qBittorrent fixes flaw exposing users to MitM attacks for 14 years

qBittorrent has addressed a remote code execution flaw caused by the failure to validate SSL/TLS certificates in the application's DownloadManager, a component that manages downloads throughout the app.

The flaw, introduced in a commit on April 6, 2010, was eventually fixed in the latest release, version 5.0.1, on October 28, 2024, more than 14 years later.

However, as security researcher Sharp Security highlighted in a blog post, the team fixed a notable flaw without adequately informing the users about it and without assigning a CVE to the problem.

See more: https://www.bleepingcomputer.com/news/security/qbittorrent-fixes-flaw-exposing-users-to-mitm-attacks-for-14-years/

#cybersecurity #torrent 
Damn... 14 years. How does that even happen? It's not like they weren't aware of the flaw. They knew about it since at least 2010. That's crazy.

I'm using Transmission, but out of interest I checked. Debian repos have an old version of qBittorrent, updated 2023-11-22.