DC++ 0.866 goes stable – Vulnerability disclosure

DC++ 0.866 has been marked as stable today. As announced before, the new version fixes a serious denial-of-service problem that any malicious user can trigger relatively easily on any hub running without defenses applied.

In short, a specially crafted main chat or private message consisting of a large number of empty lines can make older versions of DC++ completely stop responding.

Details of the vulnerability are available in the original bug report entry.

The bug causing this problem exists in all versions of DC++ between 0.760 and 0.865.

In addition to the client update, hubs can mitigate this problem relatively easily by not allowing main chat and private messages that are hundreds or thousands of lines long to be (repeatedly) sent through the hub.

Since there’s no guarantee that a proper hubside defense against this bug is implemented on all connected hubs, and the vulnerability can also be exploited by sending messages through a direct encrypted private message channel, we strongly recommend that all DC++ users upgrade to the latest release as soon as possible.
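The hub-side mitigation described above can be sketched as a line-count filter applied to each chat or private message before the hub relays it. This is an added example, not code from DC++ or any hub software; the thresholds, the `ChatLineFilter` class and the `Verdict` values are assumptions, and the input is taken to be the text parameter of an ADC MSG command in its escaped wire form.

```cpp
#include <cstddef>
#include <string>
#include <unordered_map>

// Assumed policy values (not from the post); tune per hub.
constexpr std::size_t kMaxLines = 50;       // lines allowed per message
constexpr std::size_t kMaxEmptyLines = 10;  // empty lines allowed per message
constexpr int kMaxStrikes = 3;              // rejected messages before disconnect

enum class Verdict { Allow, Drop, Disconnect };
struct LineStats { std::size_t lines; std::size_t empty; };

// Count lines in the text parameter of an ADC MSG command as it appears on
// the wire: newline is escaped as "\n", space as "\s", backslash as "\\".
LineStats countLines(const std::string& escaped) {
    LineStats st{1, 0};
    bool hasText = false;  // current line holds a non-whitespace character
    for (std::size_t i = 0; i < escaped.size(); ++i) {
        if (escaped[i] == '\\' && i + 1 < escaped.size()) {
            char e = escaped[++i];
            if (e == 'n') {            // line break: close the current line
                if (!hasText) ++st.empty;
                ++st.lines;
                hasText = false;
            } else if (e != 's') {     // "\\" is text, "\s" is whitespace
                hasText = true;
            }
        } else if (escaped[i] != '\r' && escaped[i] != '\t') {
            hasText = true;
        }
    }
    if (!hasText) ++st.empty;          // account for the last line
    return st;
}

// Hypothetical per-hub filter keyed by the sender's session ID (SID).
class ChatLineFilter {
public:
    Verdict check(const std::string& sid, const std::string& escapedText) {
        const LineStats st = countLines(escapedText);
        if (st.lines <= kMaxLines && st.empty <= kMaxEmptyLines)
            return Verdict::Allow;
        // Repeated oversized messages from one sender escalate to a disconnect.
        return ++strikes_[sid] >= kMaxStrikes ? Verdict::Disconnect : Verdict::Drop;
    }
private:
    std::unordered_map<std::string, int> strikes_;
};
```

A filter like this only sees traffic relayed by the hub; messages sent over a direct encrypted private message channel never reach it, which is why the client upgrade remains necessary.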

About emtee
I started to use DC using DC++ in 2003 when its version number was around 0.261. Since then I've been amazed by the DC network: a professional but still easy-to-use way of P2P file sharing. I was invited to the DC++ development team in 2006 where - in the beginning - I had been doing user support and testing only. A few years later I started to add small contributions to the DC++ code as well, so these days I mostly do bug fixes, testing and improvements, and I also take part in improving the documentation for both DC++ and ADCH++. I translated the whole DC++ help file to my native language (Hungarian) and I am currently maintaining the whole HU locale stuff for DC++. My ultimate goal is to help make the DC network as user friendly as possible.
