http://bugzilla.opensuse.org/show_bug.cgi?id=1039815 Bug ID: 1039815 Summary: VUL-1: CVE-2017-9031: deluge: webUI: directory traversal vulnerability Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Ref: http://seclists.org/oss-sec/2017/q2/296 ============================================= CVE-2017-9031 was assigned for the following directory traversal issue in Deluge's WebUI: http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15 Quoting upstream announce: Highly recommended to upgrade to this release as it contains a directory traversal security fix that once again has the real potential to compromise your machine. The related commit is: http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd which gives more information about the issue: [WebUI] Check render template files exist and raise 404 if not - Check render/* requests match to .html files in the 'render' dir - Protects against directory (path) traversal Additional reference: https://bugs.debian.org/862611 ============================================= Hyperlink [1] http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15 [2] https://security-tracker.debian.org/tracker/CVE-2017-9031 [3] https://bugs.debian.org/862611 [4] http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd (open-)SUSE: https://software.opensuse.org/package/deluge 1.3.13 (42.2, official repo) 1.3.14 (42.3, TW, official repo) -- You are receiving this mail because: You are on the CC list for the bug.