[USN-885-1] Transmission vulnerabilities
Jamie Strandboge
jamie at canonical.com
Thu Jan 14 18:44:22 UTC 2010
===========================================================
Ubuntu Security Notice USN-885-1 January 14, 2010
transmission vulnerabilities
CVE-2009-1757, CVE-2010-0012
===========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  transmission-cli 1.06-0ubuntu6.1
  transmission-gtk 1.06-0ubuntu6.1

Ubuntu 8.10:
  transmission-cli 1.34-0ubuntu2.3
  transmission-gtk 1.34-0ubuntu2.3

Ubuntu 9.04:
  transmission-cli 1.51-0ubuntu3.1
  transmission-gtk 1.51-0ubuntu3.1

Ubuntu 9.10:
  transmission-cli 1.75-0ubuntu2.2
  transmission-gtk 1.75-0ubuntu2.2
  transmission-qt 1.75-0ubuntu2.2

After a standard system upgrade you need to restart Transmission to effect
the necessary changes.

Details follow:

It was discovered that the Transmission web interface was vulnerable to
cross-site request forgery (CSRF) attacks. If a user were tricked into
opening a specially crafted web page in a browser while Transmission was
running, an attacker could trigger commands in Transmission. This issue
affected Ubuntu 9.04. (CVE-2009-1757)

Dan Rosenberg discovered that Transmission did not properly perform input
validation when processing torrent files. If a user were tricked into
opening a crafted torrent file, an attacker could overwrite files via
directory traversal. (CVE-2010-0012)
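
The kind of input validation the second issue calls for can be checked before a torrent file is ever opened in a client. The following is an added example, not Transmission's code or the packaged fix: it assumes the standard BitTorrent metainfo layout (`info.name`, `info.files[].path`), and the function names and sample bytes are constructed for illustration.

```python
# Added example: report file paths in a .torrent that could escape the
# download directory. Not Transmission code; names here are hypothetical.

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dictionary
        items, i = [], i + 1
        while data[i:i + 1] != b"e":               # truncated input raises ValueError
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)                    # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def unsafe_component(part: bytes) -> bool:
    """A path component must be a plain name: no '.', '..', separators or NUL."""
    return (part in (b"", b".", b"..") or b"/" in part
            or b"\\" in part or b"\x00" in part)

def unsafe_paths(torrent: bytes) -> list:
    """Return every file path in the metainfo with an unsafe component."""
    meta, _ = bdecode(torrent)
    info = meta[b"info"]
    name = info[b"name"]
    if b"files" in info:                           # multi-file: name is the top directory
        entries = [[name] + f[b"path"] for f in info[b"files"]]
    else:                                          # single-file: name is the file itself
        entries = [[name]]
    return [b"/".join(p).decode("utf-8", "replace")
            for p in entries if any(unsafe_component(c) for c in p)]

# Constructed sample: two files, the second with ".." path components.
SAMPLE = (b"d4:infod5:filesl"
          b"d6:lengthi1e4:pathl4:docs5:a.txtee"
          b"d6:lengthi1e4:pathl2:..2:..10:target.txtee"
          b"e4:name4:demoee")

if __name__ == "__main__":
    print(unsafe_paths(SAMPLE))
```

A client or mail/web gateway can refuse any torrent for which `unsafe_paths` returns a non-empty list; malformed bencoding raises an exception and should be treated as a rejection as well.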