--- from url ---
A bug fix release that resolves a few issues introduced in 1.3.14 along with other minor fixes.
*snip*
Deluge WebUI: Highly recommended to upgrade to this release as it contains a directory traversal security fix that once again has the real potential to compromise your machine.
*snip*

Git Entry
> [WebUI] Check render template files exist and raise 404 if not
> - Check render/* requests match to .html files in the 'render' dir
> - Protects against directory (path) traversal

~ eleix (Security Padawan)

Reproducible: Didn't try
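The upstream fix quoted above restricts render/* requests to existing .html files inside the render directory and answers anything else with a 404. As an added example (not Deluge's code and not part of the Gentoo bug), here is one way such a lookup can be written in Python. The function name, the render directory layout and the sample files are assumptions constructed for the demo; the point is that the check compares against the directory listing and the resolved real path rather than trusting the request string.

```python
"""
Illustrative path-traversal check for a 'render/<name>' template endpoint.
Added example for this page; NOT the Deluge WebUI implementation.  The
function names and the directory layout below are assumptions.
"""
import os
import shutil
import tempfile


def resolve_render_template(render_dir, requested):
    """Map a request component to a template file inside render_dir.

    Returns the absolute path of an existing .html template, or None when
    the request must be answered with 404.  Independent checks:
      1. the request must be a plain "<name>.html" component, with no
         directory separators and therefore no '..' segments;
      2. the name must appear in the directory listing of render_dir, so
         the string is matched against real entries, not trusted;
      3. the resolved real path must sit directly inside the real
         render_dir, which also catches symlinks pointing outside it.
    """
    real_dir = os.path.realpath(render_dir)

    if not requested.endswith(".html"):
        return None
    # basename() strips any leading directory part; a mismatch means the
    # request contained a separator (e.g. "../x.html", "a/../b.html").
    if os.path.basename(requested) != requested:
        return None

    # Match against actual entries instead of building a path blindly.
    if requested not in os.listdir(real_dir):
        return None

    candidate = os.path.realpath(os.path.join(real_dir, requested))
    # Containment: after symlink resolution the parent must still be real_dir.
    if os.path.dirname(candidate) != real_dir:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a throwaway render dir (constructed sample data) and probe it.

    Returns a dict mapping each probe to True (served) or False (404).
    """
    base = tempfile.mkdtemp()
    try:
        render_dir = os.path.join(base, "render")
        os.mkdir(render_dir)
        with open(os.path.join(render_dir, "index.html"), "w") as fh:
            fh.write("<html></html>")
        # A file outside the render dir that an attacker would like to read.
        with open(os.path.join(base, "secret.txt"), "w") as fh:
            fh.write("not a template")
        # A symlink *inside* render/ that escapes it; step 3 must reject it.
        os.symlink(os.path.join(base, "secret.txt"),
                   os.path.join(render_dir, "leak.html"))

        probes = [
            "index.html",                 # legitimate template
            "../secret.txt",              # classic traversal, wrong suffix
            "../secret.txt.html",         # traversal with a matching suffix
            "index.html/../index.html",   # separator smuggled into the name
            "leak.html",                  # symlink escaping the directory
            "missing.html",               # well-formed but absent -> 404
        ]
        return {p: resolve_render_template(render_dir, p) is not None
                for p in probes}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for probe, served in demo().items():
        print("%-28s %s" % (probe, "200" if served else "404"))
```

Only the first probe is served; every traversal attempt, the escaping symlink and the nonexistent template fall through to the 404 path, which is the behaviour the quoted release note describes.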
I've been a bit busy at work this past week. I'll take a look at this starting from next Tuesday. Sorry...
I've taken a look at it, and renaming the current ebuild should be enough. The changelog is very short, and as far as I'm concerned the new version can go straight to stable. If my proxy-maintainer can take care of this, I think we're set.
Please consider bug #619812, and apply the ebuild patch there, as well.
commit 41ab815fe8887c360dd98fd3d8dec9cbf0ddb11d (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Tue Jun 6 20:24:10 2017 +0200

    net-p2p/deluge: New version 1.3.15

    Proxied commit
    Thanks-To: Paolo Pedroni

    Gentoo-Bug: 619812
    Gentoo-Bug: 618872

    Package-Manager: Portage-2.3.5, Repoman-2.3.1
(In reply to Kristian Fiskerstrand from comment #4)
> commit 41ab815fe8887c360dd98fd3d8dec9cbf0ddb11d (HEAD -> master, origin/master, origin/HEAD)
> Author: Kristian Fiskerstrand <k_f@gentoo.org>
> Date:   Tue Jun 6 20:24:10 2017 +0200
>
>     net-p2p/deluge: New version 1.3.15
>
>     Proxied commit
>     Thanks-To: Paolo Pedroni
>
>     Gentoo-Bug: 619812
>     Gentoo-Bug: 618872
>
>     Package-Manager: Portage-2.3.5, Repoman-2.3.1

Thanks. Not straight to stable, though. Do you prefer to wait for the usual month before stabilizing it, or can we shorten the timeframe a bit, as it's a security bug fix?

The changelog is really short:

- Core
  - Fix issues with displaying libtorrent single proxy.
  - Fix libtorrent 1.2 trackers crashing Deluge UIs.
  - Fix error in torrent priorities causing file priority mismatch in UIs.
- GtkUI
  - Configure gtkrc to use consistent button ordering on Windows.
  - Fix column sort state not saved in Thinclient mode.
  - Fix connection manager error with malformed ip.
  - Rename SystemTray/Indicator 'Pause/Resume All' to 'Pause/Resume Session'.
  - Workaround lt single proxy by greying out unused proxy types.
- WebUI
  - Security Fix: Check render template files exist otherwise raise 404.
- Notification Plugin
  - Fix webui passing string for int port value.
- AutoAdd Plugin
  - Add WebUI preferences page detailing lack of configuration via WebUI.
- Label Plugin
  - Add WebUI preferences page detailing how to configure plugin.

I'd feel confident enough in it to bump it straight to stable, but, of course, I defer to your judgement.
(In reply to Paolo Pedroni from comment #5)
> Thanks. Not straight to stable, though. Do you prefer to wait for the usual
> month before stabilizing it, or can we shorten the timeframe a bit, as it's
> a security bug fix?

It's a security fix, so we can ignore the month delay before calling for stabilization from the arch teams. So as maintainer, please go ahead with the stabilization :)
(In reply to Paolo Pedroni from comment #5)
> I'd feel confident enough in it to bump it straight to stable, but, of
> course, I defer to your judgement.

So let's do it:

@ Arches, please test and mark stable:
=net-p2p/deluge-1.3.15
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #9)
> x86 stable.
>
> Maintainer(s), please cleanup.

Please, Kristian, remove the 1.3.14 ebuild. Thanks.
commit 581765878084af1a6fabfb7341c7c7c1d4afad30 (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Tue Jun 13 10:45:00 2017 +0200

    net-p2p/deluge: Cleanup of 1.3.14

    Security cleanup

    Gentoo-Proxied-Maintainer: Paolo Pedroni
    Gentoo-Bug: 618872
    Package-Manager: Portage-2.3.5, Repoman-2.3.1
GLSA Vote: No