Soulseek maintainer Nir Arbel has released a new Soulseek version (157 Ns 13e) that plugs the security hole in previous clients.
He also limited the search query length on the server, to prevent any kind of mass random attack.
Contacting the Soulseek team was hard, but I need to mention that it wasn't because they were underestimating this security bug; they were simply not reachable, because of circumstances that can happen.
I want to thank Nir Arbel for the very professional way he handled this security bug once contact could be made.
The Soulseek server was patched within hours after he acknowledged the security advisory, and he released a patched Soulseek client yesterday, after the bug was triggered locally.
Another advisory regarding another way to exploit this security hole will be responsibly disclosed once every client on the Slsk network has been upgraded.
My contribution to Cybersecurity Month