Official DC++ has important security release-what about us?

Asked by emarkay on 2010-11-03

October 15, 2010 - "We have released a security update to protect users from being directed to potential fake hubs through Openhublist and also removed the old AML client detection URL so nobody can misuse it. Users are open to being fed false information through both methods. This is a critical security update that every user should fix by downloading 1.3.8. There are a few other changes mentioned including encryption enabled by default and improvements to crash reporting system.

We have skipped 1.3.7 because it is a fake version based on 1.3.6 and removes limiter rules. We advise all hub owners and operators to ban it. [Use] ApexDC++ 1.3.8."

http://forums.apexdc.net/topic/3967-released-apexdc-138/

What about "our" Linux version?

Question information

Language: English
Status: Solved
For: LinuxDC++
Assignee: No assignee
Solved by: Steven Sheehy
Solved: 2010-11-05
Last query: 2010-11-05
Last reply: 2010-11-05

Steven Sheehy (steven-sheehy) said : #1

Not sure why you say official DC++ but then link to ApexDC++... but anyway, looks like it does affect DC++ as well. I don't really consider this a "critical security" vulnerability; clients should know that hub lists are third parties and are not to be trusted. The worst it can do is send you to some useless hub and spam you, as far as I can tell. Even the official DC++ has not made a release with the updated code even though they've had it fixed since 9/30 in bazaar, so it couldn't be that critical.

Either way, our trunk is not in a state to make a release at the moment and we unfortunately didn't branch 1.0.3 before the changes. 1.1.0 will be worth the wait, though.

Steven Sheehy (steven-sheehy) said : #2 (best answer)

I should add that we will remove openhublist from our trunk though. So if you're using our PPA you will get a partial fix.

emarkay (mrk) said : #3

Thanks Steven Sheehy, that solved my question.