File _patchinfo of Package patchinfo.18207

<patchinfo incident="18207">
  <issue tracker="bnc" id="1217677">VUL-0: CVE-2023-30801: qbittorrent: default credentials allowed by default</issue>
  <issue tracker="cve" id="2023-30801"/>
  <packager>alois</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for libtorrent-rasterbar, qbittorrent</summary>
  <description>This update for libtorrent-rasterbar, qbittorrent fixes the following issues:

Changes in libtorrent-rasterbar:

- Update to version 2.0.9

  * fix issue with web seed connections when they close and
    re-open
  * fallocate() not supported is not a fatal error
  * fix proxying of IPv6 connections via IPv4 proxy
  * treat CGNAT address range as local IPs
  * add stricter checking of piece layers when loading torrents
  * add stricter checking of v1 and v2 hashes being consistent
  * cache failed DNS lookups as well as successful ones
  * add an i2p torrent state to control interactions with clear
    swarms
  * fix i2p SAM protocol parsing of quoted messages
  * expose i2p peer destination in peer_info
  * fix i2p tracker announces
  * fix issue with read_piece() stopping torrent on pieces not
    yet downloaded
  * improve handling of allow_i2p_mixed setting to work for
    magnet links
  * fix web seed request for renamed single-file torrents
  * fix issue where web seeds could disappear from resume data
  * extend save_resume with additional conditional flags
  * fix issue with retrying trackers in tiers &gt; 0
  * fix last_upload and last_download resume data fields to use
    posix time
  * improve error messages for no_connect_privileged_ports, by
    untangling it from the port filter
  * fix I2P issue introduced in 2.0.0
  * add async tracker status query, post_trackers()
  * add async torrent status query, post_status()
  * support loading version 2 of resume data format
  * fix issue with odd piece sizes
  * add async piece availability query, post_piece_availability()
  * add async download queue query, post_download_queue()
  * add async file_progress query, post_file_progress()
  * add async peer_info query, post_peer_info()

- Update to version 2.0.8

  * fix uTP streams timing out instead of closing cleanly
  * add write_torrent_file_buf() overload for generating
    .torrent files
  * add create_torrent::generate_buf() function to generate into
    a buffer
  * fix copy_file when the file ends with a sparse region
  * uTP performance, fix packet loss when sending is stalled
  * fix trackers being stuck after session pause/resume
  * fix bug in hash_picker with empty files
  * uTP performance, prevent premature timeouts/resends
  * add option to not memory map files below a certain size
  * settings_pack now returns default values when queried for
    missing settings
  * fix copy_file fall-back when SEEK_HOL/SEEK_DATA is not
    supported
  * improve error reporting from file copy and move
  * tweak pad file placement to match reference implementation
    (tail-padding)
  * uTP performance, more lenient nagle's algorithm to always
    allow one outstanding undersized packet
  * uTP performance, piggy-back held back undersized packet with
    ACKs
  * uTP performance, don't send redundant deferred ACKs
  * support incoming SOCKS5 packets with hostnames as source
    address, for UDP trackers
  * ignore duplicate network interface change notifications on
    linux
  * fix total_want/want accounting when forcing a recheck
  * fix merging metadata with magnet links added on top of
    existing torrents
  * add torrent_flag to default all file priorities to
    dont_download
  * fix &amp;so= feature in magnet links
  * improve compatibility of SOCKS5 UDP ASSOCIATE
  * fix madvise range for flushing cache in mmap_storage
  * open files with no_cache set in O_SYNC mode

- Update to version 2.0.7

  * fix issue in use of copy_file_range()
  * avoid open-file race in the file_view_pool
  * fix issue where stop-when-ready would not close files
  * fix issue with duplicate hybrid torrent via separate v1 and
    v2 magnet links
  * added new function to load torrent files, load_torrent_*()
  * support sync_file_range()
  * fix issue in write_torrent_file() when file size is exactly
    piece size
  * fix file_num_blocks() and file_num_pieces() for empty files
  * add new overload to make_magnet_uri()
  * add missing protocol version to tracker_reply_alert and
    tracker_error_alert
  * fix privilege issue with SetFileValidData()
  * add asynchronous overload of torrent_handle::add_piece()
  * default to a single hashing thread, for full checks
  * Fix bug when checking files and the first piece is invalid

