Your message dated Wed, 29 Nov 2023 22:47:09 +0000
with message-id <[email protected]>
and subject line Bug#1056379: fixed in qbittorrent 4.5.2-3+deb12u1
has caused the Debian Bug report #1056379,
regarding qbittorrent-nox: WebUI UPnP enabled by default, security risk
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1056379: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056379
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: qbittorrent-nox
Version: 4.5.2-3
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
* What led up to the situation?
Tinkering off and on with a testing server, qbittorrent-nox installed, webUI
open to LAN, default login credentials were not changed. Outside parties gained
access to webUI through the UPnP, downloaded a dummy torrent, and ran a script
via the "run command on torrent completion."
* What exactly did you do (or not do) that was effective (or
ineffective)?
Shut down the machine.
* What was the outcome of this action?
Wipe and reinstall.
* What outcome did you expect instead?
I take responsibility here, as I did not change the default login credentials
for the webUI, thinking it was only accessible from my LAN. However, after some
searches I find I'm not the only one who got caught by this, which is probably why
the bots are scanning for it. Upstream has since changed the default for the
WebUI UPnP to "OFF". See here:
https://github.com/qbittorrent/qBittorrent/pull/18832
Is it possible to backport this setting? Thanks for all that you do!
-- System Information:
Debian Release: 12.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages qbittorrent-nox depends on:
ii libc6 2.36-9+deb12u3
ii libgcc-s1 12.2.0-14
ii libqt5core5a 5.15.8+dfsg-11
ii libqt5network5 5.15.8+dfsg-11
ii libqt5sql5 5.15.8+dfsg-11
ii libqt5sql5-sqlite 5.15.8+dfsg-11
ii libqt5xml5 5.15.8+dfsg-11
ii libssl3 3.0.11-1~deb12u2
ii libstdc++6 12.2.0-14
ii libtorrent-rasterbar2.0 2.0.8-1+b1
ii zlib1g 1:1.2.13.dfsg-1
qbittorrent-nox recommends no packages.
qbittorrent-nox suggests no packages.
--- End Message ---
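The report above combines three conditions: Web UI port forwarding via UPnP, unchanged default credentials, and the "run command on torrent completion" hook. The following audit of a `qBittorrent.conf` for those three is an added example, not part of the bug report or the Debian package. The sample config is constructed, and the meaning given to absent keys (UPnP on before the fix, default credentials when no password hash is stored) is an assumption about this version.

```python
import configparser

# Constructed sample qBittorrent.conf: no WebUI\UseUPnP key and no WebUI
# password key, so built-in defaults apply; a completion command is set.
SAMPLE_CONF = r"""
[AutoRun]
enabled=true
program=/tmp/placeholder.sh

[Preferences]
WebUI\Address=*
WebUI\Port=8080
"""

def _true(value):
    return str(value).strip().lower() == "true"

def audit(conf_text, upnp_default=True):
    # upnp_default: what a missing WebUI\UseUPnP key means. Assumed True for
    # builds before the fix, False from 4.5.2-3+deb12u1 on.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # configparser lowercases keys by default; keep them
    cp.read_string(conf_text)
    prefs = cp["Preferences"] if cp.has_section("Preferences") else {}
    autorun = cp["AutoRun"] if cp.has_section("AutoRun") else {}

    findings = []
    # 1. Web UI port forwarded on the router via UPnP.
    if _true(prefs.get(r"WebUI\UseUPnP", upnp_default)):
        findings.append("webui-upnp")
    # 2. No stored password hash: assumed to mean default credentials still work.
    if not prefs.get(r"WebUI\Password_PBKDF2", "").strip():
        findings.append("default-credentials")
    # 3. "Run command on torrent completion" is enabled with a program set.
    if _true(autorun.get("enabled", "false")) and autorun.get("program", "").strip():
        findings.append("autorun")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```

Any one finding alone is a hardening item; all three together reproduce the exposure the reporter describes.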
--- Begin Message ---
Source: qbittorrent
Source-Version: 4.5.2-3+deb12u1
Done: Christian Marillat <[email protected]>
We believe that the bug you reported is fixed in the latest version of
qbittorrent, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Marillat <[email protected]> (supplier of updated qbittorrent
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 22 Nov 2023 16:26:29 +0100
Source: qbittorrent
Architecture: source
Version: 4.5.2-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Christian Marillat <[email protected]>
Changed-By: Christian Marillat <[email protected]>
Closes: 1056379
Changes:
qbittorrent (4.5.2-3+deb12u1) bookworm; urgency=medium
.
* Disable UPnP for web UI by default in qbittorrent-nox (Closes: #1056379)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---