DC++ 0.851

A new security & stability update of DC++ has been released today.

There are no user-visible new features this time. Besides the latest OpenSSL security fixes and further hardening of secure connections by disallowing weak ciphersuites, this DC++ version largely focuses on mitigating malicious situations where DC++ can be used for distributed denial of service (DDoS) attacks when being logged in to certain malevolent NMDC hubs.

Please note that most, if not all, previous DC++ versions are affected by this problem; therefore this release is highly recommended for everyone still using any older DC++ version. Once all maintained NMDC hub software implements the mitigation for this problem, it is highly probable that many existing hubs will require this DC++ release as the minimum version to use.

If no critical issues are found, DC++ 0.851 should be marked as the new stable DC++ release within a short period of time.

For the complete list of changes in version 0.851, please explore the changelog.

DC++ 0.850

The first new DC++ release in the last nine months, version 0.850 fixes and further hardens security-related functions, notably to avoid all popular TLS exploits that have emerged since last April.

This release also contains stability and performance updates of various 3rd party libraries and improvements of the latest version of the compiler.

For the complete list of fixes and upgraded libraries, please explore the changelog items and the linked bug discussions.

DC++ 0.842

The first stable release of the 0.840 series of DC++ is out. Besides a few SSL encryption-related and stability fixes, this version largely focuses on implementing various features asked for or recommended by the user community through our feature tracker.

The changelog shows all the implemented new features and fixes.

DC++ 0.842 also provides protection against the infamous “Heartbleed” OpenSSL vulnerability. This security hole has existed in DC++ since version 0.799.

There’s a high chance that version 0.842 is the last mainstream DC++ release that supports Windows XP. Due to the still large userbase of the already unsupported operating system, security and major stability fixes are possible for a few more months using a separate branch targeting XP only. The update reminder system is modified so that when any forthcoming version targeting Vista and later is released, XP users won’t see the notification dialog anymore.

From that time on, people running Windows XP will see the update nag dialog only if there’s an update targeting their old OS. However, starting with version 0.840, every XP user gets a special reminder at startup about the EOS of DC++ on their operating system.

Due to the nice new features and security fixes the upgrade is highly recommended.

DC++ 0.831

A new bug-fixing service release of DC++ has been released today, fixing the following problems introduced with version 0.830:

  • One of the bugs, marked as critical, prevents DC++ from responding to TTH searches on NMDC hubs.
  • A problem with too small protocol command size limits can cause problems for hubs sending large user commands.
  • The newly introduced direct encrypted private message channels are getting disconnected after some idle time.

All the fixed problems exist in version 0.830 only; thus older versions are not affected. For users running DC++ 0.830 the upgrade is highly recommended.

DC++ 0.830

Today we marked the first version of the 0.83x series of DC++ as stable. The new release brings plenty of stability updates and introduces a new ADC feature to improve privacy.

The privacy improvement is actually an implementation of an ADC protocol extension called CCPM. Basically, it allows two peers to initiate an SSL encrypted direct connection channel for sending and receiving private messages.

Until now, all private messages in the DC network have gone through a hub where both users were logged in. While this method is great for controlling unwanted messages (spamming), it also makes it possible for the hub owner to spy on any private communications.

Enter CCPM, a feature that still needs a hub to initiate the direct encrypted connection, but the hub is needed only for the start. After the direct channel has been established, the messages go directly between the peers in an encrypted way. The channel initiation requires the two users to be logged on a secure ADC hub (ADCS).

The whole discussion of the protocol features and CCPM implementation can be found here (the implementation details with screenshots start at this position of the thread). The built-in help of DC++ also describes the feature in the Private message window page and the available controlling options in the Certificates’ settings page (once updated, links will be added to the web version of the DC++ help, too).

The list of other fixes in version 0.830 speaks for itself yet again this time; explore the changelog items and the linked bug discussions in them for more information.

DC++ 0.828

A new stability update of DC++ is released today. Besides the fixed stability issues, DC++ 0.828 also comes with a few minor feature updates. No detailed discussion of the changes this time; you can browse the changelog for the list of all improvements and fixed issues as they speak for themselves.

Upgrade is recommended for users of any earlier versions.

DC++ 0.825

A new security & stability update of DC++ is released today. There are no new features this time; the update fixes a couple of severe security vulnerabilities discovered since the release of version 0.822. The following problems were fixed:

  • The client can crash in case of multiple partial file list uploads, requested at the same time or shortly one after the other. This problem hits the previous two releases (versions 0.820 & 0.822).
  • The originator of some types of ADC protocol messages isn’t correctly verified. This allows a malicious client to block outgoing connections of other users logged into an ADC hub by sending commands that should be accepted from the hub only. This problem exists in all earlier versions of DC++ and the solution needs fixes in various ADC hub software as well. A more detailed description of this vulnerability can be found in the original bug report.

Due to the nature of these bugs an immediate upgrade is recommended.