Changes in qbittorrent:

- Update to version 4.6.2

  Bug fixes:

  * Do not apply share limit if the previous one was applied
  * Show Add new torrent dialog on main window screen

  Web UI:

  * Fix JS memory leak
  * Disable stdout buffering for qbt-nox

  Wayland:

  * Fix parent widget of "Lock qBittorrent" submenu

- Also fixes boo#1217677 (CVE-2023-30801, upstream reference
  gh#qbittorrent/qBittorrent#19738)

- Update to version 4.6.1

  New features:

  * Add option to enable previous Add new torrent dialog behavior

  Fixed bugs:

  * Prevent crash due to race condition when adding magnet link
  * Fix Enter key behavior when adding new torrent
  * Add missing main window icon
  * Update size of selected files when selection is changed
  * Correctly handle changing save path of torrent w/o metadata
  * Use appropriate icon for "moving" torrents in transfer list

  Web UI:

  * Drop WebUI default credentials
  * Add I2P settings to WebUI
  * Fix duplicate scrollbar on Transfer List
  * Fix incorrect subcategory sorting
  * Correctly set save path in RSS rules
  * Allow to request torrents count via WebAPI
  * Improve performance of getting torrent numbers via WebAPI
  * Improve free disk space checking for WebAPI

  Misc:

  * Fix invisible tray icon with Qt5 in Linux


- Update to version 4.6.0

  New features:

  * Add (experimental) I2P support
  * Provide UI editor for the default theme
  * Various UI theming improvements
  * Implement torrent tags editing dialog
  * Revamp "Watched folder options" and "Automated RSS
    downloader" dialog
  * Allow to use other icons in dark mode
  * Allow to add new torrents to queue top
  * Allow to filter torrent list by save path
  * Expose 'socket send/receive buffer size' options
  * Expose 'max torrent file size' setting
  * Expose 'bdecode limits' settings
  * Add options to adjust behavior of merging trackers to
    existing torrent
  * Add option to stop seeding when torrent has been inactive
  * Allow to use proxy per subsystem
  * Expand the scope of "Proxy hostname lookup" option
  * Add shortcut for "Ban peer permanently" function
  * Add option to auto hide zero status filters
  * Allow to disable confirmation of Pause/Resume All
  * Add alternative shortcut CTRL+E for CTRL+F
  * Show filtered port numbers in logs
  * Add button to copy library versions to clipboard

  Bug fixes:

  * Ensure ongoing storage moving job will be completed when
    shutting down
  * Refactored many areas to call non UI blocking code
  * Various improvements to the SQLite backend
  * Improve startup window state handling
  * Use tray icon from system theme only if option is set
  * Inhibit system sleep while torrents are moving
  * Use hostname instead of domain name in tracker filter list
  * Visually validate input path in torrent creator dialog
  * Disable symlink resolving in Torrent creator
  * Change default value for `file pool size` and `stop tracker
    timeout` settings
  * Log when duplicate torrents are being added
  * Inhibit suspend instead of screen idle
  * Ensure file name is valid when exporting torrents
  * Open "Save path" if torrent has no metadata
  * Prevent torrent starting unexpectedly edge case with magnet
  * Better ergonomics of the "Add new torrent" dialog

  WebUI:

  * Add log viewer
  * WebAPI: Allow to specify session cookie name
  * Improve sync API performance
  * Add filelog settings
  * Add multi-file renaming
  * Add "Add to top of queue" option
  * Implement subcategories
  * Set "SameSite=None" if CSRF Protection is disabled
  * Show only hosts in tracker filter list
  * Set Connection status and Speed limits tooltips
  * Set Cross Origin Opener Policy to `same-origin`
  * Fix response for HTTP HEAD method
  * Preserve the network interfaces when connection is down
  * Add "Add Tags" field for RSS rules
  * Fix missing error icon

  RSS:

