Bug 636052 (CVE-2017-6504) - <net-p2p/qbittorrent-3.3.16: WebUI Clickjacking vulnerability
Summary: <net-p2p/qbittorrent-3.3.16: WebUI Clickjacking vulnerability
Status: RESOLVED FIXED
Alias: CVE-2017-6504
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Reported: 2017-10-31 14:54 UTC by GLSAMaker/CVETool Bot
Modified: 2018-07-28 19:02 UTC
Package list:
net-p2p/qbittorrent-3.3.16
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-31 14:54:50 UTC
CVE-2017-6504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6504):
  WebUI in qBittorrent before 3.3.11 did not set the X-Frame-Options header,
  which could potentially lead to clickjacking.
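
A way to check for the condition this CVE describes, as an added example that is not part of the bug report or of qBittorrent's code: it classifies the anti-framing headers of a raw HTTP response, and goes beyond the header named in the report by also reading the CSP `frame-ancestors` directive. The helper names, the sample responses and the `example.invalid` origin are constructed.

```python
# Added example: classify anti-framing headers. Sample responses are constructed.
WILDCARDS = {"*", "http:", "https:"}  # frame-ancestors sources that match any origin

def parse_headers(raw):
    """Map lowercased header names to value lists from a raw HTTP response."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(csp_values):
    """Return one source list per policy that carries a frame-ancestors directive."""
    found = []
    for header in csp_values:
        for policy in header.split(","):        # a comma separates policies
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    found.append([p.lower() for p in parts[1:]])
                    break                       # first directive of a name wins
    return found

def framing_protection(raw):
    """Classify a response as 'protected', 'weak' or 'missing'."""
    headers = parse_headers(raw)
    policies = frame_ancestors(headers.get("content-security-policy", []))
    if policies:
        # Where supported, frame-ancestors takes precedence over X-Frame-Options.
        strict = any(not WILDCARDS & set(sources) for sources in policies)
        return "protected" if strict else "weak"
    xfo = {v.strip().upper() for h in headers.get("x-frame-options", [])
           for v in h.split(",") if v.strip()}
    if not xfo:
        return "missing"
    # ALLOW-FROM is obsolete in current browsers; any unrecognised token is flagged.
    return "protected" if xfo <= {"DENY", "SAMEORIGIN"} else "weak"

def response(*extra):
    """Build a constructed sample response with the given extra header lines."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/html", *extra]
    return "\r\n".join(lines) + "\r\n\r\n<html></html>"

if __name__ == "__main__":
    for extra in ("Server: constructed", "X-Frame-Options: SAMEORIGIN",
                  "Content-Security-Policy: frame-ancestors *"):
        print(extra, "->", framing_protection(response(extra)))
```

A result of `missing` corresponds to the behaviour the CVE text describes; `weak` marks a header that is present but does not restrict framing to a fixed set of origins.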
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 14:56:04 UTC
@Maintainers: 3.3.12 is already in tree and should contain the fix; please call for stabilization when ready.

Thank you
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-05 21:29:35 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-08 13:39:13 UTC
amd64 stable
Comment 4 Andreas Sturmlechner gentoo-dev 2017-11-25 13:33:59 UTC
arm ping
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-01-19 20:43:15 UTC
@arm, ping.
Comment 6 Larry the Git Cow gentoo-dev 2018-02-04 17:41:00 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cb500889429515d376449b7a7be7f7f2c695a1f

commit 4cb500889429515d376449b7a7be7f7f2c695a1f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-02-04 16:49:09 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-02-04 17:38:53 +0000

    net-p2p/qbittorrent: Drop vulnerable <3.3.16
    
    Stabilisation timeout.
    
    Closes: https://bugs.gentoo.org/636052
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 net-p2p/qbittorrent/Manifest                  |  3 --
 net-p2p/qbittorrent/qbittorrent-3.3.10.ebuild | 55 -------------------------
 net-p2p/qbittorrent/qbittorrent-3.3.12.ebuild | 58 ---------------------------
 3 files changed, 116 deletions(-)
Comment 7 Andreas Sturmlechner gentoo-dev 2018-02-04 21:57:06 UTC
Cleanup done, I guess security can do their thing now.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2018-02-04 22:41:52 UTC
(In reply to Andreas Sturmlechner from comment #7)
> Cleanup done, I guess security can do their thing now.

Thanks, Andreas!

GLSA Vote: No