Stay Secure with the Latest Linux Advisories

Explore Latest Linux Security advisories

openSUSE 2023:0391-1 moderate: libtorrent and qbittorrent fix

An update that fixes one vulnerability is now available.

openSUSE Security Update: Security update for libtorrent-rasterbar, qbittorrent
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0391-1
Rating:             moderate
References:         #1217677
Cross-References:   CVE-2023-30801
CVSS scores:
                    CVE-2023-30801 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP4
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libtorrent-rasterbar, qbittorrent fixes the following issues:

Changes in libtorrent-rasterbar:

- Update to version 2.0.9
  * fix issue with web seed connections when they close and re-open
  * fallocate() not supported is not a fatal error
  * fix proxying of IPv6 connections via IPv4 proxy
  * treat CGNAT address range as local IPs
  * add stricter checking of piece layers when loading torrents
  * add stricter checking of v1 and v2 hashes being consistent
  * cache failed DNS lookups as well as successful ones
  * add an i2p torrent state to control interactions with clear swarms
  * fix i2p SAM protocol parsing of quoted messages
  * expose i2p peer destination in peer_info
  * fix i2p tracker announces
  * fix issue with read_piece() stopping torrent on pieces not yet downloaded
  * improve handling of allow_i2p_mixed setting to work for magnet links
  * fix web seed request for renamed single-file torrents
  * fix issue where web seeds could disappear from resume data
  * extend save_resume with additional conditional flags
  * fix issue with retrying trackers in tiers > 0
  * fix last_upload and last_download resume data fields to use posix time
  * improve error messages for no_connect_privileged_ports, by untangle it from the port filter
  * fix I2P issue introduced in 2.0.0
  * add async tracker status query, post_trackers()
  * add async torrent status query, post_status()
  * support loading version 2 of resume data format
  * fix issue with odd piece sizes
  * add async piece availability query, post_piece_availability()
  * add async download queue query, post_download_queue()
  * add async file_progress query, post_file_progress()
  * add async peer_info query, post_peer_info()

- Update to version 2.0.8
  * fix uTP streams timing out instead of closing cleanly
  * add write_torrent_file_buf() overload for generating .torrent files
  * add create_torrent::generate_buf() function to generate into a buffer
  * fix copy_file when the file ends with a sparse region
  * uTP performance, fix packet loss when sending is stalled
  * fix trackers being stuck after session pause/resume
  * fix bug in hash_picker with empty files
  * uTP performance, prevent premature timeouts/resends
  * add option to not memory map files below a certain size
  * settings_pack now returns default values when queried for missing settings
  * fix copy_file fall-back when SEEK_HOL/SEEK_DATA is not supported
  * improve error reporting from file copy and move
  * tweak pad file placement to match reference implementation (tail-padding)
  * uTP performance, more lenient nagle's algorithm to always allow one outstanding undersized packet
  * uTP performance, piggy-back held back undersized packet with ACKs
  * uTP performance, don't send redundant deferred ACKs
  * support incoming SOCKS5 packets with hostnames as source address, for UDP trackers
  * ignore duplicate network interface change notifications on linux
  * fix total_want/want accounting when forcing a recheck
  * fix merging metadata with magnet links added on top of existing torrents
  * add torrent_flag to default all file priorities to dont_download
  * fix &so= feature in magnet links
  * improve compatibility of SOCKS5 UDP ASSOCIATE
  * fix madvise range for flushing cache in mmap_storage
  * open files with no_cache set in O_SYNC mode

- Update to version 2.0.7
  * fix issue in use of copy_file_range()
  * avoid open-file race in the file_view_pool
  * fix issue where stop-when-ready would not close files
  * fix issue with duplicate hybrid torrent via separate v1 and v2 magnet links
  * added new function to load torrent files, load_torrent_*()
  * support sync_file_range()
  * fix issue in write_torrent_file() when file size is exactly piece size
  * fix file_num_blocks() and file_num_pieces() for empty files
  * add new overload to make_magnet_uri()
  * add missing protocol version to tracker_reply_alert and tracker_error_alert
  * fix privilege issue with SetFileValidData()
  * add asynchronous overload of torrent_handle::add_piece()
  * default to a single hashing thread, for full checks
  * Fix bug when checking files and the first piece is invalid

