DC++ 0.866 goes stable – Vulnerability disclosure
May 28, 2017 Leave a comment
DC++ 0.866 has been marked as stable today. As it was announced before the new version fixes a serious denial of service problem that can be relatively easily triggered by any malicious user of any hub running without defenses applied.
In short, a specially crafted main chat or private message consisting of large number of empty lines can make older versions of DC++ completely stop responding.
Details of the vulnerability are available in the original bug report entry.
The bug causing this problem exists in all versions of DC++ between 0.760 and 0.865.
Above the client update requirement, hubs can relatively easily mitigate this problem by disallowing any hundreds or thousands line long main chat and private messages to be (repeatedly) sent through the hub.
Since there’s no guarantee of proper hubside defense against this bug being implemented on all connected hubs and the vulnerability can also be exploited by sending messages through a direct encrypted private message channel, we strongly recommend all DC++ users to upgrade to the latest release as soon as possible.