| Summary: | <net-p2p/deluge-1.3.14: RCE via CSRF in web UI (CVE-2017-7178) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Diogo Pereira <sir.suriv> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | k_f, paolo.pedroni, proxy-maint |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/fulldisclosure/2017/Mar/6 | | |
| Whiteboard: | C1 [glsa cve] | | |
| Package list: | net-p2p/deluge-1.3.14 amd64 x86 | | |
| Runtime testing required: | --- | | |
Description

Diogo Pereira
2017-03-09 18:13:53 UTC

CC'ing security as per: "WebUI users: Highly recommended to upgrade to this release as it contains a fix for CSRF vulnerability that has the real potential to compromise your machine."

---

C instead of B due to the need of "webinterface" USE flag which isn't set by default.

@ Maintainer(s): Please bump to >=net-p2p/deluge-1.3.14 and tell us if the new ebuild is already ready for stabilization.

---

Working on it at this time.

---

Renaming current ebuild seems to work fine. As for quick stabilization the changelog is quite short, so for me it would be fine, but I defer to my proxy maintainer, Kristian Fiskerstrand, for this decision. I'll make patches for the gentoo tree as soon as he decides.

---

(In reply to Paolo Pedroni from comment #4)
> Renaming current ebuild seems to work fine.

Confirmed, installed updated version on my own system without other modification. See bump info below

> As for quick stabilization the
> changelog is quite short, so for me it would be fine, but I defer to my
> proxy maintainer, Kristian Fiskerstrand, for this decision.

Quick stabilization for security vuln fixing is OK in that case.

> I'll make patches for the gentoo tree as soon as he decides.

commit 36fa021d53729b7a9f6883729d5255e71f092544
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date: Tue Mar 14 13:37:55 2017 +0100

    net-p2p/deluge: Version bump to 1.3.14

    Straight version bump for security vulns

    Proxied-Maintainer: Paolo Pedroni
    Gentoo-Bug: 612144
    Package-Manager: Portage-2.3.3, Repoman-2.3.1

---

amd64 stable

---

x86 stable.

Maintainer(s), please cleanup.

Security, please add it to the existing request, or file a new one.

---

New GLSA request filed.

---

CVE-2017-7178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7178):
CSRF was discovered in the web UI in Deluge 1.3.13. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.
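The CVE text above describes the vulnerability class, not the fix. As an added illustration (not Deluge's code and not the upstream patch), the check below shows the two controls a web UI's JSON-RPC endpoint needs so that a third-party page cannot drive state-changing calls such as installing or enabling a plugin through a logged-in browser: a strict same-origin check on the `Origin`/`Referer` header (scheme and host:port compared after parsing, not by string prefix) and a per-session anti-CSRF token that only the UI's own pages know. The origin, method names and header names are assumptions chosen for the example.

```python
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Origin the web UI is served from. Constructed for this example; a real
# deployment would derive it from its configured listen address.
ALLOWED_ORIGIN = "http://localhost:8112"

# Placeholder names for RPC methods that change state; not Deluge's real names.
STATE_CHANGING = {"plugins.install", "plugins.enable", "config.set"}


def new_session_token() -> str:
    """Per-session secret; the UI embeds it in its own pages and echoes it back."""
    return secrets.token_urlsafe(32)


def _same_origin(url: str) -> bool:
    """Compare scheme and host:port after parsing, so that a source such as
    http://localhost:8112.attacker.example or the literal 'null' is rejected."""
    want = urlsplit(ALLOWED_ORIGIN)
    got = urlsplit(url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_request(headers: dict, body: bytes, session_token: str):
    """Decide whether a JSON-RPC request may proceed.

    Returns (allowed, reason). State-changing methods must come from the UI's
    own origin and carry the session's CSRF token; a request that some other
    page made the browser send fails one of these checks.
    """
    try:
        req = json.loads(body)
    except ValueError:
        return False, "malformed JSON body"
    if req.get("method") not in STATE_CHANGING:
        return True, "read-only method"
    # Browsers attach Origin to cross-site POSTs; fall back to Referer.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not _same_origin(source):
        return False, "cross-site or unknown origin"
    # Constant-time comparison on bytes, so a non-ASCII token cannot raise.
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Run constructed sample requests through the check; returns the verdicts."""
    token = new_session_token()
    install = b'{"method": "plugins.install", "params": ["some-plugin"]}'
    samples = {
        # Legitimate call from the UI's own page, carrying the session token.
        "same-origin with token": ({"Origin": ALLOWED_ORIGIN, "X-CSRF-Token": token}, install),
        # Forged call from a page on another site.
        "cross-site": ({"Origin": "http://attacker.example"}, install),
        # Referer that merely starts with the allowed origin string.
        "lookalike host": ({"Referer": "http://localhost:8112.attacker.example/"}, install),
        # Same origin but the token is absent.
        "same-origin without token": ({"Origin": ALLOWED_ORIGIN}, install),
        # Read-only method needs no CSRF protection.
        "read-only": ({}, b'{"method": "torrents.list"}'),
    }
    return {name: check_request(h, b, token) for name, (h, b) in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

The token check alone would already block a classic cross-site form post, but the origin check is kept as defence in depth: it also rejects requests that reach the endpoint with an unexpected source even when a token has leaked.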
---

commit d78e7d6198a91cfe59b41d7aca6f673db321957d
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date: Tue Mar 21 20:19:23 2017 +0100

    net-p2p/deluge: Cleanup old versions

    Gentoo-Bug: 612144
    Package-Manager: Portage-2.3.3, Repoman-2.3.1

---

This issue was resolved and addressed in GLSA 201703-06 at https://security.gentoo.org/glsa/201703-06 by GLSA coordinator Yury German (BlueKnight).