DC++ 0.866 goes stable – Vulnerability disclosure

May 28, 2017 by Leave a comment

DC++ 0.866 has been marked as stable today. As it was announced before the new version fixes a serious denial of service problem that can be relatively easily triggered by any malicious user of any hub running without defenses applied.

In short, a specially crafted main chat or private message consisting of large number of empty lines can make older versions of DC++ completely stop responding.

Details of the vulnerability are available in the original bug report entry.

The bug causing this problem exists in all versions of DC++ between 0.760 and 0.865.

Above the client update requirement, hubs can relatively easily mitigate this problem by disallowing any hundreds or thousands line long main chat and private messages to be (repeatedly) sent through the hub.

Since there’s no guarantee of proper hubside defense against this bug being implemented on all connected hubs and the vulnerability can also be exploited by sending messages through a direct encrypted private message channel, we strongly recommend all DC++ users to upgrade to the latest release as soon as possible.

Filed under DC++, General, Security

About emtee
I started to use DC using DC++ in 2003 when its version number was around 0.260. Since then I've been amazed by the DC network: a professional but still easy-to-use way of P2P file sharing. I was invited to the DC++ team in 2006 where - in the beginning - I had been doing user support and some testing only. A few years later I started to add small contributions to the DC++ code as well so for many years I'd been doing mostly bug fixes, testing, feature proposals and improvements. At the same time I worked on improving the documentation for both DC++ and ADCH++ as well. These days I'm trying to maintain the whole code and the infrastructure behind to keep these software secure and usable for a prolonged time. My ultimate goal is to help making the DC network as more user friendly as possible.

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: