Crise

release Security Advisory: OpenSSL, ApexDC, Heartbleed and You.

20 posts in this topic

Update: The release of 1.5.11 has been officially rolled out. Full changelog available now. If you haven't done so yet please head on over to the download page and update your installation of ApexDC right now.

On April 7th, 2014 OpenSSL released a security advisory concerning CVE-2014-0160 also known as Heartbleed.

This is a serious security vulnerability in the SSL/TLS library that can result in your private data being compromised without leaving any trace whatsoever. You can check for more specific details from the above links. Most commonly used DC clients are affected by this issue, including ApexDC. Earlier today (April 10th) DC++ released a fixed version but all versions of DC++ from 0.799 to 0.841 and their derivatives are vulnerable. The specific ApexDC versions affected are at least 1.5.3 through 1.5.10.

It is important to note that even if the DC++ base version differs from those listed above a client may still be vulnerable as long as it uses one of affected versions of OpenSSL. There is currently, however, no easy way for users to tell what specific version of OpenSSL is used by a particular client.

Reading this you may be thinking: But, I am not using SSL/TLS at all right, because I am only on NMDC hubs. This is actually not necessarily true because a select set of clients, such as StrongDC and its derivatives, including ApexDC implement an unnamed NMDC extension that allows TLS to be used for client to client connections between supporting clients. Thus making these clients also affected by this issue outside of ADC and ADCS..

Two hours ago, version 1.5.11 of ApexDC was uploaded to SourceForge and is listed as the latest download there. Likewise the download links on this site now also point to those files. Release announcement including full changelog and all that important information will be made available sometime on the 11th, but for now suffice to say 1.5.11 will fix the issue discussed here as well as a set of other issues found in 1.5.10.

Lee and Crise like this

Share this post


Link to post
Share on other sites

I have got a small issue with an updated 1.5.11 version. After making a clean install I was left with this message window '>. Now, after putting my old settings back in, opening the Download Queue window and right-clicking over the download queue folder gives me the mouse menu view without the header as here '>.

 

Otherwise everything seems to be working fine. If it helps, my OS is Win XP Pro Sp3.

Share this post


Link to post
Share on other sites

I have got a small issue with an updated 1.5.11 version. After making a clean install I was left with this message window '>. Now, after putting my old settings back in, opening the Download Queue window and right-clicking over the download queue folder gives me the mouse menu view without the header as here '>.

 

Otherwise everything seems to be working fine. If it helps, my OS is Win XP Pro Sp3.

The first message seems to be an an installer issue, will attempt to replicate this on my end. As for the second one that is an issue caused by a code change that seems to have been left in accidentally looks like there will be yet another .11 build sadly (because unfortunately it's not just a visual problem).

Share this post


Link to post
Share on other sites

Can SSL be disabled by not forwarding the particular port or setting it to 0?

Share this post


Link to post
Share on other sites

I had apexDC++ version 1.5.5 and got the mandatory message. So I got the last version (1.5.11) and successfully installed it. But I could not run the application because I got the following error:

 

ApexDC.exe - Entry Point Not Found

The procedure entry point GetLogicalProcessorInformation could not be located in the dynamic link library KERNEL32.dll.

 

So I decided to try the previous version (1.5.10), same error with that one too. I managed to put back my old version (1.5.5), no error here, but I'm not able to runt the program because of the "mandatory upgrade". So, what advice do you have for me? :)

Share this post


Link to post
Share on other sites

I had apexDC++ version 1.5.5 and got the mandatory message. So I got the last version (1.5.11) and successfully installed it. But I could not run the application because I got the following error:

 

ApexDC.exe - Entry Point Not Found

The procedure entry point GetLogicalProcessorInformation could not be located in the dynamic link library KERNEL32.dll.

 

So I decided to try the previous version (1.5.10), same error with that one too. I managed to put back my old version (1.5.5), no error here, but I'm not able to runt the program because of the "mandatory upgrade". So, what advice do you have for me? :)

 

What OS are you running? 

Share this post


Link to post
Share on other sites

What OS are you running?

He is running XP, that is not SP3. Because that function is present on all versions of windows we support. What I am curious is whether he can run 1.5.9 without getting that error message.

Edit: that said, after some investigation unfortunately it seems likely that Microsoft has updated their SDK's in a way that basically disregards compatibility with versions of XP prior to SP3.

Share this post


Link to post
Share on other sites

Can SSL be disabled by not forwarding the particular port or setting it to 0?

SSL can be disabled through a setting, the exact name of it escapes me right now though, but you can find it on the same settings page as all the other options related to it.

Share this post


Link to post
Share on other sites

I see it. Settings -> Security -> Use TLS when remote client supports it. This option will work fine until I migrate to NT 6.

The menu headers were slightly broken since a few versions ago. If I go to Download queue they are indeed invisible.

1.5.11 appears to start and function normally under XP SP3, aside from the graphical glitch there.

Share this post


Link to post
Share on other sites

Hi... I did the update to 1.5.11 and since that my file share is 0 bytes. I did uncheck all shared folders, restart ApexDC and add the share again... There is no hashing and the the share amount is still 0bytes.

Im using Wine 1.7.16_x64 - the version 1.5.9 was running fine on that version! Does anybody have the same issue?

Share this post


Link to post
Share on other sites

Hi... I did the update to 1.5.11 and since that my file share is 0 bytes. I did uncheck all shared folders, restart ApexDC and add the share again... There is no hashing and the the share amount is still 0bytes.

