USN-885-1: Transmission vulnerabilities

18 January 2010

transmission vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS

Software Description

  • transmission

Details

It was discovered that the Transmission web interface was vulnerable to cross-site request forgery (CSRF) attacks. If a user were tricked into opening a specially crafted web page in a browser while Transmission was running, an attacker could trigger commands in Transmission. This issue affected Ubuntu 9.04. (CVE-2009-1757)

Dan Rosenberg discovered that Transmission did not properly perform input validation when processing torrent files. If a user were tricked into opening a crafted torrent file, an attacker could overwrite files via directory traversal. (CVE-2010-0012)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
transmission-cli - 1.75-0ubuntu2.2
transmission-gtk - 1.75-0ubuntu2.2
transmission-qt - 1.75-0ubuntu2.2
Ubuntu 9.04
transmission-cli - 1.51-0ubuntu3.1
transmission-gtk - 1.51-0ubuntu3.1
Ubuntu 8.10
transmission-cli - 1.34-0ubuntu2.3
transmission-gtk - 1.34-0ubuntu2.3
Ubuntu 8.04 LTS
transmission-cli - 1.06-0ubuntu6.1
transmission-gtk - 1.06-0ubuntu6.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart Transmission to effect the necessary changes.

References