Debian Bug report logs - #886990
transmission: rpc session-id mechanism design flaw results in RCE
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sandro Tosi <morph@debian.org>: Bug#886990; Package src:transmission. (Fri, 12 Jan 2018 10:21:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sandro Tosi <morph@debian.org>. (Fri, 12 Jan 2018 10:21:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: transmission
Version: 2.92-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/transmission/transmission/pull/468
Hi
See the post on oss-security for details:
http://www.openwall.com/lists/oss-security/2018/01/11/1
Upstream: https://github.com/transmission/transmission/pull/468
Proposed patch: https://patch-diff.githubusercontent.com/raw/transmission/transmission/pull/468.diff
Regards,
Salvatore
Marked as found in versions transmission/2.84-0.2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Jan 2018 19:27:03 GMT)
Marked as fixed in versions transmission/2.92-2+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 13 Jan 2018 10:09:03 GMT)
Marked as fixed in versions transmission/2.84-0.2+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 13 Jan 2018 12:51:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Sandro Tosi <morph@debian.org>: Bug#886990; Package src:transmission. (Sun, 14 Jan 2018 18:03:06 GMT)
Acknowledgement sent to Abhijith PA <abhijith@openmailbox.org>: Extra info received and forwarded to list. Copy sent to Sandro Tosi <morph@debian.org>. (Sun, 14 Jan 2018 18:03:06 GMT)
Message #16 received at 886990@bugs.debian.org:
Hello.
Why doesn't this vulnerability have a CVE id? The security-tracker[1]
shows a temporary id.
--
Abhijith
Information forwarded to debian-bugs-dist@lists.debian.org, Sandro Tosi <morph@debian.org>: Bug#886990; Package src:transmission. (Wed, 17 Jan 2018 13:21:03 GMT)
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>: Extra info received and forwarded to list. Copy sent to Sandro Tosi <morph@debian.org>. (Wed, 17 Jan 2018 13:21:03 GMT)
Message #21 received at 886990@bugs.debian.org:
On 2018-01-14 23:20:39 +0530, Abhijith PA wrote:
> Why doesn't this vulnerability have a CVE id? The security-tracker[1]
> shows a temporary id.
This is CVE-2018-5702:
https://security-tracker.debian.org/tracker/CVE-2018-5702
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Reply sent to Sandro Tosi <morph@debian.org>: You have taken responsibility. (Fri, 19 Jan 2018 05:09:13 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 19 Jan 2018 05:09:13 GMT)
Message #26 received at 886990-close@bugs.debian.org:
Source: transmission
Source-Version: 2.92-3
We believe that the bug you reported is fixed in the latest version of
transmission, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 886990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sandro Tosi <morph@debian.org> (supplier of updated transmission package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 18 Jan 2018 23:34:22 -0500
Source: transmission
Binary: transmission transmission-common transmission-cli transmission-gtk transmission-qt transmission-daemon
Architecture: source amd64 all
Version: 2.92-3
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi <morph@debian.org>
Changed-By: Sandro Tosi <morph@debian.org>
Description:
transmission - lightweight BitTorrent client
transmission-cli - lightweight BitTorrent client (command line programs)
transmission-common - lightweight BitTorrent client (common files)
transmission-daemon - lightweight BitTorrent client (daemon)
transmission-gtk - lightweight BitTorrent client (GTK+ interface)
transmission-qt - lightweight BitTorrent client (Qt interface)
Closes: 771164 885151 886990
Changes:
transmission (2.92-3) unstable; urgency=medium
.
* debian/patches/transmission-fix-dns-rebinding-vuln.patch
- fix RCE execution via dns rebinding attack; fixes CVE-2018-5702;
Closes: #886990
* debian/patches/bts885151_fix_ftcbfs_ac_run_ifelse.patch
- fix a FTCBFS due to use of AC_RUN_IFELSE; Closes: #885151
* debian/{rules, transmission-qt.install}
- fix translation load in Qt frontend; patch by Rohan Garg; Closes: #771164
* debian/control
- bump Standards-Version to 4.1.3 (no changes needed)
- update versioned b-d on debhelper, so that we can drop dh-systemd
* debian/copyright
- extend packaging copyright years
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Mar 2018 07:30:03 GMT)
Last modified: Wed Jun 19 19:04:11 2019