Im using Wine 1.7.16_x64 - the version 1.5.9 was running fine on that version! Does anybody have the same issue?

It seems to be a Wine bug, unfortunately fixing it without breaking the build for actual Windows is probably not viable. Also we would need to know more than simply that it doesn't hash. The changes to hashing in 1.5.10 are substantial enough to make playing a guessing game an unattractive proposition.

Share this post


Link to post
Share on other sites

It seems to be a Wine bug, unfortunately fixing it without breaking the build for actual Windows is probably not viable. Also we would need to know more than simply that it doesn't hash. The changes to hashing in 1.5.10 are substantial enough to make playing a guessing game an unattractive proposition.

 

What information do you need?

When I add a folder for sharing,the system.log shows no entries the "indexing progress" dialog shows no activity.

Share this post


Link to post
Share on other sites

What information do you need?

When I add a folder for sharing,the system.log shows no entries the "indexing progress" dialog shows no activity.

I would need some kind of Wine diagnostics to see what the problematic code is, and if it can be rewritten within reason without problems for the Windows build.

Basically I already know that it isn't doing what it should be doing, but I need some idea as to why before I can even consider looking into it. I am not familiar with Wine's implementation of WinAPI so to go in blind would be a fools errand.

Share this post


Link to post
Share on other sites

I would need some kind of Wine diagnostics to see what the problematic code is, and if it can be rewritten within reason without problems for the Windows build.

Basically I already know that it isn't doing what it should be doing, but I need some idea as to why before I can even consider looking into it. I am not familiar with Wine's implementation of WinAPI so to go in blind would be a fools errand.

 

I did a debug on wine...

[04/14/14 22:20:51] - Running wine-1.7.16 ApexDC-x64.exe (Working directory : /home/acidstew/.PlayOnLinux/wineprefix/ApexDC/drive_c/Program Files/ApexDC++)

fixme:wincodecs:PngDecoder_Block_GetCount stub

fixme:module:load_library unsupported flag(s) used (flags: 0x00000800)

fixme:advapi:RegisterTraceGuidsW (0x14031a0d8, (nil), {f7b697a3-4db5-4d3b-be71-c4d284e6592f}, 7, 0x14047e4d0, (null), (null), 0x1404b1548): stub

fixme:process:GetNumaHighestNodeNumber (0x22f5c0): semi-stub

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:toolhelp:CreateToolhelp32Snapshot Unimplemented: heap list snapshot

fixme:toolhelp:Heap32ListFirst : stub

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:ver:GetCurrentPackageId (0x8ada60 (nil)): stub

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:netapi32:NetShareEnum Stub ((null) 502 0x1e57d28 -1 0x22e820 0x1e57d40 (nil))

fixme:propsheet:PROPSHEET_UnImplementedFlags PSH_RTLREADING

fixme:netapi32:NetShareEnum Stub ((null) 502 0x1e57d28 -1 0x22b8d0 0x1e57d40 (nil))

err:shell:SHGetFileInfoW pidl is null!

err:shell:SHGetFileInfoW pidl is null!

err:shell:SHGetFileInfoW pidl is null!

err:shell:SHGetFileInfoW pidl is null!

err:shell:SHGetFileInfoW pidl is null!

err:shell:SHGetFileInfoW pidl is null!

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

fixme:file:FindFirstFileExW options not implemented 0x00000000 0x00000001

 

Share this post


Link to post
Share on other sites

What OS are you running? 

 

He is running XP, that is not SP3. Because that function is present on all versions of windows we support. What I am curious is whether he can run 1.5.9 without getting that error message.

Edit: that said, after some investigation unfortunately it seems likely that Microsoft has updated their SDK's in a way that basically disregards compatibility with versions of XP prior to SP3.

 

 

Yes, I'm using XP SP2. Any chance I will be able to run apex on this OS again?

Share this post


Link to post
Share on other sites

Unfortunately it is not really up to us as much as it is up to Microsoft the 2013 edition of msvc basically disregards compatibility with any version of XP apart from SP3.

And if I had to guess the next major version of msvc will not support XP in any meaningful capacity. While we can hold out on upgrading to said version in the future going back a compiler version to retain compatibility with SP2 seems like overkill. Especially when SP3 is a free upgrade.

So with SP2 it is unlikely that the situation will change, but we have no plans to stop supoorting XP SP3 as long as it remains feasible. If you wish to keep using older versions with SP2 you can do so but we do not support this and you will have to make any neccessary changes on your own.

Share this post


Link to post
Share on other sites

What information do you need?

When I add a folder for sharing,the system.log shows no entries the "indexing progress" dialog shows no activity.

 

FYI

So i did install ApexDC 1.5.9 on same Wine version and the hashing here works. So it seems to be an issue of ApexDC 1.5.10-12

Share this post


Link to post
Share on other sites

FYI

So i did install ApexDC 1.5.9 on same Wine version and the hashing here works. So it seems to be an issue of ApexDC 1.5.10-12

 

Well technically it is an issue in Wine. Also doesn't seem like it is a quick and easy one to solve on our end either, the changes in hash management done in .10 certainly work just fine on an actual windows :).

Share this post


Link to post
Share on other sites

FYI

So i did install ApexDC 1.5.9 on same Wine version and the hashing here works. So it seems to be an issue of ApexDC 1.5.10-12

 

PM me and I will grant you access to native 2.0 Ubuntu builds. That goes for anyone wanting to run ApexDC++ through Linux.

Share this post


Link to post
Share on other sites