Hi, I regularly use Deluge to share torrent files.
I just read an article about an important fix on BitTorrent clients:
http://blog.bittorrent.com/2015/08/27/m ... ecosystem/
It explains that developers made a patch to the libuTP software to stop "possibility of exploiting BitTorrent protocols for Distributed Reflective Denial of Service Attacks (DRDoS)".
https://github.com/bittorrent/libutp/co ... 6cea885760
As libuTP is an essential component for BT apps, I wonder if Deluge also needs to be updated?
Thanks, Xavier
Update Deluge with libuTP patch correct bug allowing DRDoS ?
Re: Update Deluge with libuTP patch correct bug allowing DRD
This would be something to be fixed in libtorrent as opposed to Deluge. Deluge uses libtorrent for the main torrenting protocol and is just a fancy GUI for the front end.
You could use the LtConfig plugin to disable uTP. That might work to disable the issue.
Re: Update Deluge with libuTP patch correct bug allowing DRD
https://github.com/arvidn/libtorrent/co ... 9cc5e0a2e1
I believe this is the fix for us. And you can find libtorrent builds for Linux on the Deluge Ubuntu PPA, and I have a build of libtorrent I made for Windows here: http://doadin.github.io/ .
If anyone is wondering about my builds of libtorrent, they are made with Boost 1.59_msvc9_32 and msvc9.
Re: Update Deluge with libuTP patch correct bug allowing DRD
Hi, thanks for the quick reply - and the excellent work on Deluge!
And for the explanations - I'm not a developer, I don't understand the code.
OK, it seems we have to wait for the libtorrent package update in distributions.
The link you posted regarding the libtorrent patch (back-ported utp vulnerability fix) is dated 19th July, while the libuTP fix from the article was only 11 days ago, but it seems libtorrent has its own uTP implementation:
http://arstechnica.com/civis/viewtopic.php?p=29648417
And the libtorrent maintainer just confirmed to me that version 1.0.6 has the fix in it.
Nevertheless, even if not correlated to this DRDoS vulnerability, a bug has already been filed on Ubuntu for upgrading to the latest libtorrent version; it should be available soon:
https://bugs.launchpad.net/ubuntu/+sour ... ug/1485365
For Debian it's done: https://bugs.debian.org/cgi-bin/bugrepo ... bug=785676
For those interested, this publication:
http://www.researchgate.net/publication ... oS_Attacks