Changes in qbittorrent, qbittorrent:

- Update to version 4.6.2
  Bug fixes:
  * Do not apply share limit if the previous one was applied
  * Show Add new torrent dialog on main window screen
  Web UI:
  * Fix JS memory leak
  * Disable stdout buffering for qbt-nox
  Wayland:
  * Fix parent widget of "Lock qBittorrent" submenu

- Also fixes boo#1217677 (CVE-2023-30801, upstream reference gh#qbittorrent/qBittorrent#19738)

- Update to version 4.6.1
  New features:
  * Add option to enable previous Add new torrent dialog behavior
  Fixed bugs:
  * Prevent crash due to race condition when adding magnet link
  * Fix Enter key behavior when add new torrent
  * Add missing main window icon
  * Update size of selected files when selection is changed
  * Correctly handle changing save path of torrent w/o metadata
  * Use appropriate icon for "moving" torrents in transfer list
  Web UI:
  * Drop WebUI default credentials
  * Add I2P settings to WebUI
  * Fix duplicate scrollbar on Transfer List
  * Fix incorrect subcategory sorting
  * Correctly set save path in RSS rules
  * Allow to request torrents count via WebAPI
  * Improve performance of getting torrent numbers via WebAPI
  * Improve free disk space checking for WebAPI
  Misc:
  * Fix invisible tray icon with Qt5 in Linux

- Update to version 4.6.0
  New features:
  * Add (experimental) I2P support
  * Provide UI editor for the default theme
  * Various UI theming improvements
  * Implement torrent tags editing dialog
  * Revamp "Watched folder options" and "Automated RSS downloader" dialog
  * Allow to use another icons in dark mode
  * Allow to add new torrents to queue top
  * Allow to filter torrent list by save path
  * Expose 'socket send/receive buffer size' options
  * Expose 'max torrent file size' setting
  * Expose 'bdecode limits' settings
  * Add options to adjust behavior of merging trackers to existing torrent
  * Add option to stop seeding when torrent has been inactive
  * Allow to use proxy per subsystem
  * Expand the scope of "Proxy hostname lookup" option
  * Add shortcut for "Ban peer permanently" function
  * Add option to auto hide zero status filters
  * Allow to disable confirmation of Pause/Resume All
  * Add alternative shortcut CTRL+E for CTRL+F
  * Show filtered port numbers in logs
  * Add button to copy library versions to clipboard
  Bug fixes:
  * Ensure ongoing storage moving job will be completed when shutting down
  * Refactored many areas to call non UI blocking code
  * Various improvements to the SQLite backend
  * Improve startup window state handling
  * Use tray icon from system theme only if option is set
  * Inhibit system sleep while torrents are moving
  * Use hostname instead of domainname in tracker filter list
  * Visually validate input path in torrent creator dialog
  * Disable symlink resolving in Torrent creator
  * Change default value for `file pool size` and `stop tracker timeout` settings
  * Log when duplicate torrents are being added
  * Inhibit suspend instead of screen idle
  * Ensure file name is valid when exporting torrents
  * Open "Save path" if torrent has no metadata
  * Prevent torrent starting unexpectedly edge case with magnet
  * Better ergonomics of the "Add new torrent" dialog
  WebUI:
  * Add log viewer
  * WebAPI: Allow to specify session cookie name
  * Improve sync API performance
  * Add filelog settings
  * Add multi-file renaming
  * Add "Add to top of queue" option
  * Implement subcategories
  * Set "SameSite=None" if CSRF Protection is disabled
  * Show only hosts in tracker filter list
  * Set Connection status and Speed limits tooltips
  * set Cross Origin Opener Policy to `same-origin`
  * Fix response for HTTP HEAD method
  * Preserve the network interfaces when connection is down
  * Add "Add Tags" field for RSS rules
  * Fix missing error icon
  RSS:
  * Add "Rename rule" button to RSS Downloader
  * Allow to edit RSS feed URL
  * Allow to assign priority to RSS download rule
  Search:
  * Use python isolate mode
  * Bump python version minimum requirement to 3.7.0
  Other:
  * Numerous code improvements and refactorings

