Archived

This topic is now archived and is closed to further replies.

Firon

µTorrent 2.0.4 released


There is a DLL vulnerability in all versions of Windows affecting a great deal of software applications. Subsequently, attack code targeting the μTorrent client surfaced on a third-party website, and while so far no attacks have been reported to us, we have released μTorrent 2.0.4 to fix this vulnerability. The new client disables loading of DLLs from the current working directory and prevents this exploit from functioning. More information about the exploit can be found here: http://www.reuters.com/article/idUS2168761020100825

We take our users' security very seriously, and we sincerely apologize for any inconvenience.

Release notes:

Download it now!

-- 2010-10-07: Version 2.0.4 (build 22450)

- Fix: uTP EACK vulnerability

-- 2010-09-24: Version 2.0.4 (build 22150)

- Fix: uTP ack-timer wrapping issue

- Fix: transfer cap doesn't update unless uTorrent is running

-- 2010-08-28: Version 2.0.4 (build 21586)

- Fix: tracker retry interval bug

-- 2010-08-26: Version 2.0.4 (build 21515)

- Fix: make survey links never show up on XP

- Fix: started and stopped events now correctly sent to torrents with multiple tracker tiers.

-- 2010-08-25: Version 2.0.4 (build 21431)

- Fix: fixed DLL hijack exploit

- Change: add bold text for Ask toolbar offer

- Fix: added groupbox in bandwidth settings

- Fix: Fixed size of static text in transfer cap setting pane to be translatable

- Fix: Fixed peer exchange exploit

- Fix: Safari 5 compatibility for WebUI

- Fix: WebUI security improvements

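The effect of the fix described in the announcement above, as an added example that is not part of the original post and not µTorrent's code: a small model of the classic Windows search order for a bare DLL name, showing where a name resolves before and after the current working directory is taken out of the search. All directory names and the DLL names `helper.dll` and `common.dll` are constructed; the model ignores KnownDLLs and manifest redirection.

```python
from pathlib import PureWindowsPath

# Constructed sample layout (assumption, not taken from the page).
APP_DIR = r"C:\Program Files\uTorrent"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM_DIRS = [SYSTEM32, r"C:\Windows\System", r"C:\Windows"]
CWD = r"D:\Downloads\shared"   # folder a .torrent file was opened from
PATH_DIRS = [r"C:\Tools"]

# Directory -> DLL names present there (constructed).
FILES = {
    SYSTEM32: {"kernel32.dll", "common.dll"},
    CWD: {"helper.dll", "common.dll"},  # DLLs sitting beside the data file
}

def search_order(safe_mode=True, cwd_enabled=True):
    """Directories searched, in order, for a bare DLL name.

    safe_mode models SafeDllSearchMode: when off, the current directory
    is searched right after the application directory.
    cwd_enabled=False models a process that has removed the current
    directory from the search (on Windows, SetDllDirectory("") does this).
    """
    order = [APP_DIR]
    if cwd_enabled and not safe_mode:
        order.append(CWD)
    order += SYSTEM_DIRS
    if cwd_enabled and safe_mode:
        order.append(CWD)
    return order + PATH_DIRS

def resolve(dll, **mode):
    """Return the full path the loader would pick, or None if not found."""
    for directory in search_order(**mode):
        if dll.lower() in FILES.get(directory, set()):
            return str(PureWindowsPath(directory) / dll)
    return None

def loads_from_cwd(dll, **mode):
    """True when the name resolves to a file in the current directory."""
    hit = resolve(dll, **mode)
    return hit is not None and PureWindowsPath(hit).parent == PureWindowsPath(CWD)

if __name__ == "__main__":
    for name in ("kernel32.dll", "common.dll", "helper.dll"):
        for mode in ({}, {"safe_mode": False}, {"cwd_enabled": False}):
            print(name, mode, "->", resolve(name, **mode))
```

A name that exists nowhere else (`helper.dll`) falls through to the current directory even with SafeDllSearchMode on, which is why removing the directory from the search, rather than only reordering it, closes the hole.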

We will autoupdate either later tonight or tomorrow morning. We skipped the beta process for this release because this is more or less the same code that was in BTML 7.0, which has been out for a while now.


I'm disappointed to see that you did publish 2.04, yet, didn't take this opportunity to back-port and include most desired and promised functional fixes you did on 2.2 in it.

Even small things that were talked about pre 2.2, like the cancellation of double add-torrent dialog-control and such.

I suggest you review those changes and put them in as well. There is still time!


No, we are not backporting anything. 2.2 is slated as the next stable, so the 2.0.x line will get nothing but critical fixes. There will probably not be any more releases of 2.0.x, barring some huge problem coming up within the next month and a half or so.


I see...

- Change: add bold text for Ask toolbar offer

- Fix: added groupbox in bandwidth settings

- Fix: Fixed size of static text in transfer cap setting pane to be translatable

- Fix: Safari 5 compatibility for WebUI

VERY critical indeed.. :P

I am aware of the logic behind it, but hey, what am I asking for?

-- 2010-08-10: Version 2.2 Beta (build 21090)

- Change: remove the "always show add dialog" and merge its functionality with the "show add dialog"

Fix something that was screwed up in the first place, and is already fixed. A bit of flexibility will not kill you guys... ;)


The survey problem isn't new to 2.0.4. It seems like we neglected to backport the fix for that, so I'll be doing a re-release of 2.0.4 later (and autoupdate it while I'm at it).

I noticed a tracker (bakabt.com) doesn't allow this 2.0.4 ut client to download but allows earlier versions.

What can be the reason?

Southrop from BakaBT here to give you an update.

We simply hadn't updated our whitelist at the time. 2.0.4 has been whitelisted for a few hours now. We will probably remove older versions from the whitelist in the near future to ensure the safety of our users.

Thanks to the uTorrent Dev Team for rolling out an update for the security issue so quickly!

You should tell tracker admins that it is important to allow this release as quickly as possible.

I'm in agreement with this opinion. I've been personally posting in trackers that I don't regularly use to petition for 2.0.4 to be whitelisted.


Thanks for the continued updates to the 2.0.x branch, it's appreciated - I felt the need to say that after registering almost solely to moan about the 2.2 branch. It's quite reassuring, after I was getting a bit worried about the future of µTorrent development.

I noticed a tracker (bakabt.com) doesn't allow this 2.0.4 ut client to download but allows earlier versions.

What can be the reason?

Southrop from BakaBT here to give you an update.

We simply hadn't updated our whitelist at the time. 2.0.4 has been whitelisted for a few hours now. We will probably remove older versions from the whitelist in the near future to ensure the safety of our users.

Thanks to the uTorrent Dev Team for rolling out an update for the security issue so quickly!

You should tell tracker admins that it is important to allow this release as quickly as possible.

I'm in agreement with this opinion. I've been personally posting in trackers that I don't regularly use to petition for 2.0.4 to be whitelisted.

Thanks for the update, please don't wipe out the old versions from your whitelist until 2.0.x is as stable as 1.8.5.

Thanks for the update, please don't wipe out the old versions from your whitelist until 2.0.x is as stable as 1.8.5.

So you want to encourage users to remain vulnerable to the exploit that 2.0.4 fixes?

We really don't want to encourage that.

Thanks for the update, please don't wipe out the old versions from your whitelist until 2.0.x is as stable as 1.8.5.

So you want to encourage users to remain vulnerable to the exploit that 2.0.4 fixes?

We really don't want to encourage that.

Not every hacker knows how to exploit a DLL.

You can't tell it is 100% secure even if it is safeguarded.

What every user wants is a stable client, even if it is an old version.

Simply put, most are still using XP and not upgrading to Win7 because it is stable.