  * Add "Rename rule" button to RSS Downloader
  * Allow to edit RSS feed URL
  * Allow to assign priority to RSS download rule

  Search:

  * Use python isolate mode
  * Bump python version minimum requirement to 3.7.0

  Other:

  * Numerous code improvements and refactorings

- Update to version 4.5.5

  Bug fixes:

  * Fix transfer list tab hotkey
  * Don't forget to enable the Apply button in the Options dialog
  * Immediately update torrent status on moving files
  * Improve performance when scrolling the file list of large
    torrents
  * Don't operate on random torrents when multiple are selected
    and a sort/filter is applied

  RSS:

  * Fix overwriting feeds.json with an incomplete load of it

- Update to version 4.5.4

  Bug fixes:

  * Allow to disable confirmation of Pause/Resume All
  * Sync flag icons with upstream

  Web UI:

  * Fix category save path

- Update to version 4.5.3

  Bug fixes:

  * Correctly check if database needs to be updated
  * Prevent incorrect log message about torrent content deletion
  * Improve finished torrent handling
  * Correctly initialize group box children as disabled in
    Preferences
  * Don't miss saving "download path" in SQLite storage
  * Improve logging of running external program

  Web UI:

  * Disable UPnP for web UI by default
  * Use workaround for iOS file picker
  * Work around Chrome download limit
  * Improve 'exporting torrent' behavior

- Update to version 4.5.2

  Bug fixes:

  * Don't unexpectedly activate queued torrents when prefetching
    metadata for added magnets
  * Update the cached torrent state once recheck is started
  * Be more likely to allow the system to use power saving modes

  Web UI:

  * Migrate away from unsafe function
  * Blacklist bad ciphers for TLS in the server
  * Allow only TLS 1.2+ in the server
  * Allow to set read-only directory as torrent location
  * Reject requests that contain backslash in path

  RSS:

  * Prevent RSS folder from being moved into itself

- Update to version 4.5.1

  New features:

  * Re-allow to use icons from system theme 

  Bug fixes:

  * Fix Speed limit icon size 
  * Revise and fix some text colors 
  * Correctly load folder based UI theme 
  * Fix crash due to invalid encoding of tracker URLs 
  * Don't drop !qB extension when renaming incomplete file 
  * Correctly count the number of torrents in subcategories 
  * Use "additional trackers" when metadata retrieving 
  * Apply correct tab order to Category options dialog 
  * Add all torrents passed via the command line 
  * Fix startup performance on Qt5 
  * Automatic move will now overwrite existing files 
  * Some fixes for loading Chinese locales 
  * New Pause icon color for toolbar/menu 
  * Adjust env variable for PDB discovery 

  Web UI:

  * Fix missing "queued" icon 
  * Return paths using platform-independent separator format 
  * Change order of accepted types of file input 
  * Add missing icons 
  * Add "Resume data storage type" option 
  * Make rename file dialog resizable 
  * Prevent incorrect line breaking 
  * Improve hotkeys 
  * Remove suggestions while searching for torrents 
  * Expose "IS PRIVATE" flag 
  * Return name/hash/infohash_v1/infohash_v2 torrent properties 

  Other:

  * Fix tray icon issues 

- Update to version 4.5.0

  New features:

  * Add `Auto resize columns` functionality
  * Allow to use Category paths in `Manual` mode
  * Allow to disable Automatic mode when default "temp" path
    changed
  * Add tuning options related to performance warnings
  * Add right click menu for status filters
  * Allow setting the number of maximum active checking torrents
  * Add option to toggle filters sidebar
  * Allow to set `working set limit` on non-Windows OS
  * Add `Export .torrent` action
  * Add keyboard navigation keys
  * Allow to use POSIX-compliant disk IO type
  * Add `Filter files` field in new torrent dialog
  * Implement new icon/color theme
  * Add file name filter/blacklist
  * Add support for custom SMTP ports
  * Split the OS cache settings into Disk IO read/write modes
  * When duplicate torrent is added set metadata to existing one
  * Greatly improve startup time with many torrents
  * Add keyboard shortcut to Download URL dialog
  * Add ability to run external program on torrent added
  * Add infohash and download path columns
  * Allow to set torrent stop condition
  * Add a `Moving` status filter
  * Change color palettes for both dark, light themes
  * Add a `Use proxy for hostname lookup` option
  * Introduce a `change listen port` cmd option
  * Implement `Peer ID Client` column for `Peers` tab
  * Add port forwarding option for embedded tracker

