Bug 269605 (CVE-2009-1757) - <net-p2p/transmission-1.61 potential CSRF security hole for Web Client users (CVE-2009-1757)
Status: RESOLVED FIXED
Alias: CVE-2009-1757
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.transmissionbt.com/
Whiteboard: C3 [noglsa]
Reported: 2009-05-12 18:11 UTC by Samuli Suominen (RETIRED)
Modified: 2009-06-12 22:21 UTC
Description Samuli Suominen (RETIRED) gentoo-dev 2009-05-12 18:11:47 UTC
Transmission 1.61 Released!

All Platforms

    * Close potential CSRF security hole for Web Client users

Transmission 1.53 Released!
All Platforms

    * Close potential CSRF security hole for Web Client users
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2009-05-12 18:56:59 UTC
+*transmission-1.61 (12 May 2009)
+
+  12 May 2009; Samuli Suominen <ssuominen@gentoo.org>
+  +transmission-1.61.ebuild:
+  Version bump wrt security #269605.

Please test and mark stable.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-13 10:03:43 UTC
I did something wrong: Using Torrent -> New -> Entering a torrent URI as source -> New leads to a segmentation fault in all transmission versions (no regression, just for your information).  And that's wrong anyway. :)
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2009-05-13 10:09:00 UTC
(In reply to comment #2)
> I did something wrong: Using Torrent -> New -> Entering a torrent URI as source
> -> New leads to a segmentation fault in all transmission versions (no
> regression, just for your information).  And that's wrong anyway. :)
> 

Thanks, I will try to reproduce this and will report it to transmissionbt's trac (which I'm registered in)
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-13 10:15:27 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2009-05-13 18:31:49 UTC
amd64 stable
Comment 6 Joe Jezak (RETIRED) gentoo-dev 2009-05-14 18:40:50 UTC
Marked ppc stable.
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2009-05-19 09:24:02 UTC
And vuln. versions removed from tree.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-22 17:39:31 UTC
Ready for vote, I vote YES.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-24 17:05:16 UTC
CVE-2009-1757 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1757):
  Cross-site request forgery (CSRF) vulnerability in Transmission 1.5
  before 1.53 and 1.6 before 1.61 allows remote attackers to hijack the
  authentication of unspecified victims via unknown vectors.

Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-05-25 19:36:28 UTC
I vote NO. CSRF in a client application that comes with a web interface? ...
Comment 11 Samuli Suominen (RETIRED) gentoo-dev 2009-05-29 07:24:32 UTC
(In reply to comment #10)
> I vote NO. CSRF in a client application that comes with a web interface? ...
> 

Yes, it is.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 22:21:36 UTC
No, too. Reopen if you feel like it.