| Bug ID | 1039815 |
|---|---|
| Summary | VUL-1: CVE-2017-9031: deluge: webUI: directory traversal vulnerability |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 42.2 |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | security-team@suse.de |
| Reporter | mikhail.kasimov@gmail.com |
| QA Contact | qa-bugs@suse.de |
| Found By | --- |
| Blocker | --- |
Ref: http://seclists.org/oss-sec/2017/q2/296 ============================================= CVE-2017-9031 was assigned for the following directory traversal issue in Deluge's WebUI: http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15 Quoting upstream announce: Highly recommended to upgrade to this release as it contains a directory traversal security fix that once again has the real potential to compromise your machine. The related commit is: http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd which gives more information about the issue: [WebUI] Check render template files exist and raise 404 if not - Check render/* requests match to .html files in the 'render' dir - Protects against directory (path) traversal Additional reference: https://bugs.debian.org/862611 ============================================= Hyperlink [1] http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15 [2] https://security-tracker.debian.org/tracker/CVE-2017-9031 [3] https://bugs.debian.org/862611 [4] http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd (open-)SUSE: https://software.opensuse.org/package/deluge 1.3.13 (42.2, official repo) 1.3.14 (42.3, TW, official repo)