Mailinglist Archive: opensuse-bugs (4284 mails)

< Previous Next >
[Bug 1039815] New: VUL-1: CVE-2017-9031: deluge: webUI: directory traversal vulnerability
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Thu, 18 May 2017 21:23:00 +0000
  • Message-id: <bug-1039815-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1039815


Bug ID: 1039815
Summary: VUL-1: CVE-2017-9031: deluge: webUI: directory
traversal vulnerability
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q2/296
=============================================
CVE-2017-9031 was assigned for the following directory traversal issue
in Deluge's WebUI:

http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15

Quoting upstream announce:

Highly recommended to upgrade to this release as it contains a
directory traversal security fix that once again has the real
potential to compromise your machine.


The related commit is:

http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd

which gives more information about the issue:

[WebUI] Check render template files exist and raise 404 if not
- Check render/* requests match to .html files in the 'render' dir
- Protects against directory (path) traversal


Additional reference:
https://bugs.debian.org/862611
=============================================

Hyperlink

[1] http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15

[2] https://security-tracker.debian.org/tracker/CVE-2017-9031

[3] https://bugs.debian.org/862611

[4]
http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd


(open-)SUSE: https://software.opensuse.org/package/deluge

1.3.13 (42.2, official repo)
1.3.14 (42.3, TW, official repo)

--
You are receiving this mail because:
You are on the CC list for the bug.
< Previous Next >
Follow Ups