Transmission 1.61 Released!
All Platforms
* Close potential CSRF security hole for Web Client users

Transmission 1.53 Released!
All Platforms
* Close potential CSRF security hole for Web Client users
+*transmission-1.61 (12 May 2009) + + 12 May 2009; Samuli Suominen <ssuominen@gentoo.org> + +transmission-1.61.ebuild: + Version bump wrt security #269605. Please test and mark stable.
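Review bot: The ChangeLog entry for transmission-1.61.ebuild identifies the fix only as "security #269605", so a reader of the ChangeLog cannot tell what the bump addresses without opening the bug. Consider naming the issue in the entry, using the upstream release note's wording (a potential CSRF hole for Web Client users), alongside the bug number.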
I did something wrong: Using Torrent -> New -> Entering a torrent URI as source -> New leads to a segmentation fault in all transmission versions (no regression, just for your information). And that's wrong anyway. :)
(In reply to comment #2)
> I did something wrong: Using Torrent -> New -> Entering a torrent URI as source
> -> New leads to a segmentation fault in all transmission versions (no
> regression, just for your information). And that's wrong anyway. :)

Thanks, I will try to reproduce this and will report it to transmissionbt's trac (which I'm registered in)
x86 stable
amd64 stable
Marked ppc stable.
And vuln. versions removed from tree.
Ready for vote, I vote YES.
CVE-2009-1757 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1757): Cross-site request forgery (CSRF) vulnerability in Transmission 1.5 before 1.53 and 1.6 before 1.61 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
I vote NO. CSRF in a client application that comes with a web interface? ...
(In reply to comment #10)
> I vote NO. CSRF in a client application that comes with a web interface? ...

Yes, it is.
No, too. Reopen, if you feel to.