Summary: | net-p2p/transmission-1.61 potential CSRF security hole for Web Client users (CVE-2009-1757)
---|---
Product: | Gentoo Security
Reporter: | Samuli Suominen (RETIRED) <ssuominen>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://www.transmissionbt.com/
Whiteboard: | C3 [noglsa]
Package list: |
Runtime testing required: | ---
Description
Samuli Suominen (RETIRED)
2009-05-12 18:11:47 UTC
+*transmission-1.61 (12 May 2009)
+
+  12 May 2009; Samuli Suominen <ssuominen@gentoo.org> +transmission-1.61.ebuild:
+  Version bump wrt security #269605.

Please test and mark stable.

I did something wrong: Using Torrent -> New -> Entering a torrent URI as source -> New leads to a segmentation fault in all transmission versions (no regression, just for your information). And that's wrong anyway. :)

(In reply to comment #2)
> I did something wrong: Using Torrent -> New -> Entering a torrent URI as source
> -> New leads to a segmentation fault in all transmission versions (no
> regression, just for your information). And that's wrong anyway. :)

Thanks, I will try to reproduce this and will report it to transmissionbt's trac (which I'm registered in).

x86 stable

amd64 stable

Marked ppc stable.

And vuln. versions removed from tree. Ready for vote, I vote YES.

CVE-2009-1757 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1757):
Cross-site request forgery (CSRF) vulnerability in Transmission 1.5 before 1.53 and 1.6 before 1.61 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

I vote NO. CSRF in a client application that comes with a web interface? ...

(In reply to comment #10)
> I vote NO. CSRF in a client application that comes with a web interface? ...

Yes, it is.

No, too. Reopen if you feel like it.