USN-885-1: Transmission vulnerabilities

Releases

• Ubuntu 9.10
• Ubuntu 9.04
• Ubuntu 8.10
• Ubuntu 8.04

Packages

• transmission -

Details

It was discovered that the Transmission web interface was vulnerable to
cross-site request forgery (CSRF) attacks. If a user were tricked into
opening a specially crafted web page in a browser while Transmission was
running, an attacker could trigger commands in Transmission. This issue
affected Ubuntu 9.04. (CVE-2009-1757)

Dan Rosenberg discovered that Transmission did not properly perform input
validation when processing torrent files. If a user were tricked into
opening a crafted torrent file, an attacker could overwrite files via
directory traversal. (CVE-2010-0012)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

• transmission-gtk - 1.75-0ubuntu2.2
• transmission-cli - 1.75-0ubuntu2.2
• transmission-qt - 1.75-0ubuntu2.2

Ubuntu 9.04

• transmission-gtk - 1.51-0ubuntu3.1
• transmission-cli - 1.51-0ubuntu3.1

Ubuntu 8.10

• transmission-gtk - 1.34-0ubuntu2.3
• transmission-cli - 1.34-0ubuntu2.3

Ubuntu 8.04

• transmission-gtk - 1.06-0ubuntu6.1
• transmission-cli - 1.06-0ubuntu6.1

After a standard system upgrade you need to restart Transmission to effect
the necessary changes.

References

• CVE-2010-0012
• CVE-2009-1757