  Bug fixes:

  * Store hybrid torrents using `torrent ID` as basename
  * Enable Combobox editor for the `Mixed` file download priority
  * Allow shortcut folders for the Open and Save directory
    dialogs
  * Rename content tab `Size` column to `Total Size`
  * Fix scrolling to the lowermost visible torrent
  * Allow changing file priorities for finished torrents
  * Focus save path when Manual mode is selected initially
  * Disable force reannounce when it is not possible
  * Add horizontal scrolling for tracker list and torrent content
  * Enlarge "speed limits" icons
  * Change Downloaded to Times Downloaded in trackers tab
  * Remove artificial max limits from `Torrent Queueing` related
    options
  * Preserve `skip hash check` when there is no metadata
  * Fix DHT/PeX/LSD status when it is globally disabled
  * Fix rate calculation when interval is too low
  * Add tooltip message when system tray icon isn't available
  * Improve sender field in mail notifications
  * Fix "Add torrent dialog" spill-over on smaller screens
  * Fix peer count issue when tracker responds with zero figure
  * Don't merge trackers by default
  * Don't inhibit system sleep/auto shutdown for torrents stuck
    at downloading metadata
  * Allow to pause a checking torrent from context menu
  * Allow to use subnet notation in reverse proxy list
  * Fine tune translations loading for Chinese locales
  * Fix torrent content checkboxes not updated properly
  * Correctly load state of `Use another path for incomplete
    torrents` in Watched folders
  * Add confirmation to resume/pause all
  * Fix wrong count of errored trackers

  WebUI:

  * Allow blank lines in multipart form-data input
  * Make various dialogs resizable
  * Fix wrong v2 hash string displayed
  * WebAPI: return correct status
  * Fix empty selection in language combobox
  * Store WebUI port setting in human readable number
  * Add support for exporting .torrent
  * WebAPI: Add endpoint to set speed limit mode
  * Improve progress bar rendering
  * Add transfer list refresh interval settings
  * Use natural sort
  * Apply i18n translation only to built-in WebUI
  * Alert when HTTPS settings are incomplete
  * Handle drag and drop events
  * Fix wrong behavior for shutdown action
  * Don't disable combobox for file priority

  RSS:

  * Increase limit of maximum number of articles per feed

  Other:

  * Mark as single window app in .desktop file
  * Add Dockerfile
  * Remove option of using icons from system theme

- Update to version 4.4.5

  Bug fixes:

  * Fix missing trackers when adding magnet link. Affects
    libtorrent 2.0.x builds.

- Update to version 4.4.4

  * Improve D-Bus notifications handling

  Bug fixes:

  * Correctly handle data decompression with Qt 6.3
  * Fix wrong file names displayed in tooltip
  * Fix incorrect "max outgoing port" setting
  * Make working set limit available only on libtorrent 2.0.x
    builds
  * Try to recover missing tags

  RSS:

  * Clear RSS parsing error after use

  Web API:

  * Set HTTP method restriction on WebAPI actions

- Update to version 4.4.3.1

  Bug fixes:

  * Fix broken translations

- Update to version 4.4.3

  Bug fixes:

  * Correctly handle changing of temp save path
  * Fix storage in SQLite
  * Correctly apply content layout when "Skip hash check" is
    enabled
  * Don't corrupt IDs of v2 torrents
  * Reduce the number of hashing threads by default (improves
    hashing speed on HDDs)
  * Prevent the "update dialog" from blocking input on other
    windows
  * Add trackers in exported .torrent files
  * Fix wrong GUI behavior in "Optional IP address to bind to"
    setting

  Web UI:

  * Fix WebUI crash due to missing tags from config
  * Show correct location path

</description>
</patchinfo>