[Bug 568228] New: Transmission should be updated to version 1.77
http://bugzilla.novell.com/show_bug.cgi?id=568228#c0

           Summary: Transmission should be updated to version 1.77
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: GNOME
        AssignedTo: bnc-team-gnome@forge.provo.novell.com
        ReportedBy: charles@transmissionbt.com
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.43 Safari/532.5

Transmission 1.77 has been released, which includes a bugfix that prevents user files from being overwritten by maliciously-crafted .torrent files.

The tarball is available at http://mirrors.m0k.org/transmission/files/transmission-1.77.tar.xz

Release notes are at http://trac.transmissionbt.com/wiki/Changes#version-1.77

As with 1.76, this release's diffs are intentionally small to make it easier to use in stable distro cycles. Should you only want the security patch, its diffs can be found at http://trac.transmissionbt.com/changeset/9829/

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=568228#c

Charles Kerr <charles@transmissionbt.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |security_vulnerability

http://bugzilla.novell.com/show_bug.cgi?id=568228#c1

Mingxi Wu <mxwu@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 CC|                            |mxwu@novell.com
      Info Provider|                            |vuntz@novell.com

--- Comment #1 from Mingxi Wu <mxwu@novell.com> 2010-01-06 02:38:06 UTC ---
Done in GNOME:Apps.

Vincent, do we need a maintenance update for 11.2?

http://bugzilla.novell.com/show_bug.cgi?id=568228#c2

Vincent Untz <vuntz@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vuntz@novell.com
      Info Provider|vuntz@novell.com            |security-team@suse.de

--- Comment #2 from Vincent Untz <vuntz@novell.com> 2010-01-06 09:39:37 UTC ---
Security team: do you think the bug mentioned above should be fixed in old releases? If yes, do you prefer the patch or the new upstream version?

Charles: do you know if transmission 1.11 (openSUSE 11.0) and 1.34 (openSUSE 11.1) are also affected by this issue?

http://bugzilla.novell.com/show_bug.cgi?id=568228#c3

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|security-team@suse.de       |
            Summary|Transmission should be      |VUL-0: transmission
                   |updated to version 1.77     |directory traversal

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2010-01-07 11:22:25 CET ---
CVE-2010-0012

The security implications are nicely described here:
https://bugs.launchpad.net/ubuntu/+source/transmission/+bug/500625

So yes, I think we should fix this, preferably with a patch.

http://bugzilla.novell.com/show_bug.cgi?id=568228#c4

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:29940

--- Comment #4 from Swamp Workflow Management <swamp@suse.com> 2010-01-07 10:24:22 UTC ---
The SWAMPID for this issue is 29940.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/29940)

http://bugzilla.novell.com/show_bug.cgi?id=568228#c5

Vincent Untz <vuntz@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |maintenance@opensuse.org

--- Comment #5 from Vincent Untz <vuntz@novell.com> 2010-01-11 14:57:36 UTC ---
Update submitted to 11.2 (sr#29147).

I have updates ready for 11.0 and 11.1 too, but it's unclear where they should get submitted (since there's no openSUSE:11.0:Update:Test project). This should probably be documented on http://en.opensuse.org/Maintenance too.

Note that I based the 11.0 & 11.1 update on the Debian patch for transmission 1.22 (since the upstream commit didn't apply to those old versions). I quickly looked at the Debian patch, and I think it's safe.

I also filled the patchinfo.

http://bugzilla.novell.com/show_bug.cgi?id=568228#c6

--- Comment #6 from Thomas Biege <thomas@novell.com> 2010-01-11 15:01:04 UTC ---
CVE-2010-0012: CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2010-0012: Path Traversal (CWE-22)

http://bugzilla.novell.com/show_bug.cgi?id=568228#c7

Ruediger Oertel <ro@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ro@novell.com

--- Comment #7 from Ruediger Oertel <ro@novell.com> 2010-01-11 16:17:51 UTC ---
why do you think there is no "openSUSE:11.0:Update:Test" project ?
the project exists and you can use it as target for submitreqs (same for 11.1)

it's just that the sr is rerouted later on to the IBS since that is where the 11.0/11.1 updates are built, but you can of course submit for 11.0/11.1 the same way you do for 11.2

http://bugzilla.novell.com/show_bug.cgi?id=568228#c8

Vincent Untz <vuntz@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
      Info Provider|maintenance@opensuse.org    |
         Resolution|                            |FIXED

--- Comment #8 from Vincent Untz <vuntz@novell.com> 2010-01-11 16:26:33 UTC ---
(In reply to comment #7)
> why do you think there is no "openSUSE:11.0:Update:Test" project ?

Hrm, I guess it's the fact that it's empty while openSUSE:11.2:Update:Test isn't :-)

Anyway, submitted for 11.0 (sr#29166) and 11.1 (sr#29165).

Everything done => closing.

http://bugzilla.novell.com/show_bug.cgi?id=568228#c9

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:29940         |maint:running:29940
                   |                            |maint:released:11.0:29941
                   |                            |maint:released:11.1:29941
                   |                            |maint:released:11.2:29941

--- Comment #9 from Swamp Workflow Management <swamp@suse.com> 2010-01-21 08:13:10 UTC ---
Update released for: transmission, transmission-common, transmission-common-lang, transmission-debuginfo, transmission-debugsource, transmission-gtk, transmission-gtk-debuginfo, transmission-lang, transmission-qt, transmission-qt-debuginfo

Products:
openSUSE 11.0 (debug, i386, ppc, x86_64)
openSUSE 11.1 (debug, i586, ppc, x86_64)
openSUSE 11.2 (debug, i586, x86_64)

http://bugzilla.novell.com/show_bug.cgi?id=568228#c

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:29940         |.
                   |maint:released:11.0:29941   |
                   |maint:released:11.1:29941   |
                   |maint:released:11.2:29941   |

http://bugzilla.novell.com/show_bug.cgi?id=568228#c10

--- Comment #10 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (568228) was mentioned in
https://build.opensuse.org/request/show/29147 11.2:Test / transmission
https://build.opensuse.org/request/show/29165 11.1:Test / transmission
https://build.opensuse.org/request/show/29166 11.0:Test / transmission