LinuxDC++

Official DC++ has important security release-what about us?

Asked by emarkay on 2010-11-03

October 15, 2010 - "We have released a security update to protect users from being directed to potential fake hubs through Openhublist and also removed the old AML client detection URL so nobody can misuse it. Users are open to being fed false information through both methods. This is a critical security update that every user should fix by downloading 1.3.8. There are a few other changes mentioned including encryption enabled by default and improvements to crash reporting system.

We have skipped 1.3.7 because it is a fake version based on 1.3.6 and removes limiter rules. We advise all hub owners and operators to ban it. [Use] ApexDC++ 1.3.8."

http://forums.apexdc.net/topic/3967-released-apexdc-138/

What about "our" Linux version?

Question information

Language:: English Edit question

Status:: Solved

For:: LinuxDC++ Edit question

Assignee:: No assignee Edit question

Solved by:: Steven Sheehy

Solved:: 2010-11-05

Last query:: 2010-11-05

Last reply:: 2010-11-05

Link existing bug

Revision history for this message

Steven Sheehy (steven-sheehy) said on 2010-11-05:

Not sure why you say official DC++ but then link to ApexDC++... but anyway, looks like it does affect DC++ as well. I don't really consider this a "critical security" vulnerability, clients should know that hub lists are third parties and are not to be trusted. The worst it can do is send you to some useless hub and spam you, as far as I can tell. Even the official DC++ has not made a release with the updated code even though they've had it fixed since 9/30 in bazaar, so it couldn't be that critical.

Either way, our trunk is not in a state to make a release at the moment and we unfortunately didn't branch 1.0.3 before the changes. 1.1.0 will be worth the wait, though.

Revision history for this message