George Site Admin
Joined: 19 Sep 2005 Posts: 2153
|
Posted: Fri Mar 09, 2007 6:24 pm Post subject: 2.1.2 released |
|
|
Bryan Burns of Juniper Networks found 2 security vulnerabilities in KTorrent. These have now been fixed in the 2.1.2 release.
This is just 2.1.1 with these 2 fixes. It would be advisable to upgrade. |
|
Linder
Joined: 07 Jan 2007 Posts: 26
|
Posted: Fri Mar 09, 2007 6:48 pm Post subject: |
|
|
How severe are they? How worried should I be using KTorrent 2.1 for a couple of weeks ahead? |
|
George Site Admin
Joined: 19 Sep 2005 Posts: 2153
|
Posted: Fri Mar 09, 2007 7:06 pm Post subject: |
|
|
Personally I don't think they are that bad.
One is just the fact that we accepted .. in paths of filenames.
So you could have multifile torrents with the following files:
../../foo/bar/avi
That's not really dangerous and you can easily see that when you get to the file selection dialog. You could overwrite some files, but not system files (provided you are not running as root).
The other is a problem where we accepted have messages with bogus chunk indexes. I'm not really convinced if this can be exploited, but I'm no hacker. |
|
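The two checks described in the post above, as an added example that is not part of the thread and is not KTorrent's own code or its actual fix. The function names are hypothetical; the 4-byte big-endian index is the standard BitTorrent have message payload.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical helper (assumption, not KTorrent's API): accept a file path
// from a multi-file torrent only if it cannot leave the save directory.
bool isSafeTorrentPath(const std::string& path) {
    if (path.empty() || path[0] == '/')
        return false;                       // empty or absolute path
    std::istringstream in(path);
    std::string part;
    while (std::getline(in, part, '/')) {
        if (part == "..")
            return false;                   // component climbs to the parent
    }
    return true;                            // names like "..foo" remain legal
}

// Hypothetical helper: decode the chunk index of a have message and accept
// it only if it names a chunk that exists in this torrent.
bool isValidHaveIndex(const unsigned char payload[4], std::uint32_t numChunks) {
    std::uint32_t idx = (std::uint32_t(payload[0]) << 24) |
                        (std::uint32_t(payload[1]) << 16) |
                        (std::uint32_t(payload[2]) << 8)  |
                         std::uint32_t(payload[3]);
    return idx < numChunks;                 // valid indexes are 0..numChunks-1
}

int main() {
    // Constructed sample inputs; the first path is the one quoted in the post.
    const char* paths[] = {"../../foo/bar/avi", "foo/bar.avi", "foo/..bar/a..b"};
    for (const char* p : paths)
        std::cout << p << " -> "
                  << (isSafeTorrentPath(p) ? "accept" : "reject") << "\n";

    const unsigned char bogus[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    std::cout << "have index 0xFFFFFFFF with 10 chunks -> "
              << (isValidHaveIndex(bogus, 10) ? "accept" : "drop") << "\n";
    return 0;
}
```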
jdong
Joined: 18 Sep 2006 Posts: 201
|
Posted: Fri Mar 09, 2007 8:51 pm Post subject: |
|
|
The first bug is much more concerning than the second (I too am no hacker), but one can more or less brute-force #1 to install bashrc's with bogus paths... and on a 100-file torrent people will not look through all the files.
In any case, 2.1.2 candidate packages are up for review in Feisty, I am currently cranking out Edgy and Dapper variants of them, expect packages in about 30 minutes. |
|
KVV
Joined: 10 Mar 2007 Posts: 1
|
Posted: Sat Mar 10, 2007 11:35 am Post subject: |
|
|
I don't like that in the new KTorrent version you removed the Downloads | Uploads | Search!
They were very cool... but now... with this section Groups... bad
I'm still with 2.0.3 and I will now upgrade...
Please, just make a plugin that enables these tabs!
Now KTorrent is ugly! |
|
George Site Admin
Joined: 19 Sep 2005 Posts: 2153
|
Posted: Sat Mar 10, 2007 11:40 am Post subject: |
|
|
That has already been addressed in the SVN version. |
|
jdong
Joined: 18 Sep 2006 Posts: 201
|
Posted: Tue Mar 13, 2007 3:37 am Post subject: |
|
|
Ok, update on the Ubuntu packaging situation:
(1) Kubuntu and Ubuntu leaders are not interested in the 2.1.1 or 2.1.2 bugfix releases being in Feisty, because of the magnitude of changes.
(2) The 2.1.2 security fixes have been backported for every Ubuntu release from breezy to feisty! So users are safe in the security sense.
(3) Edgy and Dapper users can use the packages I posted above if they really want a 2.1.2.
(4) Feisty will get 2.1.2 from me when the development slows down a bit (i.e. Beta or RC release).
(5) When Feisty+1's development repositories open (like a week after Feisty's release), I will begin the backporting process of official 2.1.2 packages. |