Debian Bug report logs - #857903
deluge: CVE-2017-7178: WebUI CSRF vulnerability


Package: deluge-webui; Maintainer for deluge-webui is Cristian Greco <cristian@debian.org>; Source for deluge-webui is src:deluge.

Reported by: Jonatan Nyberg <jonatan@autistici.org>

Date: Thu, 16 Mar 2017 09:27:05 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions deluge/1.3.10-1, deluge/1.3.13+git20161130.48cedf63-1

Fixed in version deluge/1.3.13+git20161130.48cedf63-2

Done: Andrew Starr-Bochicchio <asb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Cristian Greco <cristian@debian.org>:
Bug#857903; Package deluge-webui. (Thu, 16 Mar 2017 09:27:07 GMT)


Acknowledgement sent to Jonatan Nyberg <jonatan@autistici.org>:
New Bug report received and forwarded. Copy sent to Cristian Greco <cristian@debian.org>. (Thu, 16 Mar 2017 09:27:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jonatan Nyberg <jonatan@autistici.org>
To: submit@bugs.debian.org
Subject: deluge-webui: WebUI CSRF vulnerability
Date: Thu, 16 Mar 2017 10:20:41 +0100
Package: deluge-webui
Severity: important

Dear Maintainer,

Deluge 1.3.14 has an important fix for the WebUI CSRF vulnerability
that has the real potential to compromise your machine. It is important
to update to this version as soon as possible.

Kind regards,
Jonatan



Added tag(s) security. Request was from Andrew Starr-Bochicchio <asb@debian.org> to control@bugs.debian.org. (Sun, 19 Mar 2017 17:51:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Cristian Greco <cristian@debian.org>:
Bug#857903; Package deluge-webui. (Sun, 19 Mar 2017 18:03:05 GMT)


Acknowledgement sent to Andrew Starr-Bochicchio <a.starr.b@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cristian Greco <cristian@debian.org>. (Sun, 19 Mar 2017 18:03:05 GMT)


Message #12 received at 857903@bugs.debian.org:

From: Andrew Starr-Bochicchio <a.starr.b@gmail.com>
To: 857903@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [/master] webui-csfr.patch: Only accept application/json content-type requests (Closes: #857903). Protects against CSRF.
Date: Sun, 19 Mar 2017 18:00:53 +0000
tag 857903 pending
thanks

Date: Sun Mar 19 13:35:50 2017 -0400
Author: Andrew Starr-Bochicchio <a.starr.b@gmail.com>
Commit ID: a1fb989476545c0e7c7887d0f4d717447deba202
Commit URL: https://anonscm.debian.org/cgit/collab-maint/deluge.git;a=commitdiff;h=a1fb989476545c0e7c7887d0f4d717447deba202
Patch URL: https://anonscm.debian.org/cgit/collab-maint/deluge.git;a=commitdiff_plain;h=a1fb989476545c0e7c7887d0f4d717447deba202

    webui-csfr.patch: Only accept application/json content-type requests (Closes: #857903). Protects against CSRF.
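The patch summary above describes the whole mitigation: the web UI's JSON-RPC endpoint stops accepting requests whose Content-Type is anything other than application/json. A cross-site HTML form can only submit application/x-www-form-urlencoded, multipart/form-data or text/plain, and a cross-site XHR/fetch that sets a JSON content type triggers a CORS preflight the server never approves, so the browser can no longer be used as a confused deputy for state-changing RPC calls. The following is an added illustration of that gate written for this page; it is not Deluge's code or the Debian patch, and the handler name, the `rpc_methods` table and the method names in it are constructed for the example.

```python
"""Content-Type gate for a JSON-RPC endpoint, modelled on the idea in the
Debian webui-csrf.patch (only accept application/json requests).
Added example: handle_rpc, rpc_methods and the method names are assumptions,
not Deluge's real API."""
import json

# Constructed stand-in for the real RPC surface; names are illustrative only.
rpc_methods = {
    "example.echo": lambda params: params,
    "example.add": lambda params: sum(params),
}


def _media_type(content_type):
    """Return the bare media type, lower-cased, with parameters such as
    '; charset=utf-8' removed.  None when the header is absent."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def handle_rpc(method, headers, body):
    """Process one HTTP request and return (status_code, response_dict).

    headers: dict of request headers (looked up case-insensitively here).
    body:    the raw request body as str or bytes.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}

    if method != "POST":
        return 405, {"error": "method not allowed"}

    # The CSRF gate: a plain cross-site form post can never carry this
    # media type, and a cross-site fetch that sets it is stopped by the
    # CORS preflight, which this server does not answer permissively.
    if _media_type(hdrs.get("content-type")) != "application/json":
        return 415, {"error": "Content-Type must be application/json"}

    try:
        req = json.loads(body)
    except (ValueError, TypeError):
        return 400, {"error": "malformed JSON"}
    if not isinstance(req, dict) or "method" not in req:
        return 400, {"error": "not a JSON-RPC request"}

    fn = rpc_methods.get(req["method"])
    if fn is None:
        return 404, {"id": req.get("id"), "error": "unknown method"}
    return 200, {"id": req.get("id"), "result": fn(req.get("params", []))}


if __name__ == "__main__":
    # A legitimate call from the web UI's own JavaScript.
    print(handle_rpc("POST", {"Content-Type": "application/json; charset=utf-8"},
                     '{"id": 1, "method": "example.add", "params": [2, 3]}'))
    # What a cross-site <form> submission looks like to the server: rejected.
    print(handle_rpc("POST", {"Content-Type": "application/x-www-form-urlencoded"},
                     "method=example.add&params=2&params=3"))
```

The check is only as strong as the browser's same-origin rules: it does nothing if the server later enables a permissive CORS policy (`Access-Control-Allow-Origin` for arbitrary origins), and it does not help against a non-browser client that already holds the session cookie. It is a cheap first layer; an origin or token check on top of it is the usual belt-and-braces arrangement.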

      



Marked as found in versions deluge/1.3.13+git20161130.48cedf63-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 19 Mar 2017 18:03:07 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 19 Mar 2017 18:03:09 GMT)


Added tag(s) pending. Request was from Andrew Starr-Bochicchio <a.starr.b@gmail.com> to control@bugs.debian.org. (Sun, 19 Mar 2017 18:03:11 GMT)


Reply sent to Andrew Starr-Bochicchio <asb@debian.org>:
You have taken responsibility. (Sun, 19 Mar 2017 18:21:09 GMT)


Notification sent to Jonatan Nyberg <jonatan@autistici.org>:
Bug acknowledged by developer. (Sun, 19 Mar 2017 18:21:09 GMT)


Message #23 received at 857903-close@bugs.debian.org:

From: Andrew Starr-Bochicchio <asb@debian.org>
To: 857903-close@bugs.debian.org
Subject: Bug#857903: fixed in deluge 1.3.13+git20161130.48cedf63-2
Date: Sun, 19 Mar 2017 18:19:01 +0000
Source: deluge
Source-Version: 1.3.13+git20161130.48cedf63-2

We believe that the bug you reported is fixed in the latest version of
deluge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857903@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Starr-Bochicchio <asb@debian.org> (supplier of updated deluge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 19 Mar 2017 13:37:10 -0400
Source: deluge
Binary: deluge-common deluged deluge-console deluge-web deluge-gtk deluge deluge-webui deluge-torrent
Architecture: source all
Version: 1.3.13+git20161130.48cedf63-2
Distribution: unstable
Urgency: high
Maintainer: Cristian Greco <cristian@debian.org>
Changed-By: Andrew Starr-Bochicchio <asb@debian.org>
Description:
 deluge     - bittorrent client written in Python/PyGTK
 deluge-common - bittorrent client written in Python/PyGTK (common files)
 deluge-console - bittorrent client written in Python/PyGTK (console ui)
 deluge-gtk - bittorrent client written in Python/PyGTK (GTK+ ui)
 deluge-torrent - bittorrent client (gtk ui transitional package)
 deluge-web - bittorrent client written in Python/PyGTK (web ui)
 deluge-webui - bittorrent client (web ui transitional package)
 deluged    - bittorrent client written in Python/PyGTK (daemon)
Closes: 857903
Changes:
 deluge (1.3.13+git20161130.48cedf63-2) unstable; urgency=high
 .
   * webui-csrf.patch: Only accept application/json content-type
     requests (Closes: #857903). Protects against CSRF.
Checksums-Sha1:
 f4737d1cea141cef0f3bc2d3e6af832072b96d66 2448 deluge_1.3.13+git20161130.48cedf63-2.dsc
 06dd25b4cccb086619a72b1a97f6797413bf072b 567312 deluge_1.3.13+git20161130.48cedf63-2.debian.tar.xz
 0a4edea37daf4c9c4a94ce244d11dde0f7a6d704 768650 deluge-common_1.3.13+git20161130.48cedf63-2_all.deb
 055a5c5aab48d74adf73f40cb8c79af7d87ad5d9 52854 deluge-console_1.3.13+git20161130.48cedf63-2_all.deb
 252b33009f074bba758276190238967ff62e0d0c 246328 deluge-gtk_1.3.13+git20161130.48cedf63-2_all.deb
 996e082d44f9377d1a3531dfbd921d37be704d6a 34656 deluge-torrent_1.3.13+git20161130.48cedf63-2_all.deb
 f512a63aa28ace4e846d55569336927e49f11852 496538 deluge-web_1.3.13+git20161130.48cedf63-2_all.deb
 d278bcfa6b6cda1ba9de3e53b3393816dfe22eef 34666 deluge-webui_1.3.13+git20161130.48cedf63-2_all.deb
 1b2c7bfedf1e75591d7a4e365857085a87a0d159 42520 deluge_1.3.13+git20161130.48cedf63-2_all.deb
 50c8f119f6888240cd8f789628d80af060c38b1f 8394 deluge_1.3.13+git20161130.48cedf63-2_amd64.buildinfo
 13df1527953456c547d5a0f395413b30d3aae4d9 38382 deluged_1.3.13+git20161130.48cedf63-2_all.deb
Checksums-Sha256:
 88c31c41088eb3ef7ca04c396b865da5ba01161d3a6c40dc494e1ef7caf82b36 2448 deluge_1.3.13+git20161130.48cedf63-2.dsc
 626237e299dda439bdb24bb12f990af9e2f2b6c957319ca77a053e355098a025 567312 deluge_1.3.13+git20161130.48cedf63-2.debian.tar.xz
 790a7bff4a4e0047d7de13d65e5ef5a25336f4b25a385b7ae7b7e68b5ecacbee 768650 deluge-common_1.3.13+git20161130.48cedf63-2_all.deb
 c0c40fc8342148db6572498c529db83e8b0fe514b282fbf00ef4c94e32e03e7b 52854 deluge-console_1.3.13+git20161130.48cedf63-2_all.deb
 ab4334cab646e8f36108057db8fd3ef53acf58a476c76143f34bd77ce2fbc98f 246328 deluge-gtk_1.3.13+git20161130.48cedf63-2_all.deb
 d6e93fcbed326bad837f096b0bab68f2bec59aef0689794a0912fa0ef9fe569a 34656 deluge-torrent_1.3.13+git20161130.48cedf63-2_all.deb
 f2bee9a2d4554bc91d93f2849d2455af6e38c846794d5f97e8d45307c488a831 496538 deluge-web_1.3.13+git20161130.48cedf63-2_all.deb
 2f80890f989d8be4f143c578fed9aad22d570911a90fd830a52fc622217bbd42 34666 deluge-webui_1.3.13+git20161130.48cedf63-2_all.deb
 083749d768af2cda5f9740a96dee587478fba58e9c213f531ba5ed6b6b5bf9e2 42520 deluge_1.3.13+git20161130.48cedf63-2_all.deb
 f7136b49f2ac2224f1ad8dade41da0a0bd767209fd417026a77bae2a8b337090 8394 deluge_1.3.13+git20161130.48cedf63-2_amd64.buildinfo
 b3cd8b603a54538919b34e88af5e6c144e1c9c167abf7332b2b64f6b4a8ef378 38382 deluged_1.3.13+git20161130.48cedf63-2_all.deb
Files:
 4f891ef1d8d9437058c482ee34268631 2448 net optional deluge_1.3.13+git20161130.48cedf63-2.dsc
 c7a435f4d3b33353f17febb344f21c29 567312 net optional deluge_1.3.13+git20161130.48cedf63-2.debian.tar.xz
 bf5b0026de02b0081d09b7d78c7224a3 768650 net optional deluge-common_1.3.13+git20161130.48cedf63-2_all.deb
 61e5fa0085cafa1814f03ac0e0054382 52854 net optional deluge-console_1.3.13+git20161130.48cedf63-2_all.deb
 6ef7a6a42e5085ebb4129fd6033b0a48 246328 net optional deluge-gtk_1.3.13+git20161130.48cedf63-2_all.deb
 8ee57bb9151e1eb8e6cada00f7387a2f 34656 oldlibs extra deluge-torrent_1.3.13+git20161130.48cedf63-2_all.deb
 cedf664c5a9b7a3af1d057671cdb5b94 496538 net optional deluge-web_1.3.13+git20161130.48cedf63-2_all.deb
 3017e68b69fc9f617b8f41eb28ad736d 34666 oldlibs extra deluge-webui_1.3.13+git20161130.48cedf63-2_all.deb
 a0929a66473aae69cdd324934acdcde3 42520 net optional deluge_1.3.13+git20161130.48cedf63-2_all.deb
 bb74e609eefb8ec87f1c16a79d2eb451 8394 net optional deluge_1.3.13+git20161130.48cedf63-2_amd64.buildinfo
 50867f7991e39d6f17a8acc7dbb5416f 38382 net optional deluged_1.3.13+git20161130.48cedf63-2_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Marked as found in versions deluge/1.3.10-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 19 Mar 2017 18:42:02 GMT)


Changed Bug title to 'deluge: CVE-2017-7178: WebUI CSRF vulnerability' from 'deluge-webui: WebUI CSRF vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 19 Mar 2017 19:36:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Apr 2017 07:24:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 9 23:44:22 2018; Machine Name: buxtehude