- Update to version 4.5.5
  Bug fixes:
  * Fix transfer list tab hotkey
  * Don't forget to enable the Apply button in the Options dialog
  * Immediately update torrent status on moving files
  * Improve performance when scrolling the file list of large torrents
  * Don't operate on random torrents when multiple are selected and a sort/filter is applied
  RSS:
  * Fix overwriting feeds.json with an incomplete load of it

- Update to version 4.5.4
  Bug fixes:
  * Allow to disable confirmation of Pause/Resume All
  * Sync flag icons with upstream
  Web UI:
  * Fix category save path

- Update to version 4.5.3
  Bug fixes:
  * Correctly check if database needs to be updated
  * Prevent incorrect log message about torrent content deletion
  * Improve finished torrent handling
  * Correctly initialize group box children as disabled in Preferences
  * Don't miss saving "download path" in SQLite storage
  * Improve logging of running external program
  Web UI:
  * Disable UPnP for web UI by default
  * Use workaround for IOS file picker
  * Work around Chrome download limit
  * Improve 'exporting torrent' behavior

- Update to version 4.5.2
  Bug fixes:
  * Don't unexpectedly activate queued torrents when prefetching metadata for added magnets
  * Update the cached torrent state once recheck is started
  * Be more likely to allow the system to use power saving modes
  Web UI:
  * Migrate away from unsafe function
  * Blacklist bad ciphers for TLS in the server
  * Allow only TLS 1.2+ in the server
  * Allow to set read-only directory as torrent location
  * Reject requests that contain backslash in path
  RSS:
  * Prevent RSS folder from being moved into itself

- Update to version 4.5.1
  New features:
  * Re-allow to use icons from system theme
  Bug fixes:
  * Fix Speed limit icon size
  * Revise and fix some text colors
  * Correctly load folder based UI theme
  * Fix crash due to invalid encoding of tracker URLs
  * Don't drop !qB extension when renaming incomplete file
  * Correctly count the number of torrents in subcategories
  * Use "additional trackers" when metadata retrieving
  * Apply correct tab order to Category options dialog
  * Add all torrents passed via the command line
  * Fix startup performance on Qt5
  * Automatic move will now overwrite existing files
  * Some fixes for loading Chinese locales
  * New Pause icon color for toolbar/menu
  * Adjust env variable for PDB discovery
  Web UI:
  * Fix missing "queued" icon
  * Return paths using platform-independent separator format
  * Change order of accepted types of file input
  * Add missing icons
  * Add "Resume data storage type" option
  * Make rename file dialog resizable
  * Prevent incorrect line breaking
  * Improve hotkeys
  * Remove suggestions while searching for torrents
  * Expose "IS PRIVATE" flag
  * Return name/hash/infohash_v1/infohash_v2 torrent properties
  Other:
  * Fix tray icon issues

