: * Fix parent widget of "Lock qBittorrent" submenu - Also fixes boo#1217677 (CVE-2023-30801, upstream reference gh#qbittorrent/qBittorrent#19738) - Update to version 4.6.1 New features: * Add option to enable previous Add new torrent dialog behavior Fixed bugs: * Prevent crash due to race condition when adding magnet link * Fix Enter key behavior when add new torrent * Add missing main window icon * Update size of selected files when selection is changed * Correctly handle changing save path of torrent w/o metadata * Use appropriate icon for "moving" torrents in transfer list Web UI: * Drop WebUI default credentials * Add I2P settings to WebUI * Fix duplicate scrollbar on Transfer List * Fix incorrect subcategory sorting * Correctly set save path in RSS rules * Allow to request torrents count via WebAPI * Improve performance of getting torrent numbers via WebAPI * Improve free disk space checking for WebAPI Misc: * Fix invisible tray icon with Qt5 in Linux - Update to version 4.6.0 New features: * Add (experimental) I2P support * Provide UI editor for the default theme * Various UI theming improvements * Implement torrent tags editing dialog * Revamp "Watched folder options" and "Automated RSS downloader" dialog * Allow to use another icons in dark mode * Allow to add new torrents to queue top * Allow to filter torrent list by save path * Expose 'socket send/receive buffer size' options * Expose 'max torrent file size' setting * Expose 'bdecode limits' settings * Add options to adjust behavior of merging trackers to existing torrent * Add option to stop seeding when torrent has been inactive * Allow to use proxy per subsystem * Expand the scope of "Proxy hostname lookup" option * Add shortcut for "Ban peer permanently" function * Add option to auto hide zero status filters * Allow to disable confirmation of Pause/Resume All * Add alternative shortcut CTRL+E for CTRL+F * Show filtered port numbers in logs * Add button to copy library versions to clipboard Bug fixes: * Ensure ongoing storage moving job will be completed when shutting down * Refactored many areas to call non UI blocking code * Various improvements to the SQLite backend * Improve startup window state handling * Use tray icon from system theme only if option is set * Inhibit system sleep while torrents are moving * Use hostname instead of domain name in tracker filter list * Visually validate input path in torrent creator dialog * Disable symlink resolving in Torrent creator * Change default value for `file pool size` and `stop tracker timeout` settings * Log when duplicate torrents are being added * Inhibit suspend instead of screen idle * Ensure file name is valid when exporting torrents * Open "Save path" if torrent has no metadata * Prevent torrent starting unexpectedly edge case with magnet * Better ergonomics of the "Add new torrent" dialog WebUI: * Add log viewer * WebAPI: Allow to specify session cookie name * Improve sync API performance * Add filelog settings * Add multi-file renaming * Add "Add to top of queue" option * Implement subcategories * Set "SameSite=None" if CSRF Protection is disabled * Show only hosts in tracker filter list * Set Connection status and Speed limits tooltips * set Cross Origin Opener Policy to `same-origin` * Fix response for HTTP HEAD method * Preserve the network interfaces when connection is down * Add "Add Tags" field for RSS rules * Fix missing error icon RSS: * Add "Rename rule" button to RSS Downloader * Allow to edit RSS feed URL * Allow to assign priority to RSS download rule Search: * Use python isolate mode * Bump python version minimum requirement to 3.7.0 Other: * Numerous code improvements and refactorings - Update to version 4.5.5 Bug fixes: * Fix transfer list tab hotkey * Don't forget to enable the Apply button in the Options dialog * Immediately update torrent status on moving files * Improve performance when scrolling the file list of large torrents * Don't operate on random torrents when multiple are selected and a sort/filter is applied RSS: * Fix overwriting feeds.json with an incomplete load of it - Update to version 4.5.4 Bug fixes: * Allow to disable confirmation of Pause/Resume All * Sync flag icons with upstream Web UI: * Fix category save path - Update to version 4.5.3 Bug fixes: * Correctly check if database needs to be updated * Prevent incorrect log message about torrent content deletion * Improve finished torrent handling * Correctly initialize group box children as disabled in Preferences * Don't miss saving "download path" in SQLite storage * Improve logging of running external program Web UI: * Disable UPnP for web UI by default * Use workaround for IOS file picker * Work around Chrome download limit * Improve 'exporting torrent' behavior - Update to version 4.5.2 Bug fixes: * Don't unexpectedly activate queued torrents when prefetching metadata for added magnets * Update the cached torrent state once recheck is started * Be more likely to allow the system to use power saving modes Web UI: * Migrate away from unsafe function * Blacklist bad ciphers for TLS in the server * Allow only TLS 1.2+ in the server * Allow to set read-only directory as torrent location * Reject requests that contain backslash in path RSS: * Prevent RSS folder from being moved into itself - Update to version 4.5.1 New features: * Re-allow to use icons from system theme Bug fixes: * Fix Speed limit icon size * Revise and fix some text colors * Correctly load folder based UI theme * Fix crash due to invalid encoding of tracker URLs * Don't drop !qB extension when renaming incomplete file * Correctly count the number of torrents in subcategories * Use "additional