A security update for libtorrent-rasterbar and qbittorrent has been released for SUSE Linux Enterprise 15 SP4 and SP5



openSUSE-SU-2023:0391-1: moderate: Security update for libtorrent-rasterbar, qbittorrent


openSUSE Security Update: Security update for libtorrent-rasterbar, qbittorrent
_______________________________

Announcement ID: openSUSE-SU-2023:0391-1
Rating: moderate
References: #1217677
Cross-References: CVE-2023-30801
CVSS scores:
CVE-2023-30801 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP4
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for libtorrent-rasterbar, qbittorrent fixes the following
issues:

Changes in libtorrent-rasterbar:

- Update to version 2.0.9

* fix issue with web seed connections when they close and re-open
* fallocate() not supported is not a fatal error
* fix proxying of IPv6 connections via IPv4 proxy
* treat CGNAT address range as local IPs
* add stricter checking of piece layers when loading torrents
* add stricter checking of v1 and v2 hashes being consistent
* cache failed DNS lookups as well as successful ones
* add an i2p torrent state to control interactions with clear swarms
* fix i2p SAM protocol parsing of quoted messages
* expose i2p peer destination in peer_info
* fix i2p tracker announces
* fix issue with read_piece() stopping torrent on pieces not yet
downloaded
* improve handling of allow_i2p_mixed setting to work for magnet links
* fix web seed request for renamed single-file torrents
* fix issue where web seeds could disappear from resume data
* extend save_resume with additional conditional flags
* fix issue with retrying trackers in tiers > 0
* fix last_upload and last_download resume data fields to use posix time
* improve error messages for no_connect_privileged_ports, by untangling it
from the port filter
* fix I2P issue introduced in 2.0.0
* add async tracker status query, post_trackers()
* add async torrent status query, post_status()
* support loading version 2 of resume data format
* fix issue with odd piece sizes
* add async piece availability query, post_piece_availability()
* add async download queue query, post_download_queue()
* add async file_progress query, post_file_progress()
* add async peer_info query, post_peer_info()

- Update to version 2.0.8

* fix uTP streams timing out instead of closing cleanly
* add write_torrent_file_buf() overload for generating .torrent files
* add create_torrent::generate_buf() function to generate into a buffer
* fix copy_file when the file ends with a sparse region
* uTP performance, fix packet loss when sending is stalled
* fix trackers being stuck after session pause/resume
* fix bug in hash_picker with empty files
* uTP performance, prevent premature timeouts/resends
* add option to not memory map files below a certain size
* settings_pack now returns default values when queried for missing
settings
* fix copy_file fall-back when SEEK_HOLE/SEEK_DATA is not supported
* improve error reporting from file copy and move
* tweak pad file placement to match reference implementation
(tail-padding)
* uTP performance, more lenient nagle's algorithm to always allow one
outstanding undersized packet
* uTP performance, piggy-back held back undersized packet with ACKs
* uTP performance, don't send redundant deferred ACKs
* support incoming SOCKS5 packets with hostnames as source address, for
UDP trackers
* ignore duplicate network interface change notifications on linux
* fix total_want/want accounting when forcing a recheck
* fix merging metadata with magnet links added on top of existing
torrents
* add torrent_flag to default all file priorities to dont_download
* fix &so= feature in magnet links
* improve compatibility of SOCKS5 UDP ASSOCIATE
* fix madvise range for flushing cache in mmap_storage
* open files with no_cache set in O_SYNC mode

- Update to version 2.0.7

* fix issue in use of copy_file_range()
* avoid open-file race in the file_view_pool
* fix issue where stop-when-ready would not close files
* fix issue with duplicate hybrid torrent via separate v1 and v2 magnet
links
* added new function to load torrent files, load_torrent_*()
* support sync_file_range()
* fix issue in write_torrent_file() when file size is exactly piece size
* fix file_num_blocks() and file_num_pieces() for empty files
* add new overload to make_magnet_uri()
* add missing protocol version to tracker_reply_alert and
tracker_error_alert
* fix privilege issue with SetFileValidData()
* add asynchronous overload of torrent_handle::add_piece()
* default to a single hashing thread, for full checks
* Fix bug when checking files and the first piece is invalid

Changes in qbittorrent:

- Update to version 4.6.2

Bug fixes:

* Do not apply share limit if the previous one was applied
* Show Add new torrent dialog on main window screen

Web UI:

* Fix JS memory leak
* Disable stdout buffering for qbt-nox

Wayland:

* Fix parent widget of "Lock qBittorrent" submenu

- Also fixes boo#1217677 (CVE-2023-30801, upstream reference
gh#qbittorrent/qBittorrent#19738)

- Update to version 4.6.1

New features:

* Add option to enable previous Add new torrent dialog behavior

Fixed bugs:

* Prevent crash due to race condition when adding magnet link
* Fix Enter key behavior when add new torrent
* Add missing main window icon
* Update size of selected files when selection is changed
* Correctly handle changing save path of torrent w/o metadata
* Use appropriate icon for "moving" torrents in transfer list

Web UI:

* Drop WebUI default credentials
* Add I2P settings to WebUI
* Fix duplicate scrollbar on Transfer List
* Fix incorrect subcategory sorting
* Correctly set save path in RSS rules
* Allow to request torrents count via WebAPI
* Improve performance of getting torrent numbers via WebAPI
* Improve free disk space checking for WebAPI

Misc:

* Fix invisible tray icon with Qt5 in Linux

- Update to version 4.6.0

New features:

* Add (experimental) I2P support
* Provide UI editor for the default theme
* Various UI theming improvements
* Implement torrent tags editing dialog
* Revamp "Watched folder options" and "Automated RSS downloader" dialog
* Allow to use another icons in dark mode
* Allow to add new torrents to queue top
* Allow to filter torrent list by save path
* Expose 'socket send/receive buffer size' options
* Expose 'max torrent file size' setting
* Expose 'bdecode limits' settings
* Add options to adjust behavior of merging trackers to existing torrent
* Add option to stop seeding when torrent has been inactive
* Allow to use proxy per subsystem
* Expand the scope of "Proxy hostname lookup" option
* Add shortcut for "Ban peer permanently" function
* Add option to auto hide zero status filters
* Allow to disable confirmation of Pause/Resume All
* Add alternative shortcut CTRL+E for CTRL+F
* Show filtered port numbers in logs
* Add button to copy library versions to clipboard

Bug fixes:

* Ensure ongoing storage moving job will be completed when shutting down
* Refactored many areas to call non UI blocking code
* Various improvements to the SQLite backend
* Improve startup window state handling
* Use tray icon from system theme only if option is set
* Inhibit system sleep while torrents are moving
* Use hostname instead of domain name in tracker filter list
* Visually validate input path in torrent creator dialog
* Disable symlink resolving in Torrent creator
* Change default value for `file pool size` and `stop tracker timeout`
settings
* Log when duplicate torrents are being added
* Inhibit suspend instead of screen idle
* Ensure file name is valid when exporting torrents
* Open "Save path" if torrent has no metadata
* Prevent torrent starting unexpectedly edge case with magnet
* Better ergonomics of the "Add new torrent" dialog

WebUI:

* Add log viewer
* WebAPI: Allow to specify session cookie name
* Improve sync API performance
* Add filelog settings
* Add multi-file renaming
* Add "Add to top of queue" option
* Implement subcategories
* Set "SameSite=None" if CSRF Protection is disabled
* Show only hosts in tracker filter list
* Set Connection status and Speed limits tooltips
* set Cross Origin Opener Policy to `same-origin`
* Fix response for HTTP HEAD method
* Preserve the network interfaces when connection is down
* Add "Add Tags" field for RSS rules
* Fix missing error icon

RSS:

* Add "Rename rule" button to RSS Downloader
* Allow to edit RSS feed URL
* Allow to assign priority to RSS download rule

Search:

* Use python isolate mode
* Bump python version minimum requirement to 3.7.0

Other:

* Numerous code improvements and refactorings

- Update to version 4.5.5

Bug fixes:

* Fix transfer list tab hotkey
* Don't forget to enable the Apply button in the Options dialog
* Immediately update torrent status on moving files
* Improve performance when scrolling the file list of large torrents
* Don't operate on random torrents when multiple are selected and a
sort/filter is applied

RSS:

* Fix overwriting feeds.json with an incomplete load of it

- Update to version 4.5.4

Bug fixes:

* Allow to disable confirmation of Pause/Resume All
* Sync flag icons with upstream

Web UI:

* Fix category save path

- Update to version 4.5.3

Bug fixes:

* Correctly check if database needs to be updated
* Prevent incorrect log message about torrent content deletion
* Improve finished torrent handling
* Correctly initialize group box children as disabled in Preferences
* Don't miss saving "download path" in SQLite storage
* Improve logging of running external program

Web UI:

* Disable UPnP for web UI by default
* Use workaround for IOS file picker
* Work around Chrome download limit
* Improve 'exporting torrent' behavior

- Update to version 4.5.2

Bug fixes:

* Don't unexpectedly activate queued torrents when prefetching metadata
for added magnets
* Update the cached torrent state once recheck is started
* Be more likely to allow the system to use power saving modes

Web UI:

* Migrate away from unsafe function
* Blacklist bad ciphers for TLS in the server
* Allow only TLS 1.2+ in the server
* Allow to set read-only directory as torrent location
* Reject requests that contain backslash in path

RSS:

* Prevent RSS folder from being moved into itself

- Update to version 4.5.1

New features:

* Re-allow to use icons from system theme

Bug fixes:

* Fix Speed limit icon size
* Revise and fix some text colors
* Correctly load folder based UI theme
* Fix crash due to invalid encoding of tracker URLs
* Don't drop !qB extension when renaming incomplete file
* Correctly count the number of torrents in subcategories
* Use "additional trackers" when metadata retrieving
* Apply correct tab order to Category options dialog
* Add all torrents passed via the command line
* Fix startup performance on Qt5
* Automatic move will now overwrite existing files
* Some fixes for loading Chinese locales
* New Pause icon color for toolbar/menu
* Adjust env variable for PDB discovery

Web UI:

* Fix missing "queued" icon
* Return paths using platform-independent separator format
* Change order of accepted types of file input
* Add missing icons
* Add "Resume data storage type" option
* Make rename file dialog resizable
* Prevent incorrect line breaking
* Improve hotkeys
* Remove suggestions while searching for torrents
* Expose "IS PRIVATE" flag
* Return name/hash/infohash_v1/infohash_v2 torrent properties

Other:

* Fix tray icon issues

- Update to version 4.5.0

New features:

* Add `Auto resize columns` functionality
* Allow to use Category paths in `Manual` mode
* Allow to disable Automatic mode when default "temp" path changed
* Add tuning options related to performance warnings
* Add right click menu for status filters
* Allow setting the number of maximum active checking torrents
* Add option to toggle filters sidebar
* Allow to set `working set limit` on non-Windows OS
* Add `Export .torrent` action
* Add keyboard navigation keys
* Allow to use POSIX-compliant disk IO type
* Add `Filter files` field in new torrent dialog
* Implement new icon/color theme
* Add file name filter/blacklist
* Add support for custom SMTP ports
* Split the OS cache settings into Disk IO read/write modes
* When duplicate torrent is added set metadata to existing one
* Greatly improve startup time with many torrents
* Add keyboard shortcut to Download URL dialog
* Add ability to run external program on torrent added
* Add infohash and download path columns
* Allow to set torrent stop condition
* Add a `Moving` status filter
* Change color palettes for both dark, light themes
* Add a `Use proxy for hostname lookup` option
* Introduce a `change listen port` cmd option
* Implement `Peer ID Client` column for `Peers` tab
* Add port forwarding option for embedded tracker

Bug fixes:

* Store hybrid torrents using `torrent ID` as basename
* Enable Combobox editor for the `Mixed` file download priority
* Allow shortcut folders for the Open and Save directory dialogs
* Rename content tab `Size` column to `Total Size`
* Fix scrolling to the lowermost visible torrent
* Allow changing file priorities for finished torrents
* Focus save path when Manual mode is selected initially
* Disable force reannounce when it is not possible
* Add horizontal scrolling for tracker list and torrent content
* Enlarge "speed limits" icons
* Change Downloaded to Times Downloaded in trackers tab
* Remove artificial max limits from `Torrent Queueing` related
options
* Preserve `skip hash check` when there is no metadata
* Fix DHT/PeX/LSD status when it is globally disabled
* Fix rate calculation when interval is too low
* Add tooltip message when system tray icon isn't available
* Improve sender field in mail notifications
* Fix "Add torrent dialog" spill-over on smaller screens
* Fix peer count issue when tracker responds with zero figure
* Don't merge trackers by default
* Don't inhibit system sleep/auto shutdown for torrents stuck at
downloading metadata
* Allow to pause a checking torrent from context menu
* Allow to use subnet notation in reverse proxy list
* Fine tune translations loading for Chinese locales
* Fix torrent content checkboxes not updated properly
* Correctly load state of `Use another path for incomplete torrents` in
Watched folders
* Add confirmation to resume/pause all
* Fix wrong count of errored trackers

WebUI:

* Allow blank lines in multipart form-data input
* Make various dialogs resizable
* Fix wrong v2 hash string displayed
* WebAPI: return correct status
* Fix empty selection in language combobox
* Store WebUI port setting in human readable number
* Add support for exporting .torrent
* WebAPI: Add endpoint to set speed limit mode
* Improve progress bar rendering
* Add transfer list refresh interval settings
* Use natural sort
* Apply i18n translation only to built-in WebUI
* Alert when HTTPS settings are incomplete
* Handle drag and drop events
* Fix wrong behavior for shutdown action
* Don't disable combobox for file priority

RSS:

* Increase limit of maximum number of articles per feed

Other:

* Mark as single window app in .desktop file
* Add Dockerfile
* Remove option of using icons from system theme

- Update to version 4.4.5

Bug fixes:

* Fix missing trackers when adding magnet link. Affects libtorrent 2.0.x
builds.

- Update to version 4.4.4

* Improve D-Bus notifications handling

Bug fixes:

* Correctly handle data decompression with Qt 6.3
* Fix wrong file names displayed in tooltip
* Fix incorrect "max outgoing port" setting
* Make working set limit available only on libtorrent 2.0.x builds
* Try to recover missing tags

RSS:

* Clear RSS parsing error after use

Web API:

* Set HTTP method restriction on WebAPI actions

- Update to version 4.4.3.1

Bug fixes:

* Fix broken translations

- Update to version 4.4.3

Bug fixes:

* Correctly handle changing of temp save path
* Fix storage in SQLite
* Correctly apply content layout when "Skip hash check" is enabled
* Don't corrupt IDs of v2 torrents
* Reduce the number of hashing threads by default (improves hashing
speed on HDDs)
* Prevent the "update dialog" from blocking input on other windows
* Add trackers in exported .torrent files
* Fix wrong GUI behavior in "Optional IP address to bind to" setting

Web UI:

* Fix WebUI crash due to missing tags from config
* Show correct location path

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2023-391=1

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2023-391=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1
libtorrent-rasterbar-debugsource-2.0.9-bp155.2.3.1
libtorrent-rasterbar-devel-2.0.9-bp155.2.3.1
libtorrent-rasterbar2_0-2.0.9-bp155.2.3.1
libtorrent-rasterbar2_0-debuginfo-2.0.9-bp155.2.3.1
python3-libtorrent-rasterbar-2.0.9-bp155.2.3.1
python3-libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1

- openSUSE Backports SLE-15-SP5 (aarch64 ppc64le s390x x86_64):

qbittorrent-4.6.2-bp155.2.3.1
qbittorrent-debuginfo-4.6.2-bp155.2.3.1
qbittorrent-debugsource-4.6.2-bp155.2.3.1
qbittorrent-nox-4.6.2-bp155.2.3.1
qbittorrent-nox-debuginfo-4.6.2-bp155.2.3.1

- openSUSE Backports SLE-15-SP5 (noarch):

libtorrent-rasterbar-doc-2.0.9-bp155.2.3.1

- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

libtorrent-rasterbar-devel-2.0.9-bp154.3.3.1
libtorrent-rasterbar2_0-2.0.9-bp154.3.3.1
python3-libtorrent-rasterbar-2.0.9-bp154.3.3.1
qbittorrent-4.6.2-bp154.3.3.1
qbittorrent-debuginfo-4.6.2-bp154.3.3.1
qbittorrent-debugsource-4.6.2-bp154.3.3.1
qbittorrent-nox-4.6.2-bp154.3.3.1
qbittorrent-nox-debuginfo-4.6.2-bp154.3.3.1

- openSUSE Backports SLE-15-SP4 (noarch):

libtorrent-rasterbar-doc-2.0.9-bp154.3.3.1
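
Added example (not part of the SUSE advisory): a shell check that flags installed packages still below the fixed builds listed above for openSUSE Backports SLE-15-SP5. The function names and the sample inventory are constructed for illustration, and sort -V is used as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Input format, one package per line: "<name> <version>-<release>".
# On a real host this is what the following prints:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'

# Fixed version-release per package, taken from the advisory's SP5 package list.
fixed_for() {
    case "$1" in
        libtorrent-rasterbar2_0|libtorrent-rasterbar-devel|python3-libtorrent-rasterbar)
            echo "2.0.9-bp155.2.3.1" ;;
        qbittorrent|qbittorrent-nox)
            echo "4.6.2-bp155.2.3.1" ;;
        *)
            echo "" ;;
    esac
}

# Succeeds when $1 sorts strictly before $2. sort -V approximates RPM
# ordering; it is adequate for these dotted numeric strings.
older_than() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Read "<name> <version>-<release>" lines on stdin and print one UNPATCHED
# line for every covered package that is still below its fixed build.
audit_packages() {
    while read -r name evr; do
        fixed=$(fixed_for "$name")
        [ -n "$fixed" ] || continue   # package not covered by this advisory
        if older_than "$evr" "$fixed"; then
            echo "UNPATCHED $name $evr (fixed in $fixed)"
        fi
    done
}

# Constructed sample inventory (not from a real host; the older release
# strings are made up for the example).
sample_inventory() {
    cat <<'EOF'
qbittorrent 4.5.5-bp155.1.6
qbittorrent-nox 4.6.2-bp155.2.3.1
libtorrent-rasterbar2_0 2.0.6-bp155.1.9
bash 4.4-150400.25.22
EOF
}

sample_inventory | audit_packages
```

An empty result means every covered package is at or above the fixed build; for SP4 hosts, substitute the bp154.3.3.1 releases from the package list.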

References:

https://www.suse.com/security/cve/CVE-2023-30801.html
https://bugzilla.suse.com/1217677