- Update to version 4.5.0
  New features:
  * Add `Auto resize columns` functionality
  * Allow to use Category paths in `Manual` mode
  * Allow to disable Automatic mode when default "temp" path changed
  * Add tuning options related to performance warnings
  * Add right click menu for status filters
  * Allow setting the number of maximum active checking torrents
  * Add option to toggle filters sidebar
  * Allow to set `working set limit` on non-Windows OS
  * Add `Export .torrent` action
  * Add keyboard navigation keys
  * Allow to use POSIX-compliant disk IO type
  * Add `Filter files` field in new torrent dialog
  * Implement new icon/color theme
  * Add file name filter/blacklist
  * Add support for custom SMTP ports
  * Split the OS cache settings into Disk IO read/write modes
  * When duplicate torrent is added set metadata to existing one
  * Greatly improve startup time with many torrents
  * Add keyboard shortcut to Download URL dialog
  * Add ability to run external program on torrent added
  * Add infohash and download path columns
  * Allow to set torrent stop condition
  * Add a `Moving` status filter
  * Change color palettes for both dark, light themes
  * Add a `Use proxy for hostname lookup` option
  * Introduce a `change listen port` cmd option
  * Implement `Peer ID Client` column for `Peers` tab
  * Add port forwarding option for embedded tracker
  Bug fixes:
  * Store hybrid torrents using `torrent ID` as basename
  * Enable Combobox editor for the `Mixed` file download priority
  * Allow shortcut folders for the Open and Save directory dialogs
  * Rename content tab `Size` column to `Total Size`
  * Fix scrolling to the lowermost visible torrent
  * Allow changing file priorities for finished torrents
  * Focus save path when Manual mode is selected initially
  * Disable force reannounce when it is not possible
  * Add horizontal scrolling for tracker list and torrent content
  * Enlarge "speed limits" icons
  * Change Downloaded to Times Downloaded in trackers tab
  * Remove artificial max limits from `Torrent Queueing` related options
  * Preserve `skip hash check` when there is no metadata
  * Fix DHT/PeX/LSD status when it is globally disabled
  * Fix rate calculation when interval is too low
  * Add tooltip message when system tray icon isn't available
  * Improve sender field in mail notifications
  * Fix "Add torrent dialog" spill-over on smaller screens
  * Fix peer count issue when tracker responds with zero figure
  * Don't merge trackers by default
  * Don't inhibit system sleep/auto shutdown for torrents stuck at downloading metadata
  * Allow to pause a checking torrent from context menu
  * Allow to use subnet notation in reverse proxy list
  * Fine tune translations loading for Chinese locales
  * Fix torrent content checkboxes not updated properly
  * Correctly load state of `Use another path for incomplete torrents` in Watched folders
  * Add confirmation to resume/pause all
  * Fix wrong count of errored trackers
  WebUI:
  * Allow blank lines in multipart form-data input
  * Make various dialogs resizable
  * Fix wrong v2 hash string displayed
  * WebAPI: return correct status
  * Fix empty selection in language combobox
  * Store WebUI port setting in human readable number
  * Add support for exporting .torrent
  * WebAPI: Add endpoint to set speed limit mode
  * Improve progress bar rendering
  * Add transfer list refresh interval settings
  * Use natural sort
  * Apply i18n translation only to built-in WebUI
  * Alert when HTTPS settings are incomplete
  * Handle drag and drop events
  * Fix wrong behavior for shutdown action
  * Don't disable combobox for file priority
  RSS:
  * Increase limit of maximum number of articles per feed
  Other:
  * Mark as single window app in .desktop file
  * Add Dockerfile
  * Remove option of using icons from system theme

- Update to version 4.4.5
  Bug fixes:
  * Fix missing trackers when adding magnet link. Affects libtorrent 2.0.x builds.

- Update to version 4.4.4.
  * Improve D-Bus notifications handling
  Bug fixes:
  * Correctly handle data decompression with Qt 6.3
  * Fix wrong file names displayed in tooltip
  * Fix incorrect "max outgoing port" setting
  * Make working set limit available only on libtorrent 2.0.x builds
  * Try to recover missing tags
  RSS:
  * Clear RSS parsing error after use
  Web API:
  * Set HTTP method restriction on WebAPI actions

- Update to version 4.4.3.1
  Bug fixes:
  * Fix broken translations

- Update to version 4.4.3
  Bug fixes:
  * Correctly handle changing of temp save path
  * Fix storage in SQLite
  * Correctly apply content layout when "Skip hash check" is enabled
  * Don't corrupt IDs of v2 torrents
  * Reduce the number of hashing threads by default (improves hashing speed on HDDs)
  * Prevent the "update dialog" from blocking input on other windows
  * Add trackers in exported .torrent files
  * Fix wrong GUI behavior in "Optional IP address to bind to" setting
  Web UI:
  * Fix WebUI crash due to missing tags from config
  * Show correct location path

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2023-391=1

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2023-391=1

Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

      libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1
      libtorrent-rasterbar-debugsource-2.0.9-bp155.2.3.1
      libtorrent-rasterbar-devel-2.0.9-bp155.2.3.1
      libtorrent-rasterbar2_0-2.0.9-bp155.2.3.1
      libtorrent-rasterbar2_0-debuginfo-2.0.9-bp155.2.3.1
      python3-libtorrent-rasterbar-2.0.9-bp155.2.3.1
      python3-libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1