trackers" when metadata retrieving * Apply correct tab order to Category options dialog * Add all torrents passed via the command line * Fix startup performance on Qt5 * Automatic move will now overwrite existing files * Some fixes for loading Chinese locales * New Pause icon color for toolbar/menu * Adjust env variable for PDB discovery Web UI: * Fix missing "queued" icon * Return paths using platform-independent separator format * Change order of accepted types of file input * Add missing icons * Add "Resume data storage type" option * Make rename file dialog resizable * Prevent incorrect line breaking * Improve hotkeys * Remove suggestions while searching for torrents * Expose "IS PRIVATE" flag * Return name/hash/infohash_v1/infohash_v2 torrent properties Other: * Fix tray icon issues - Update to version 4.5.0 New features: * Add `Auto resize columns` functionality * Allow to use Category paths in `Manual` mode * Allow to disable Automatic mode when default "temp" path changed * Add tuning options related to performance warnings * Add right click menu for status filters * Allow setting the number of maximum active checking torrents * Add option to toggle filters sidebar * Allow to set `working set limit` on non-Windows OS * Add `Export .torrent` action * Add keyboard navigation keys * Allow to use POSIX-compliant disk IO type * Add `Filter files` field in new torrent dialog * Implement new icon/color theme * Add file name filter/blacklist * Add support for custom SMTP ports * Split the OS cache settings into Disk IO read/write modes * When duplicate torrent is added set metadata to existing one * Greatly improve startup time with many torrents * Add keyboard shortcut to Download URL dialog * Add ability to run external program on torrent added * Add infohash and download path columns * Allow to set torrent stop condition * Add a `Moving` status filter * Change color palettes for both dark, light themes * Add a `Use proxy for hostname lookup` option * Introduce a `change listen port` cmd option * Implement `Peer ID Client` column for `Peers` tab * Add port forwarding option for embedded tracker Bug fixes: * Store hybrid torrents using `torrent ID` as basename * Enable Combobox editor for the `Mixed` file download priority * Allow shortcut folders for the Open and Save directory dialogs * Rename content tab `Size` column to `Total Size` * Fix scrolling to the lowermost visible torrent * Allow changing file priorities for finished torrents * Focus save path when Manual mode is selected initially * Disable force reannounce when it is not possible * Add horizontal scrolling for tracker list and torrent content * Enlarge "speed limits" icons * Change Downloaded to Times Downloaded in trackers tab * Remove artificial max limits from `Torrent Queueing` related options * Preserve `skip hash check` when there is no metadata * Fix DHT/PeX/LSD status when it is globally disabled * Fix rate calculation when interval is too low * Add tooltip message when system tray icon isn't available * Improve sender field in mail notifications * Fix "Add torrent dialog" spill-over on smaller screens * Fix peer count issue when tracker responds with zero figure * Don't merge trackers by default * Don't inhibit system sleep/auto shutdown for torrents stuck at downloading metadata * Allow to pause a checking torrent from context menu * Allow to use subnet notation in reverse proxy list * Fine tune translations loading for Chinese locales * Fix torrent content checkboxes not updated properly * Correctly load state of `Use another path for incomplete torrents` in Watched folders * Add confirmation to resume/pause all * Fix wrong count of errored trackers WebUI: * Allow blank lines in multipart form-data input * Make various dialogs resizable * Fix wrong v2 hash string displayed * WebAPI: return correct status * Fix empty selection in language combobox * Store WebUI port setting in human readable number * Add support for exporting .torrent * WebAPI: Add endpoint to set speed limit mode * Improve progress bar rendering * Add transfer list refresh interval settings * Use natural sort * Apply i18n translation only to built-in WebUI * Alert when HTTPS settings are incomplete * Handle drag and drop events * Fix wrong behavior for shutdown action * Don't disable combobox for file priority RSS: * Increase limit of maximum number of articles per feed Other: * Mark as single window app in .desktop file * Add Dockerfile * Remove option of using icons from system theme - Update to version 4.4.5 Bug fixes: * Fix missing trackers when adding magnet link. Affects libtorrent 2.0.x builds. - Update to version 4.4.4. * Improve D-Bus notifications handling Bug fixes: * Correctly handle data decompression with Qt 6.3 * Fix wrong file names displayed in tooltip * Fix incorrect "max outgoing port" setting * Make working set limit available only on libtorrent 2.0.x builds * Try to recover missing tags RSS: * Clear RSS parsing error after use Web API: * Set HTTP method restriction on WebAPI actions - Update to version 4.4.3.1 Bug fixes: * Fix broken translations - Update to version 4.4.3 Bug fixes: * Correctly handle changing of temp save path * Fix storage in SQLite * Correctly apply content layout when "Skip hash check" is enabled * Don't corrupt IDs of v2 torrents * Reduce the number of hashing threads by default (improves hashing speed on HDDs) * Prevent the "update dialog" from blocking input on other windows * Add trackers in exported .torrent files * Fix wrong GUI behavior in "Optional IP address to bind to" setting Web UI: * Fix WebUI crash due to missing tags from config * Show correct location path

