openSUSE Security Update: Security update for libtorrent-rasterbar, qbittorrent
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0391-1
Rating:             moderate
References:         #1217677 
Cross-References:   CVE-2023-30801
CVSS scores:
                    CVE-2023-30801 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP4
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libtorrent-rasterbar, qbittorrent fixes the following
   issues:

   Changes in libtorrent-rasterbar:

   - Update to version 2.0.9

     * fix issue with web seed connections when they close and re-open
     * fallocate() not supported is not a fatal error
     * fix proxying of IPv6 connections via IPv4 proxy
     * treat CGNAT address range as local IPs
     * add stricter checking of piece layers when loading torrents
     * add stricter checking of v1 and v2 hashes being consistent
     * cache failed DNS lookups as well as successful ones
     * add an i2p torrent state to control interactions with clear swarms
     * fix i2p SAM protocol parsing of quoted messages
     * expose i2p peer destination in peer_info
     * fix i2p tracker announces
     * fix issue with read_piece() stopping torrent on pieces not yet
       downloaded
     * improve handling of allow_i2p_mixed setting to work for magnet links
     * fix web seed request for renamed single-file torrents
     * fix issue where web seeds could disappear from resume data
     * extend save_resume with additional conditional flags
     * fix issue with retrying trackers in tiers > 0
     * fix last_upload and last_download resume data fields to use posix time
     * improve error messages for no_connect_privileged_ports by untangling it
       from the port filter
     * fix I2P issue introduced in 2.0.0
     * add async tracker status query, post_trackers()
     * add async torrent status query, post_status()
     * support loading version 2 of resume data format
     * fix issue with odd piece sizes
     * add async piece availability query, post_piece_availability()
     * add async download queue query, post_download_queue()
     * add async file_progress query, post_file_progress()
     * add async peer_info query, post_peer_info()

   - Update to version 2.0.8

     * fix uTP streams timing out instead of closing cleanly
     * add write_torrent_file_buf() overload for generating .torrent files
     * add create_torrent::generate_buf() function to generate into a buffer
     * fix copy_file when the file ends with a sparse region
     * uTP performance, fix packet loss when sending is stalled
     * fix trackers being stuck after session pause/resume
     * fix bug in hash_picker with empty files
     * uTP performance, prevent premature timeouts/resends
     * add option to not memory map files below a certain size
     * settings_pack now returns default values when queried for missing
       settings
     * fix copy_file fall-back when SEEK_HOLE/SEEK_DATA is not supported
     * improve error reporting from file copy and move
     * tweak pad file placement to match reference implementation
       (tail-padding)
     * uTP performance, more lenient nagle's algorithm to always allow one
       outstanding undersized packet
     * uTP performance, piggy-back held back undersized packet with ACKs
     * uTP performance, don't send redundant deferred ACKs
     * support incoming SOCKS5 packets with hostnames as source address, for
       UDP trackers
     * ignore duplicate network interface change notifications on linux
     * fix total_want/want accounting when forcing a recheck
     * fix merging metadata with magnet links added on top of existing
       torrents
     * add torrent_flag to default all file priorities to dont_download
     * fix &so= feature in magnet links
     * improve compatibility of SOCKS5 UDP ASSOCIATE
     * fix madvise range for flushing cache in mmap_storage
     * open files with no_cache set in O_SYNC mode

   - Update to version 2.0.7

     * fix issue in use of copy_file_range()
     * avoid open-file race in the file_view_pool
     * fix issue where stop-when-ready would not close files
     * fix issue with duplicate hybrid torrent via separate v1 and v2 magnet
       links
     * added new function to load torrent files, load_torrent_*()
     * support sync_file_range()
     * fix issue in write_torrent_file() when file size is exactly piece size
     * fix file_num_blocks() and file_num_pieces() for empty files
     * add new overload to make_magnet_uri()
     * add missing protocol version to tracker_reply_alert and
       tracker_error_alert
     * fix privilege issue with SetFileValidData()
     * add asynchronous overload of torrent_handle::add_piece()
     * default to a single hashing thread, for full checks
     * Fix bug when checking files and the first piece is invalid

   Changes in qbittorrent:

   - Update to version 4.6.2

     Bug fixes:

     * Do not apply share limit if the previous one was applied
     * Show Add new torrent dialog on main window screen

     Web UI:

     * Fix JS memory leak
     * Disable stdout buffering for qbt-nox

     Wayland:

     * Fix parent widget of "Lock qBittorrent" submenu

   - Also fixes boo#1217677 (CVE-2023-30801, upstream reference
     gh#qbittorrent/qBittorrent#19738)

   - Update to version 4.6.1

     New features:

     * Add option to enable previous Add new torrent dialog behavior

     Fixed bugs:

     * Prevent crash due to race condition when adding magnet link
     * Fix Enter key behavior when adding a new torrent
     * Add missing main window icon
     * Update size of selected files when selection is changed
     * Correctly handle changing save path of torrent w/o metadata
     * Use appropriate icon for "moving" torrents in transfer list

     Web UI:

     * Drop WebUI default credentials
     * Add I2P settings to WebUI
     * Fix duplicate scrollbar on Transfer List
     * Fix incorrect subcategory sorting
     * Correctly set save path in RSS rules
     * Allow to request torrents count via WebAPI
     * Improve performance of getting torrent numbers via WebAPI
     * Improve free disk space checking for WebAPI

     Misc:

     * Fix invisible tray icon with Qt5 in Linux


   - Update to version 4.6.0

     New features:

     * Add (experimental) I2P support
     * Provide UI editor for the default theme
     * Various UI theming improvements
     * Implement torrent tags editing dialog
     * Revamp "Watched folder options" and "Automated RSS downloader" dialog
     * Allow using other icons in dark mode
     * Allow to add new torrents to queue top
     * Allow to filter torrent list by save path
     * Expose 'socket send/receive buffer size' options
     * Expose 'max torrent file size' setting
     * Expose 'bdecode limits' settings
     * Add options to adjust behavior of merging trackers to existing torrent
     * Add option to stop seeding when torrent has been inactive
     * Allow to use proxy per subsystem
     * Expand the scope of "Proxy hostname lookup" option
     * Add shortcut for "Ban peer permanently" function
     * Add option to auto hide zero status filters
     * Allow to disable confirmation of Pause/Resume All
     * Add alternative shortcut CTRL+E for CTRL+F
     * Show filtered port numbers in logs
     * Add button to copy library versions to clipboard

     Bug fixes:

     * Ensure ongoing storage moving job will be completed when shutting down
     * Refactored many areas to call non UI blocking code
     * Various improvements to the SQLite backend
     * Improve startup window state handling
     * Use tray icon from system theme only if option is set
     * Inhibit system sleep while torrents are moving
     * Use hostname instead of domain name in tracker filter list
     * Visually validate input path in torrent creator dialog
     * Disable symlink resolving in Torrent creator
     * Change default value for `file pool size` and `stop tracker timeout`
       settings
     * Log when duplicate torrents are being added
     * Inhibit suspend instead of screen idle
     * Ensure file name is valid when exporting torrents
     * Open "Save path" if torrent has no metadata
     * Prevent an edge case where a torrent added via magnet link starts unexpectedly
     * Better ergonomics of the "Add new torrent" dialog

     WebUI:

     * Add log viewer
     * WebAPI: Allow to specify session cookie name
     * Improve sync API performance
     * Add filelog settings
     * Add multi-file renaming
     * Add "Add to top of queue" option
     * Implement subcategories
     * Set "SameSite=None" if CSRF Protection is disabled
     * Show only hosts in tracker filter list
     * Set Connection status and Speed limits tooltips
     * set Cross Origin Opener Policy to `same-origin`
     * Fix response for HTTP HEAD method
     * Preserve the network interfaces when connection is down
     * Add "Add Tags" field for RSS rules
     * Fix missing error icon

     RSS:

     * Add "Rename rule" button to RSS Downloader
     * Allow to edit RSS feed URL
     * Allow to assign priority to RSS download rule

     Search:

     * Use python isolate mode
     * Bump python version minimum requirement to 3.7.0

     Other:

     * Numerous code improvements and refactorings

   - Update to version 4.5.5

     Bug fixes:

     * Fix transfer list tab hotkey
     * Don't forget to enable the Apply button in the Options dialog
     * Immediately update torrent status on moving files
     * Improve performance when scrolling the file list of large torrents
     * Don't operate on random torrents when multiple are selected and a
       sort/filter is applied

     RSS:

     * Fix overwriting feeds.json with an incomplete load of it

   - Update to version 4.5.4

     Bug fixes:

     * Allow to disable confirmation of Pause/Resume All
     * Sync flag icons with upstream

     Web UI:

     * Fix category save path

   - Update to version 4.5.3

     Bug fixes:

     * Correctly check if database needs to be updated
     * Prevent incorrect log message about torrent content deletion
     * Improve finished torrent handling
     * Correctly initialize group box children as disabled in Preferences
     * Don't miss saving "download path" in SQLite storage
     * Improve logging of running external program

     Web UI:

     * Disable UPnP for web UI by default
     * Use workaround for IOS file picker
     * Work around Chrome download limit
     * Improve 'exporting torrent' behavior

   - Update to version 4.5.2

     Bug fixes:

     * Don't unexpectedly activate queued torrents when prefetching metadata
       for added magnets
     * Update the cached torrent state once recheck is started
     * Be more likely to allow the system to use power saving modes

     Web UI:

     * Migrate away from unsafe function
     * Blacklist bad ciphers for TLS in the server
     * Allow only TLS 1.2+ in the server
     * Allow to set read-only directory as torrent location
     * Reject requests that contain backslash in path

     RSS:

     * Prevent RSS folder from being moved into itself

   - Update to version 4.5.1

     New features:

     * Re-allow to use icons from system theme

     Bug fixes:

     * Fix Speed limit icon size
     * Revise and fix some text colors
     * Correctly load folder based UI theme
     * Fix crash due to invalid encoding of tracker URLs
     * Don't drop !qB extension when renaming incomplete file
     * Correctly count the number of torrents in subcategories
     * Use "additional trackers" when metadata retrieving
     * Apply correct tab order to Category options dialog
     * Add all torrents passed via the command line
     * Fix startup performance on Qt5
     * Automatic move will now overwrite existing files
     * Some fixes for loading Chinese locales
     * New Pause icon color for toolbar/menu
     * Adjust env variable for PDB discovery

     Web UI:

     * Fix missing "queued" icon
     * Return paths using platform-independent separator format
     * Change order of accepted types of file input
     * Add missing icons
     * Add "Resume data storage type" option
     * Make rename file dialog resizable
     * Prevent incorrect line breaking
     * Improve hotkeys
     * Remove suggestions while searching for torrents
     * Expose "IS PRIVATE" flag
     * Return name/hash/infohash_v1/infohash_v2 torrent properties

     Other:

     * Fix tray icon issues

   - Update to version 4.5.0

     New features:

     * Add `Auto resize columns` functionality
     * Allow to use Category paths in `Manual` mode
     * Allow to disable Automatic mode when default "temp" path changed
     * Add tuning options related to performance warnings
     * Add right click menu for status filters
     * Allow setting the number of maximum active checking torrents
     * Add option to toggle filters sidebar
     * Allow to set `working set limit` on non-Windows OS
     * Add `Export .torrent` action
     * Add keyboard navigation keys
     * Allow to use POSIX-compliant disk IO type
     * Add `Filter files` field in new torrent dialog
     * Implement new icon/color theme
     * Add file name filter/blacklist
     * Add support for custom SMTP ports
     * Split the OS cache settings into Disk IO read/write modes
     * When duplicate torrent is added set metadata to existing one
     * Greatly improve startup time with many torrents
     * Add keyboard shortcut to Download URL dialog
     * Add ability to run external program on torrent added
     * Add infohash and download path columns
     * Allow to set torrent stop condition
     * Add a `Moving` status filter
     * Change color palettes for both dark, light themes
     * Add a `Use proxy for hostname lookup` option
     * Introduce a `change listen port` cmd option
     * Implement `Peer ID Client` column for `Peers` tab
     * Add port forwarding option for embedded tracker

     Bug fixes:

     * Store hybrid torrents using `torrent ID` as basename
     * Enable Combobox editor for the `Mixed` file download priority
     * Allow shortcut folders for the Open and Save directory dialogs
     * Rename content tab `Size` column to `Total Size`
     * Fix scrolling to the lowermost visible torrent
     * Allow changing file priorities for finished torrents
     * Focus save path when Manual mode is selected initially
     * Disable force reannounce when it is not possible
     * Add horizontal scrolling for tracker list and torrent content
     * Enlarge "speed limits" icons
     * Change Downloaded to Times Downloaded in trackers tab
     * Remove artificial max limits from `Torrent Queueing` related
       options
     * Preserve `skip hash check` when there is no metadata
     * Fix DHT/PeX/LSD status when it is globally disabled
     * Fix rate calculation when interval is too low
     * Add tooltip message when system tray icon isn't available
     * Improve sender field in mail notifications
     * Fix "Add torrent dialog" spill-over on smaller screens
     * Fix peer count issue when tracker responds with zero figure
     * Don't merge trackers by default
     * Don't inhibit system sleep/auto shutdown for torrents stuck at
       downloading metadata
     * Allow to pause a checking torrent from context menu
     * Allow to use subnet notation in reverse proxy list
     * Fine tune translations loading for Chinese locales
     * Fix torrent content checkboxes not updated properly
     * Correctly load state of `Use another path for incomplete torrents` in
       Watched folders
     * Add confirmation to resume/pause all
     * Fix wrong count of errored trackers

     WebUI:

     * Allow blank lines in multipart form-data input
     * Make various dialogs resizable
     * Fix wrong v2 hash string displayed
     * WebAPI: return correct status
     * Fix empty selection in language combobox
     * Store WebUI port setting in human readable number
     * Add support for exporting .torrent
     * WebAPI: Add endpoint to set speed limit mode
     * Improve progress bar rendering
     * Add transfer list refresh interval settings
     * Use natural sort
     * Apply i18n translation only to built-in WebUI
     * Alert when HTTPS settings are incomplete
     * Handle drag and drop events
     * Fix wrong behavior for shutdown action
     * Don't disable combobox for file priority

     RSS:

     * Increase limit of maximum number of articles per feed

     Other:

     * Mark as single window app in .desktop file
     * Add Dockerfile
     * Remove option of using icons from system theme

   - Update to version 4.4.5

     Bug fixes:

     * Fix missing trackers when adding magnet link. Affects libtorrent 2.0.x
       builds.

   - Update to version 4.4.4

     * Improve D-Bus notifications handling

     Bug fixes:

     * Correctly handle data decompression with Qt 6.3
     * Fix wrong file names displayed in tooltip
     * Fix incorrect "max outgoing port" setting
     * Make working set limit available only on libtorrent 2.0.x builds
     * Try to recover missing tags

     RSS:

     * Clear RSS parsing error after use

     Web API:

     * Set HTTP method restriction on WebAPI actions

   - Update to version 4.4.3.1

     Bug fixes:

     * Fix broken translations

   - Update to version 4.4.3

     Bug fixes:

     * Correctly handle changing of temp save path
     * Fix storage in SQLite
     * Correctly apply content layout when "Skip hash check" is enabled
     * Don't corrupt IDs of v2 torrents
     * Reduce the number of hashing threads by default (improves hashing
       speed on HDDs)
     * Prevent the "update dialog" from blocking input on other windows
     * Add trackers in exported .torrent files
     * Fix wrong GUI behavior in "Optional IP address to bind to" setting

     Web UI:

     * Fix WebUI crash due to missing tags from config
     * Show correct location path


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2023-391=1

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2023-391=1



Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

      libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1
      libtorrent-rasterbar-debugsource-2.0.9-bp155.2.3.1
      libtorrent-rasterbar-devel-2.0.9-bp155.2.3.1
      libtorrent-rasterbar2_0-2.0.9-bp155.2.3.1
      libtorrent-rasterbar2_0-debuginfo-2.0.9-bp155.2.3.1
      python3-libtorrent-rasterbar-2.0.9-bp155.2.3.1
      python3-libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1

   - openSUSE Backports SLE-15-SP5 (aarch64 ppc64le s390x x86_64):

      qbittorrent-4.6.2-bp155.2.3.1
      qbittorrent-debuginfo-4.6.2-bp155.2.3.1
      qbittorrent-debugsource-4.6.2-bp155.2.3.1
      qbittorrent-nox-4.6.2-bp155.2.3.1
      qbittorrent-nox-debuginfo-4.6.2-bp155.2.3.1

   - openSUSE Backports SLE-15-SP5 (noarch):

      libtorrent-rasterbar-doc-2.0.9-bp155.2.3.1

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

      libtorrent-rasterbar-devel-2.0.9-bp154.3.3.1
      libtorrent-rasterbar2_0-2.0.9-bp154.3.3.1
      python3-libtorrent-rasterbar-2.0.9-bp154.3.3.1
      qbittorrent-4.6.2-bp154.3.3.1
      qbittorrent-debuginfo-4.6.2-bp154.3.3.1
      qbittorrent-debugsource-4.6.2-bp154.3.3.1
      qbittorrent-nox-4.6.2-bp154.3.3.1
      qbittorrent-nox-debuginfo-4.6.2-bp154.3.3.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      libtorrent-rasterbar-doc-2.0.9-bp154.3.3.1
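   To confirm that a host actually received this update, the script below (an added example, not part of the openSUSE advisory) compares an rpm inventory against the fixed versions from the package list above. rpmvercmp is a simplified re-implementation of rpm's version ordering, and the sample inventory is constructed.

```python
import re
import subprocess

# Fixed versions taken from the advisory's package list (runtime packages;
# the -devel, -doc, -debuginfo and -debugsource packages share the same NVR).
RELEASE = {"openSUSE Backports SLE-15-SP5": "bp155.2.3.1",
           "openSUSE Backports SLE-15-SP4": "bp154.3.3.1"}
VERSION = {"libtorrent-rasterbar2_0": "2.0.9",
           "python3-libtorrent-rasterbar": "2.0.9",
           "qbittorrent": "4.6.2", "qbittorrent-nox": "4.6.2"}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def fixed_for(product):
    """{package: (version, release)} that this advisory ships for `product`."""
    return {name: (ver, RELEASE[product]) for name, ver in VERSION.items()}


def rpmvercmp(a, b):
    """Simplified rpm version ordering: split into digit and letter runs,
    compare digit runs as integers and letter runs lexically, a digit run
    outranking a letter run; rpm's '~'/'^' rules are omitted (unused here).
    Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def check_inventory(inventory, fixed):
    """inventory: lines of 'NAME VERSION RELEASE'.  Returns {name: status},
    status being 'fixed', 'older than fix' or 'not installed'.  Epochs are
    ignored because none of these packages carries one."""
    installed = {}
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) == 3:
            installed[parts[0]] = (parts[1], parts[2])
    status = {}
    for name, (ver, rel) in fixed.items():
        if name not in installed:
            status[name] = "not installed"
            continue
        c = rpmvercmp(installed[name][0], ver) or rpmvercmp(installed[name][1], rel)
        status[name] = "fixed" if c >= 0 else "older than fix"
    return status


def check_host(product):
    """Query the local rpm database (Linux host with rpm) and evaluate it."""
    out = subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME} %{VERSION} %{RELEASE}\n"],
        capture_output=True, text=True, check=True).stdout
    return check_inventory(out, fixed_for(product))


# Constructed inventory for an offline run; the release strings of the two
# outdated packages are invented, not real openSUSE builds.
SAMPLE_INVENTORY = """\
libtorrent-rasterbar2_0 2.0.9 bp155.2.3.1
python3-libtorrent-rasterbar 2.0.8 bp155.1.5.2
qbittorrent-nox 4.5.5 bp155.1.2.1
"""
```

   On a real host, `check_host("openSUSE Backports SLE-15-SP5")` runs the rpm query itself; any package reported as "older than fix" still needs the `zypper in -t patch` command from the Patch Instructions.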


References:

   https://www.suse.com/security/cve/CVE-2023-30801.html
   https://bugzilla.suse.com/1217677

openSUSE: 2023:0391-1 moderate: libtorrent-rasterbar, qbittorrent

December 7, 2023