   - openSUSE Backports SLE-15-SP5 (aarch64 ppc64le s390x x86_64):

      qbittorrent-4.6.2-bp155.2.3.1
      qbittorrent-debuginfo-4.6.2-bp155.2.3.1
      qbittorrent-debugsource-4.6.2-bp155.2.3.1
      qbittorrent-nox-4.6.2-bp155.2.3.1
      qbittorrent-nox-debuginfo-4.6.2-bp155.2.3.1

   - openSUSE Backports SLE-15-SP5 (noarch):

      libtorrent-rasterbar-doc-2.0.9-bp155.2.3.1

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

      libtorrent-rasterbar-devel-2.0.9-bp154.3.3.1
      libtorrent-rasterbar2_0-2.0.9-bp154.3.3.1
      python3-libtorrent-rasterbar-2.0.9-bp154.3.3.1
      qbittorrent-4.6.2-bp154.3.3.1
      qbittorrent-debuginfo-4.6.2-bp154.3.3.1
      qbittorrent-debugsource-4.6.2-bp154.3.3.1
      qbittorrent-nox-4.6.2-bp154.3.3.1
      qbittorrent-nox-debuginfo-4.6.2-bp154.3.3.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      libtorrent-rasterbar-doc-2.0.9-bp154.3.3.1

References:

   https://www.suse.com/security/cve/CVE-2023-30801.html
   https://bugzilla.suse.com/1217677

Critical update released for openSUSE addressing a libtorrent and qbittorrent flaw labeled with ID 2023:0391-1.
openSUSE Security, libtorrent fix, qbittorrent update, security patch, system update.
LinuxSecurity.com Team

Dec 07, 2023 OpenSUSE

Gentoo GLSA-200907-14 Normal: Rasterbar Libtorrent Directory Overwrite

A directory traversal vulnerability in Rasterbar libtorrent might allow a remote attacker to overwrite arbitrary files.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200907-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Rasterbar libtorrent: Directory traversal
      Date: July 17, 2009
      Bugs: #273156, #273961
        ID: 200907-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A directory traversal vulnerability in Rasterbar libtorrent might allow a remote attacker to overwrite arbitrary files.

Background
==========

Rasterbar libtorrent is a C++ BitTorrent implementation focusing on efficiency and scalability. Deluge is a BitTorrent client that ships a copy of libtorrent.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  net-libs/rb_libtorrent      < 0.13-r1                  >= 0.13-r1
  2  net-p2p/deluge              < 1.1.9                    >= 1.1.9
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

census reported a directory traversal vulnerability in src/torrent_info.cpp that can be triggered via .torrent files.

Impact
======

A remote attacker could entice a user or automated system using Rasterbar libtorrent to load a specially crafted BitTorrent file to create or overwrite arbitrary files using dot dot sequences in filenames.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Rasterbar libtorrent users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=net-libs/rb_libtorrent-0.13-r1"

All Deluge users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-p2p/deluge-1.1.9"

References
==========

  [ 1 ] CVE-2009-1760
        https://www.cve.org/CVERecord?id=CVE-2009-1760

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/200907-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [email address protected] or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5/

A directory traversal flaw in Rasterbar libtorrent could allow unauthorized remote users to overwrite files on Gentoo installations.
Rasterbar Libtorrent, File Overwrite, Gentoo Security Advisory.
LinuxSecurity.com Team

Jul 17, 2009 Gentoo

Fedora 9: 2009-6682 Moderate: Deluge Directory Traversal Threat

This release adds a backported upstream patch to fix a directory traversal vulnerability in the included copy of libtorrent which would allow a remote attacker to create or overwrite arbitrary files via a ".." (dot dot) and partial relative pathname in a specially-crafted torrent.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-6682
2009-06-19 12:31:30
--------------------------------------------------------------------------------

Name        : deluge
Product     : Fedora 9
Version     : 0.5.9.3
Release     : 2.fc9
URL         : https://deluge-torrent.org/
Summary     : A GTK+ BitTorrent client with support for DHT, UPnP, and PEX
Description :
Deluge is a new BitTorrent client, created using Python and GTK+. It is intended to bring a native, full-featured client to Linux GTK+ desktop environments such as GNOME and XFCE. It supports features such as DHT (Distributed Hash Tables), PEX (µTorrent-compatible Peer Exchange), and UPnP (Universal Plug-n-Play) that allow one to more easily share BitTorrent data even from behind a router with virtually zero configuration of port-forwarding.

--------------------------------------------------------------------------------
Update Information:

This release adds a backported upstream patch to fix a directory traversal vulnerability in the included copy of libtorrent which would allow a remote attacker to create or overwrite arbitrary files via a ".." (dot dot) and partial relative pathname in a specially-crafted torrent.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 18 2009 Peter Gordon - 0.5.9.3-2
- Revert CVS files to 0.9.5.3
- Add backported patch for the included copy of rb_libtorrent to fix
  CVE-2009-1760 (#505523):
  + 0.5.9.3-CVE-2009-1760.diff
* Thu Nov 13 2008 Peter Gordon - 1.0.5-1
- Update to new upstream release (1.0.5)
- Drop desktop file icon name hack (fixed upstream).
- Add setuptools runtime dependency, to fix "No module named pkg_resources"
  error messages.
* Tue Jun 24 2008 Peter Gordon - 0.5.9.3-1
- Update to new upstream release (0.5.9.3)
* Fri May 23 2008 Peter Gordon - 0.5.9.1-1
- Update to new upstream release (0.5.9.1)
* Fri May 2 2008 Peter Gordon - 0.5.9.0-1
- Update to new upstream release (0.5.9.0)
- Drop upstreamed default-preferences patch for disabling new version
  notifications:
  - default-prefs-no-release-notifications.patch
* Tue Apr 15 2008 Peter Gordon - 0.5.8.9-1
- Update to new upstream release (0.5.8.9)
* Wed Mar 26 2008 Peter Gordon - 0.5.8.7-1
- Update to new upstream release (0.5.8.7)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #505523 - CVE-2009-1760 rb_libtorrent: arbitrary file overwrite vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=505523
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update deluge' at the command line.
For more information, refer to "Managing Software with yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
Fedora-package-announce mailing list
[email address protected]
https://lists.fedoraproject.org/archives/list/[email address protected]/

This patch fixes a security vulnerability in libtorrent by preventing directory traversal risks, increasing the safety for Fedora 9 users.
Fedora Update, Deluge Security, Directory Traverse, Libtorrent Fix.
Severity: Important.
LinuxSecurity.com Team

Jun 26, 2009 Important Fedora

Debian 5.0 DSA-1815-1 Critical: libtorrent-rasterbar Denial of Service

It was discovered that the Rasterbar Bittorrent library performed insufficient validation of path names specified in torrent files, which could lead to denial of service by overwriting files.

------------------------------------------------------------------------
Debian Security Advisory DSA-1815-1                  [email address protected]
http://www.debian.org/security/                      Moritz Muehlenhoff
June 14, 2009                                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : libtorrent-rasterbar
Vulnerability  : programming error
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2009-1760

It was discovered that the Rasterbar Bittorrent library performed insufficient validation of path names specified in torrent files, which could lead to denial of service by overwriting files.

The old stable distribution (etch) doesn't include libtorrent-rasterbar.

For the stable distribution (lenny), this problem has been fixed in version 0.13.1-2+lenny1.

For the unstable distribution (sid), this problem has been fixed in version 0.14.4-1.

We recommend that you upgrade your libtorrent-rasterbar package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
--------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

These files will probably be moved into the stable distribution on its next update.

---------------------------------------------------------------------------------
For apt-get: deb https://www.debian.org/security/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: [email address protected]
Package info: `apt-cache show ' and https://www.debian.org/distrib/packages

A denial of service flaw in libtorrent-rasterbar affects Debian systems. It is advisable to update to improve security measures.
libtorrent, Denial of Service, Debian Security.
Severity: Critical.
LinuxSecurity.com Team

Jun 15, 2009 Critical Debian