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-391=1 - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2023-391=1


Package List

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1 libtorrent-rasterbar-debugsource-2.0.9-bp155.2.3.1 libtorrent-rasterbar-devel-2.0.9-bp155.2.3.1 libtorrent-rasterbar2_0-2.0.9-bp155.2.3.1 libtorrent-rasterbar2_0-debuginfo-2.0.9-bp155.2.3.1 python3-libtorrent-rasterbar-2.0.9-bp155.2.3.1 python3-libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1 - openSUSE Backports SLE-15-SP5 (aarch64 ppc64le s390x x86_64): qbittorrent-4.6.2-bp155.2.3.1 qbittorrent-debuginfo-4.6.2-bp155.2.3.1 qbittorrent-debugsource-4.6.2-bp155.2.3.1 qbittorrent-nox-4.6.2-bp155.2.3.1 qbittorrent-nox-debuginfo-4.6.2-bp155.2.3.1 - openSUSE Backports SLE-15-SP5 (noarch): libtorrent-rasterbar-doc-2.0.9-bp155.2.3.1 - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): libtorrent-rasterbar-devel-2.0.9-bp154.3.3.1 libtorrent-rasterbar2_0-2.0.9-bp154.3.3.1 python3-libtorrent-rasterbar-2.0.9-bp154.3.3.1 qbittorrent-4.6.2-bp154.3.3.1 qbittorrent-debuginfo-4.6.2-bp154.3.3.1 qbittorrent-debugsource-4.6.2-bp154.3.3.1 qbittorrent-nox-4.6.2-bp154.3.3.1 qbittorrent-nox-debuginfo-4.6.2-bp154.3.3.1 - openSUSE Backports SLE-15-SP4 (noarch): libtorrent-rasterbar-doc-2.0.9-bp154.3.3.1


References

https://www.suse.com/security/cve/CVE-2023-30801.html https://bugzilla.suse.com/1217677


Severity
Announcement ID: openSUSE-SU-2023:0391-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP4 openSUSE Backports SLE-15-SP5 .

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo