Well torrentfreak says that (http://torrentfreak.com/bittorrent-clients-vulnerable-to-remote-dos-attack-080117/) uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client, uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834

so should we update the client? i am using 1.6.1 right now and waffles already asked all its users to update the clients... Now this could be just a trick to get people to get new versions of utorrent but who knows..

I'm inclined to say just stay put for now.

However, my hunch is that you are a member of a buttload of BT sites, so you can go site to site and record which oens will let you run 1.7.6, or just upgrade and see what happens.

Go on, take one for the team.


.

well its not banned from anywhere other than the trackers that just allow 1.6.1 like biteme

biteme can biteme, I cant live my P2P around one fuckers rules.

I can confirm that there is hella lot more activity in PG2 with public than private. Some private sites I see no blocklist activity at all, other private sites, a bit.

I currently have 175 torrents loaded and nearly 30 trackers. I can arrange by tracker, and start a group en mass. This will either start them all, or make them go red with missing tracker info and lots of blocklist traffic. I cant 100% confirm the finding of others, I just see where it appears to be that way based on my tests.

I'm running almost 20 lists in PG2, and I use the uTorrent Updater to import a huge filter list directly in to uTorrent, ipfilter.dat = 13.6mb.

http://img50.imageshack.us/img50/3332/ipblockingqk1.th.jpg (http://img50.imageshack.us/my.php?image=ipblockingqk1.jpg)




.

u got nice specs there i wish i had a nice pc like u.

u got nice specs there i wish i had a nice pc like u.

Get a job. Save money. Buy computer parts with accrued savings.

Problem solved.

easier saidthan done isus :(

how long does it take to build a computer from scratch?

i work at $9/hr on weekends for 8 hrs/day but it take a lot of time to save money and i got to buy a car too...

easier saidthan done isus :(

how long does it take to build a computer from scratch?

By these calculations - $9/hr on weekends for 8 hrs/day

6 months of total net income, adjusting for depreciation of technology

10 hours labor if you have everything and really know what you want to accomplish.



.

I don't think it takes 10 hours to get a custom rig up and running, I mean if your talking about getting all of your software installed then yeah ten hours but to build it and install the os you are looking at 3-4 hours providing you know what you are doing.

Krell do you use all of the default URL lists in PG2 or do you get your lists elsewhere? I counted 20 there.

thanks guys, i think ill wait for a bit to get some money and then buy all the parts.

i dont really use pg2 anymore cause i dont use my home connection, i only do so like once or twice a week if neccesary, i use my server.

where do u get the lists of which ip's to block on pg2?

new version working on all my sites, including bitmetv. most of my sites recommend upgrading, and they will be banning clients older then the newest version due to the security bug that exists on all previous versions that leads to remote crashes and possibly remote code execution.

Upgrade or beware.

I don't think it takes 10 hours to get a custom rig up and running, I mean if your talking about getting all of your software installed then yeah ten hours but to build it and install the os you are looking at 3-4 hours providing you know what you are doing.

yes, your machine would take 3 - 4 hours

Not mine.


.

Krell do you use all of the default URL lists in PG2 or do you get your lists elsewhere? I counted 20 there.

I use the default urls for PG2

I dont use one of the IANA ones, as I want port 1900 open on my lan.


.

where do u get the lists of which ip's to block on pg2?

List Manager > ADD > Add URL

BE SURE to type the name in the DESCRIPTION form field as you go.




uTorrent ipfilter.dat blocklist ----> uTorrent Update Blocklist v1.0 (http://merwin.bespin.org/utub/uTorrentUpdateBlocklist_1.0.zip)


-------------------------------------
uTorrent Blocklist auto-update script
--------------------------version 1.0
--------------------created by merwin
-------------------------------------

---------------
Introduction---
---------------
This little batch file will automatically download and update your ipfilter.dat
in uTorrent. A very handy tool that I haven't seen anywhere else. It probably
has some problems, but it works fine for me. I tried to put all of the necessary
safeguards in it to avoid any unexpected results.

The blocklist will automatically be downloaded and the current ipfilter.dat (if any)
will be replaced with the downloaded version. Next time you run uTorrent, it
will load the new ipfilter.dat. If don't want to restart uTorrent, you can open
up the uTorrent Preferences and then click OK. The ipfilter.dat will be reloaded.

---------------
How to use it--
---------------
Just unzip the program to a folder somewhere and execute UpdateBlocklist.bat

Normally, it will pause after the update. If you want to have it not pause after it completes, then execute the batch file with any parameter, such as:
UpdateBlocklist.bat script

Run this until it is done

To reload ipfilter.dat without restarting µTorrent (1.6.1 and older), Ctrl+P > Advanced > IPfilter.enable = change to false, APPLY > then to TRUE.


To reload ipfilter.dat without restarting µTorrent (1.7+ only), view the Peers tab, right click, and select "Reload IPFilter."

.

first it was the new version of utorrent that was buggy now its all the old ones that are buggy...(sigh)...

Is that uTorrent blocklist similar to PG p2p block list?

Is that uTorrent blocklist similar to PG p2p block list?

Yes, but not 100% the same mind you, and with both running at the same time I do not see repeats, so if PG2 blocks an IP, then uTorrent doesnt have to deal with it. If it misses an IP, PG2 still can act as a filter.


.

I've seen some trackers ban the new version of utorrent. It's gotten a bit confusing now as to which is the best version to use. I've seen some reports on the utorrent forums that 1.6 might not be affected.

krell, when i used pg2 my log file got to two gigs..how's yours doing?

krell, when i used pg2 my log file got to two gigs..how's yours doing?

My history only goes back one week, and I do not log allowed, only rejected. I can find no log modified on todays date.

µTorrent Addresses Security Hole
January 27, 2008
Thomas Mennecke

http://www.slyck.com/zpics/fontbigger.gif (javascript:fontSize(1)) http://www.slyck.com/zpics/fontsmaller.gif (javascript:fontSize(2))
http://www.slyck.com/newspics/utorrent.jpg There’s nothing worse than downloading the hottest torrent, only to come face to face with a remote security exploit. µTorrent recently experienced two security vulnerabilities this month. The initial "crash bug" exploit was rather mild in nature, while the second exploit left the potential open for remote code execution.

Luigi Auriemma (http://aluigi.altervista.org/adv/ruttorrent-adv.txt), who discovered the "crash bug" exploit on January16, found that µTorrent 1.7.5, and possibly other versions, sometimes crashed when the client tried to interpret the version number of other clients on the network. If a reporting client's version number was too long, it would cause µTorrent to crash. For example, µTorrent could read “BitTorrent 6.0” just fine, however, it would crash if the remote client reported “µTorrent 1.5.5323423423”. Potentially, someone could take advantage of this exploit to intentionally crash other clients. At worst this appeared to be little more than an inconvenience.

BitTorrent, Inc., the company behind µTorrent, was quick to update version 1.7.5 and 1.8 alpha on the 15th and 16th, which addressed the milder “remote crash bug.”

A week later however, additional research found that code execution was possible on version 1.7.5 and perhaps other versions as well. Secunia (http://secunia.com/advisories/28533/) expanded on Luigi’s initial reporting, revealing the exploit’s ominous nature.

“The vulnerability is caused due to a boundary error when displaying the client used by connected peers. This can be exploited to cause a buffer overflow by connecting to the TCP port on which µTorrent is listening and sending a specially crafted packet containing an overly long client string.”

“Successful exploitation allows execution of arbitrary code.”

BitTorrent was quick with an update to these concerns as well. Within a day, µTorrent (http://utorrent.com/download.php) had been upgraded to 1.7.7, while a new build (http://forum.utorrent.com/viewtopic.php?id=31998) was released for 1.8 alpha. For now, the BitTorrent waters are once again safe.


.

1.7.7 released to fix some potential security exploits. Barring any other security issues before the release of 1.8, this will be the last 1.7.x release.

The extension protocol crash bug affects 1.4, 1.5, 1.6, 1.7, and 1.8 builds releases to date. No update will be released for pre 1.7 builds. Upgrading is strongly recommended.

http://download.utorrent.com/1.7.7/utorrent.exe (http://download.utorrent.com/1.7.7/utorrent.exe)

--- 2008-01-25: Version 1.7.7 (build 8179)
- Fix: remote crash bug in WebUI
- Fix: (potential) remote crash bug with extension protocol (affects all 1.4, 1.5, 1.6, 1.7, and 1.8 builds released to date)

--- 2008-01-15: Version 1.7.6 (build 7859)
- Change: do not use adapter subnet to identify local peers
- Fix: double-clicking to open items in RSS releases tab
- Fix: remote crash bug (affects all 1.7.x, and 1.8 builds released to date)
- Fix: limit local peers if disk is congested

--- 2007-09-11: Version 1.7.5 (build 4602)
- Fix: rare crash bug with malformed UPnP response
- Fix: downloads stalled in rare cases

If you'd like to be notified by e-mail of new releases, subscribe to the following thread: http://forum.utorrent.com/viewtopic.php?id=2971 (http://forum.utorrent.com/viewtopic.php?id=2971)

Last edited by Firon (2008-01-15 16:03:39)


.