Official DC++ has important security release - what about us?

Asked by emarkay

October 15, 2010 - "We have released a security update to protect users from being directed to potential fake hubs through Openhublist and also removed the old AML client detection URL so nobody can misuse it. Users are open to being fed false information through both methods. This is a critical security update that every user should fix by downloading 1.3.8. There are a few other changes mentioned including encryption enabled by default and improvements to crash reporting system.

We have skipped 1.3.7 because it is a fake version based on 1.3.6 and removes limiter rules. We advise all hub owners and operators to ban it. [Use] ApexDC++ 1.3.8."

What about "our" Linux version?

Question information

English
LinuxDC++
No assignee
Solved by: Steven Sheehy

Steven Sheehy (steven-sheehy) said :

Not sure why you say official DC++ but then link to ApexDC++... but anyway, looks like it does affect DC++ as well. I don't really consider this a "critical security" vulnerability; clients should know that hub lists are third parties and are not to be trusted. The worst it can do is send you to some useless hub and spam you, as far as I can tell. Even the official DC++ has not made a release with the updated code even though they've had it fixed since 9/30 in Bazaar, so it couldn't be that critical.

Either way, our trunk is not in a state to make a release at the moment and we unfortunately didn't branch 1.0.3 before the changes. 1.1.0 will be worth the wait, though.

Best Steven Sheehy (steven-sheehy) said :

I should add that we will remove openhublist from our trunk though. So if you're using our PPA you will get a partial fix.

emarkay (mrk) said :

Thanks Steven Sheehy, that solved my question.