Debian Bug report logs - #683380
CVE-2012-4037


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Tue, 31 Jul 2012 09:45:04 UTC

Severity: grave

Tags: confirmed, help, security, squeeze, wheezy

Found in versions transmission/2.03-1, transmission/2.03-2

Fixed in versions transmission/2.52-3, transmission/2.61-1

Done: Leo Costela <costela@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Leo Costela <costela@debian.org>:
Bug#683380; Package transmission. (Tue, 31 Jul 2012 09:45:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Leo Costela <costela@debian.org>. (Tue, 31 Jul 2012 09:45:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-4037
Date: Tue, 31 Jul 2012 11:40:53 +0200
Package: transmission
Severity: grave
Tags: security

Please see http://seclists.org/fulldisclosure/2012/Jul/348

This was assigned CVE-2012-4037

Since we're in freeze, please contact upstream for an isolated fix
(or grab it from the 2.60-2.61) and fix this using a backported
patch instead of updating to 2.61.

Can you please also check, whether stable is affected?

Cheers,
        Moritz



Added tag(s) squeeze, wheezy, confirmed, and help. Request was from Leo 'costela' Antunes <costela@debian.org> to control@bugs.debian.org. (Tue, 31 Jul 2012 11:21:06 GMT)


Marked as found in versions transmission/2.03-2. Request was from Leo 'costela' Antunes <costela@debian.org> to control@bugs.debian.org. (Tue, 31 Jul 2012 11:21:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Leo Costela <costela@debian.org>:
Bug#683380; Package transmission. (Tue, 31 Jul 2012 11:30:05 GMT)


Acknowledgement sent to Leo 'costela' Antunes <costela@debian.org>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>. (Tue, 31 Jul 2012 11:30:05 GMT)


Message #14 received at 683380@bugs.debian.org:

From: Leo 'costela' Antunes <costela@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 683380@bugs.debian.org
Subject: Re: Bug#683380: CVE-2012-4037
Date: Tue, 31 Jul 2012 13:20:06 +0200
Hi,

On 31/07/12 11:40, Moritz Muehlenhoff wrote:
> Please see http://seclists.org/fulldisclosure/2012/Jul/348
>
> This was assigned CVE-2012-4037
>
> Since we're in freeze, please contact upstream for an isolated fix
> (or grab it from the 2.60-2.61) and fix this using a backported
> patch instead of updating to 2.61.

Thanks for the heads-up. Working on it.

> Can you please also check, whether stable is affected?

It seems to be affected, but backporting the fix is less trivial. I may
need some help for that (especially with the testing).


Cheers

-- 
Leo "costela" Antunes
[insert a witty retort here]





Reply sent to Leo Costela <costela@debian.org>:
You have taken responsibility. (Tue, 31 Jul 2012 11:51:03 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Tue, 31 Jul 2012 11:51:03 GMT)


Message #19 received at 683380-close@bugs.debian.org:

From: Leo Costela <costela@debian.org>
To: 683380-close@bugs.debian.org
Subject: Bug#683380: fixed in transmission 2.52-3
Date: Tue, 31 Jul 2012 11:47:13 +0000
Source: transmission
Source-Version: 2.52-3

We believe that the bug you reported is fixed in the latest version of
transmission, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683380@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Leo Costela <costela@debian.org> (supplier of updated transmission package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 31 Jul 2012 13:26:16 +0200
Source: transmission
Binary: transmission transmission-common transmission-dbg transmission-cli transmission-gtk transmission-qt transmission-daemon
Architecture: source all amd64
Version: 2.52-3
Distribution: unstable
Urgency: high
Maintainer: Leo Costela <costela@debian.org>
Changed-By: Leo Costela <costela@debian.org>
Description: 
 transmission - lightweight BitTorrent client
 transmission-cli - lightweight BitTorrent client (command line programs)
 transmission-common - lightweight BitTorrent client (common files)
 transmission-daemon - lightweight BitTorrent client (daemon)
 transmission-dbg - lightweight BitTorrent client (debug symbols)
 transmission-gtk - lightweight BitTorrent client (GTK interface)
 transmission-qt - lightweight BitTorrent client (Qt interface)
Closes: 683380
Changes: 
 transmission (2.52-3) unstable; urgency=high (fixes CVE-2012-4037)
 .
   * [5b2ca219] backport fix to XSS in web client from 2.61 (CVE-2012-4037)
     (Closes: 683380)
Checksums-Sha1: 
 6182ba051cb08368a89aa5254dc8241ff088b320 1849 transmission_2.52-3.dsc
 753e9841fcf74d675c51f3e9acce4d6fe771c18a 19905 transmission_2.52-3.debian.tar.bz2
 1aa18d9b2f73b5d570a982e82c788f5d7dd7ea21 1084 transmission_2.52-3_all.deb
 fde899976f71235fab2ea7029c0ecdea629e07d0 291270 transmission-common_2.52-3_all.deb
 4173d7c71302e6f488a8f3f29c160111b650abe3 12811010 transmission-dbg_2.52-3_amd64.deb
 44608b127cd53039dbf5783e7101e1933a9bf397 1152146 transmission-cli_2.52-3_amd64.deb
 10e85b3483a875f44225025c561f9ee75eca0154 1153362 transmission-gtk_2.52-3_amd64.deb
 af1e5dd9d911ee4d5b85e5b73b2cade03aebf10a 615794 transmission-qt_2.52-3_amd64.deb
 9112d45c7a687786fc2082bf0434732ac8d17a2e 234366 transmission-daemon_2.52-3_amd64.deb
Checksums-Sha256: 
 0c516195443d0fb5eeff168521cbd4aae2c2d2aff6389fe38fba1f000897392d 1849 transmission_2.52-3.dsc
 fbffb5b2ebc769afca6796cb6ddd6a9e80fc17d2f3f91eee00e7c99b29595c11 19905 transmission_2.52-3.debian.tar.bz2
 4f5d43236f3bc7eda000dffcc97a286c2a86a580550682580552c1dea0059c6b 1084 transmission_2.52-3_all.deb
 d72e39c375aaa1efc690b29173663f8f924af1cf87466a2e39bed24972afe697 291270 transmission-common_2.52-3_all.deb
 3c796e486003945eb34bc1d8fabfe37f3a2ae92501c4fa9d84d6c4974c635a35 12811010 transmission-dbg_2.52-3_amd64.deb
 5998a86c55561f8093a8eecbc04ca55adba0480de8865560484fc9e03d41f67d 1152146 transmission-cli_2.52-3_amd64.deb
 7262a09ae5d10de0eb70b935ff7d2e8be036d502d8edb71e7356490faeb6f788 1153362 transmission-gtk_2.52-3_amd64.deb
 e386d445ffa401dd80f77f3343360551823f3c2d734487cae5fe1f6fa13021ed 615794 transmission-qt_2.52-3_amd64.deb
 6df7b5ed0115a165e0e3ff2f948418435f7b8b95cce85ccb90d995bad38ae8ee 234366 transmission-daemon_2.52-3_amd64.deb
Files: 
 651d48776ea464f14f738c7240c14df1 1849 net optional transmission_2.52-3.dsc
 46f37ce1fe398a52f68d7cd9d130889c 19905 net optional transmission_2.52-3.debian.tar.bz2
 37856d38de17548cd77eb9061adac537 1084 net optional transmission_2.52-3_all.deb
 e208f154b63338fc881d5eb4e6692424 291270 net optional transmission-common_2.52-3_all.deb
 8927bfe0e841c296e4aeef959773dca6 12811010 debug extra transmission-dbg_2.52-3_amd64.deb
 b67393a7b60102648ad997ce3e69cc84 1152146 net optional transmission-cli_2.52-3_amd64.deb
 1d30b8af052eb1511f6eede1de5e944e 1153362 net optional transmission-gtk_2.52-3_amd64.deb
 009b90ff0ff55f31d994c6fecdf1b869 615794 net optional transmission-qt_2.52-3_amd64.deb
 45e031ca520b30c853d99ec8aaf45eb6 234366 net optional transmission-daemon_2.52-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEUEARECAAYFAlAXwyIACgkQImLTb3rflGYRKQCYipX1U6EjGruXLc2Lg3fYIca2
4gCcDWx+FuEgg14MGTYIgKAmoAbLlaA=
=+av1
-----END PGP SIGNATURE-----
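The changelog entry in the upload above says only that 2.52-3 backports the 2.61 fix for an XSS in the web client. As an added example that is not Transmission's code, the following shows the class of bug in a generic BitTorrent web UI: an untrusted string (the torrent name is assumed here as the vector) spliced straight into markup, next to the escaped form, plus a small tokenizer so the injected element and event-handler attribute can be observed without a browser. The field name, the `<li>` markup and the two malicious names are constructed for illustration and are not the details of CVE-2012-4037.

```javascript
'use strict';
// Added example (not Transmission's code): the generic web-client XSS pattern that
// the 2.52-3 / 2.61 fix on this page addresses. The vector assumed here, a torrent
// name carried in the .torrent file or magnet link, and the <li> markup are
// illustrative assumptions, not the details of CVE-2012-4037.

// Escape the characters that change meaning in HTML text and in quoted attribute
// values. Use it for both contexts; URLs and inline script need a different encoder.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the attacker-controlled name is spliced straight into markup.
function renderRowUnsafe(torrent) {
  return `<li class="torrent" title="${torrent.name}">${torrent.name}</li>`;
}

// Hardened pattern: every untrusted value is escaped before it reaches the markup.
// In a browser, textContent / setAttribute are preferable to building HTML strings;
// string escaping is used here because the two renderings can then be compared.
function renderRowSafe(torrent) {
  const name = escapeHtml(torrent.name);
  return `<li class="torrent" title="${name}">${name}</li>`;
}

// --- A small tokenizer so the difference is observable without a browser. ---

// Start tags of a fragment, tokenized the way a browser would: a '>' inside a
// quoted attribute value does not end the tag.
function startTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[A-Za-z]/.test(html[i + 1] || '')) {
      let j = i + 1;
      let quote = null;
      while (j < html.length) {
        const c = html[j];
        if (quote) {
          if (c === quote) quote = null;
        } else if (c === '"' || c === "'") {
          quote = c;
        } else if (c === '>') {
          break;
        }
        j += 1;
      }
      tags.push(html.slice(i, j + 1));
      i = j + 1;
    } else {
      i += 1;
    }
  }
  return tags;
}

// Attribute names of one start tag, in document order.
function attributeNames(tag) {
  const body = tag.replace(/^<[A-Za-z][^\s>]*/, '').replace(/\/?>$/, '');
  const re = /\s+([^\s=>"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Event-handler attributes (onerror, onmouseover, ...) a browser would execute.
function injectedHandlers(html) {
  const found = [];
  for (const tag of startTags(html)) {
    for (const name of attributeNames(tag)) {
      if (name.startsWith('on')) found.push(name);
    }
  }
  return found;
}

// Constructed malicious torrent names: one injects an element into the text
// context, the other breaks out of the quoted title attribute.
const EVIL_ELEMENT = { name: '<img src=x onerror=alert(1)>' };
const EVIL_ATTRIBUTE = { name: '" onmouseover="alert(1)' };

if (typeof require !== 'undefined' && require.main === module) {
  for (const t of [EVIL_ELEMENT, EVIL_ATTRIBUTE]) {
    console.log('unsafe:', injectedHandlers(renderRowUnsafe(t)));
    console.log('safe:  ', injectedHandlers(renderRowSafe(t)));
  }
}
```

Running the file prints the event-handler attributes found in each rendering: `onerror` and `onmouseover` for the unsafe rows, nothing for the escaped ones. The attribute-breakout case is the reason escaping must cover `"` and `'` as well as `<`, `>` and `&`; an escaper that only handles angle brackets would still pass the second name through intact.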




Reply sent to Leo Costela <costela@debian.org>:
You have taken responsibility. (Tue, 31 Jul 2012 12:03:03 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Tue, 31 Jul 2012 12:03:03 GMT)


Message #24 received at 683380-close@bugs.debian.org:

From: Leo Costela <costela@debian.org>
To: 683380-close@bugs.debian.org
Subject: Bug#683380: fixed in transmission 2.61-1
Date: Tue, 31 Jul 2012 12:02:12 +0000
Source: transmission
Source-Version: 2.61-1

We believe that the bug you reported is fixed in the latest version of
transmission, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683380@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Leo Costela <costela@debian.org> (supplier of updated transmission package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 31 Jul 2012 13:42:43 +0200
Source: transmission
Binary: transmission transmission-common transmission-dbg transmission-cli transmission-gtk transmission-qt transmission-daemon
Architecture: source all amd64
Version: 2.61-1
Distribution: experimental
Urgency: low
Maintainer: Leo Costela <costela@debian.org>
Changed-By: Leo Costela <costela@debian.org>
Description: 
 transmission - lightweight BitTorrent client
 transmission-cli - lightweight BitTorrent client (command line programs)
 transmission-common - lightweight BitTorrent client (common files)
 transmission-daemon - lightweight BitTorrent client (daemon)
 transmission-dbg - lightweight BitTorrent client (debug symbols)
 transmission-gtk - lightweight BitTorrent client (GTK interface)
 transmission-qt - lightweight BitTorrent client (Qt interface)
Closes: 683380
Changes: 
 transmission (2.61-1) experimental; urgency=low
 .
   * [76d3715e] Imported Upstream version 2.61
                - fixes XSS vulnerability in web client (closes: 683380)
Checksums-Sha1: 
 a3cc44bd2f8d58c36390b80878069081bba5fdc2 1849 transmission_2.61-1.dsc
 7df170ecee6e62766859dca6ae0cf4e89c1ea99f 4199705 transmission_2.61.orig.tar.bz2
 11b27f7fcd23b704349900149d36f0c392be0847 16439 transmission_2.61-1.debian.tar.bz2
 90a22fc3f928f49c8d09cd68474b5571ea9f9c80 1086 transmission_2.61-1_all.deb
 dcb94f93812d5acdff49762fe2729cd243e3068a 292476 transmission-common_2.61-1_all.deb
 94b6db45235654f095b1f54638a90ff0f6df7b96 12821304 transmission-dbg_2.61-1_amd64.deb
 f22215a6c96dca299b5037baf98295cce270b4b3 1152872 transmission-cli_2.61-1_amd64.deb
 9c78ac8ef42e02c8729ab694b69f57029e9069d7 1183918 transmission-gtk_2.61-1_amd64.deb
 7893b2bf0ca40e6c7c8e2cb473db1e39f0806218 631884 transmission-qt_2.61-1_amd64.deb
 e121df6bd6d01ce4e71d98055a7abfa6409565a4 234798 transmission-daemon_2.61-1_amd64.deb
Checksums-Sha256: 
 3fe5158c97f9f7b754d6abec7587303fc3a6590cb2207af07976f695707ba091 1849 transmission_2.61-1.dsc
 5750d2bcd9bf95bff8f36d01a889a2f0ff8651504ee5f5c05f98e5ad8874e4dc 4199705 transmission_2.61.orig.tar.bz2
 edc3e8facc5119db5c6a086f61b45af63c47b68eba82ad5652bb78252bd1cf45 16439 transmission_2.61-1.debian.tar.bz2
 64f4eea1ec29dc72d795fc4bc7b473e6fa4807fbdc4d0e3a0c1a815291dc06a7 1086 transmission_2.61-1_all.deb
 59627d2cdf7c60d5d96361f685b431a594ed4eceb62571e63167ca725a97e03c 292476 transmission-common_2.61-1_all.deb
 abe9efcb92b1d73a01ed26a7db09b8d19887b5e03dfdb0602c80e9903ccebf09 12821304 transmission-dbg_2.61-1_amd64.deb
 d0a220b4416073583d4b1fec696e1bbd06af0766c0e2e8899718261d885f8d4c 1152872 transmission-cli_2.61-1_amd64.deb
 473eb326b56bc764e7dabc5689ef6bc9029ddc6adf21b5c76eb698c563adf7b1 1183918 transmission-gtk_2.61-1_amd64.deb
 8847c28b25c2ba3ad6fab4d26e0e07c96044ae2f224f4524fd6a1472e083a34a 631884 transmission-qt_2.61-1_amd64.deb
 ffb78e5d81f44f5a2c42cf6833d384de2ad2bd5d3b27b89f42c07b5bda93cb90 234798 transmission-daemon_2.61-1_amd64.deb
Files: 
 8cf3ff3a22a21766519de335005c4b63 1849 net optional transmission_2.61-1.dsc
 a7849550d82d8a51ddaacd35edc8afe0 4199705 net optional transmission_2.61.orig.tar.bz2
 740eef6b5f9fe9b5d57ba54c3896ce0d 16439 net optional transmission_2.61-1.debian.tar.bz2
 4bc7f5b168a0edcc4e9056f1e883c015 1086 net optional transmission_2.61-1_all.deb
 e4e2513acc25b3d43b260547cd34650e 292476 net optional transmission-common_2.61-1_all.deb
 348be774b4f91655aef1c64ceb068ea1 12821304 debug extra transmission-dbg_2.61-1_amd64.deb
 ec1c9b2aaffc2df99c4566e70e10e0df 1152872 net optional transmission-cli_2.61-1_amd64.deb
 3d401531ea29ea5c5e8ab1fb5e0087bd 1183918 net optional transmission-gtk_2.61-1_amd64.deb
 aaf9cf3aa890faa868ded0f47102758e 631884 net optional transmission-qt_2.61-1_amd64.deb
 c475061ecfe093ba70f424d685b2fb53 234798 net optional transmission-daemon_2.61-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlAXx4wACgkQImLTb3rflGZ+fgCg3t3HnJVebdPQKB2oyml32EG4
2GMAoIyha/jtUtwJWSHcw0XRHfqsGkU7
=3S46
-----END PGP SIGNATURE-----




Marked as found in versions transmission/2.03-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 01 Nov 2013 22:32:19 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 08:03:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:08:24 2019; Machine Name: buxtehude
