Debian Bug report logs - #862611
deluge: CVE-2017-9031: directory traversal attack vulnerability
Reported by: Jonatan Nyberg <jonatan@autistici.org>
Date: Mon, 15 May 2017 06:36:02 UTC
Severity: serious
Tags: fixed-upstream, security, upstream
Found in version deluge/1.3.3-2
Fixed in versions deluge/1.3.13+git20161130.48cedf63-3, 1.3.3-2+nmu1+deb7u2
Done: Andrew Starr-Bochicchio <asb@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Cristian Greco <cristian@debian.org>:
Bug#862611; Package deluge-webui. (Mon, 15 May 2017 06:36:04 GMT)
Acknowledgement sent to Jonatan Nyberg <jonatan@autistici.org>:
New Bug report received and forwarded. Copy sent to Cristian Greco <cristian@debian.org>. (Mon, 15 May 2017 06:36:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: deluge-webui
severity: important
Dear Maintainer,
Deluge 1.3.15 has an important fix for a directory traversal security
vulnerability that has the potential to compromise your machine. It is
important to update to this version as soon as possible.
Kind regards,
Jonatan
Added tag(s) security. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Mon, 15 May 2017 07:03:04 GMT)
Severity set to 'serious' from 'important'. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Mon, 15 May 2017 07:03:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Cristian Greco <cristian@debian.org>:
Bug#862611; Package deluge-webui. (Mon, 15 May 2017 17:24:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Cristian Greco <cristian@debian.org>. (Mon, 15 May 2017 17:24:03 GMT)
Message #14 received at 862611@bugs.debian.org:
Hi,
> deluge-webui: directory traversal attack vulnerability
I think this is fixed in:
http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd
Regards,
--
Chris Lamb
lamby@debian.org / chris-lamb.co.uk
Information forwarded to debian-bugs-dist@lists.debian.org, Cristian Greco <cristian@debian.org>:
Bug#862611; Package deluge-webui. (Mon, 15 May 2017 19:54:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Cristian Greco <cristian@debian.org>. (Mon, 15 May 2017 19:54:05 GMT)
Message #19 received at 862611@bugs.debian.org:
CVE requested via https://cveform.mitre.org/
Regards,
Salvatore
Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 May 2017 20:27:13 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Cristian Greco <cristian@debian.org>:
Bug#862611; Package deluge-webui. (Tue, 16 May 2017 00:15:03 GMT)
Acknowledgement sent to Andrew Starr-Bochicchio <a.starr.b@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cristian Greco <cristian@debian.org>. (Tue, 16 May 2017 00:15:03 GMT)
Message #26 received at 862611@bugs.debian.org:
tag 862611 pending
thanks
Date: Mon May 15 20:09:36 2017 -0400
Author: Andrew Starr-Bochicchio <a.starr.b@gmail.com>
Commit ID: 3d1b3b4500f155a25bc2e5e92ae56437fa728041
Commit URL: https://anonscm.debian.org/cgit/collab-maint/deluge.git;a=commitdiff;h=3d1b3b4500f155a25bc2e5e92ae56437fa728041
Patch URL: https://anonscm.debian.org/cgit/collab-maint/deluge.git;a=commitdiff_plain;h=3d1b3b4500f155a25bc2e5e92ae56437fa728041
Check if template files exist and raise 404 if not in order to protect webui against directory traversal (Closes: #862611).
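As an added illustration of the kind of check the commit message above describes (this is example code written for this page, not Deluge's or Debian's own patch; the names `resolve_template` and `NotFound` and the directory layout are assumptions), the lookup below resolves a requested template name under the template root and answers 404 for anything that is missing or that escapes the root:

```python
"""Safe template lookup for a web UI.

Added example, not Deluge's own code. A requested template name is
resolved under the template root and refused (HTTP 404 semantics) when
it is missing, is not a regular file, or resolves outside the root.
"""
import os
import tempfile


class NotFound(Exception):
    """Raised for anything the web UI should answer with HTTP 404."""


def resolve_template(root, requested):
    """Return the absolute path of `requested` under `root`, or raise NotFound.

    Checks, in order:
    1. The symlink-resolved candidate must lie inside the symlink-resolved
       root; this covers '..' segments, absolute paths (os.path.join drops
       `root` when `requested` is absolute) and symlinks pointing outside.
    2. The candidate must be an existing regular file, never a directory.
    3. Only the template extension the UI serves is allowed.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise NotFound(requested)
    if not os.path.isfile(candidate):
        raise NotFound(requested)
    if not candidate.endswith(".html"):
        raise NotFound(requested)
    return candidate


def demo():
    """Build a constructed template tree and exercise each branch.

    Returns a mapping of request -> status (200 when a path is returned,
    404 when NotFound is raised), so the outcome can be asserted on.
    """
    base = tempfile.mkdtemp()  # constructed, throwaway sandbox
    root = os.path.join(base, "templates")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>ok</html>")
    with open(os.path.join(base, "outside.txt"), "w") as fh:
        fh.write("not a template and not under the root")

    requests = (
        "index.html",       # valid template -> served
        "missing.html",     # nonexistent -> 404 instead of an exception/traceback
        "../outside.txt",   # escapes the root -> 404
        "/index.html",      # absolute request discards root -> 404
        "",                 # resolves to the root directory itself -> 404
    )
    results = {}
    for req in requests:
        try:
            resolve_template(root, req)
            results[req] = 200
        except NotFound:
            results[req] = 404
    return results


if __name__ == "__main__":
    for req, status in demo().items():
        print("%-16r -> %d" % (req, status))
```

The ordering matters: the containment check runs before the existence check, so a request outside the root never touches the filesystem beyond `realpath`, and a missing file yields a 404 rather than an unhandled error that could leak paths in a traceback.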
Added tag(s) pending. Request was from Andrew Starr-Bochicchio <a.starr.b@gmail.com> to control@bugs.debian.org. (Tue, 16 May 2017 00:15:04 GMT)
Reply sent to Andrew Starr-Bochicchio <asb@debian.org>:
You have taken responsibility. (Tue, 16 May 2017 00:36:03 GMT)
Notification sent to Jonatan Nyberg <jonatan@autistici.org>:
Bug acknowledged by developer. (Tue, 16 May 2017 00:36:03 GMT)
Message #33 received at 862611-close@bugs.debian.org:
Source: deluge
Source-Version: 1.3.13+git20161130.48cedf63-3
We believe that the bug you reported is fixed in the latest version of
deluge, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 862611@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrew Starr-Bochicchio <asb@debian.org> (supplier of updated deluge package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 15 May 2017 20:09:48 -0400
Source: deluge
Binary: deluge-common deluged deluge-console deluge-web deluge-gtk deluge deluge-webui deluge-torrent
Architecture: source all
Version: 1.3.13+git20161130.48cedf63-3
Distribution: unstable
Urgency: high
Maintainer: Cristian Greco <cristian@debian.org>
Changed-By: Andrew Starr-Bochicchio <asb@debian.org>
Description:
deluge - bittorrent client written in Python/PyGTK
deluge-common - bittorrent client written in Python/PyGTK (common files)
deluge-console - bittorrent client written in Python/PyGTK (console ui)
deluge-gtk - bittorrent client written in Python/PyGTK (GTK+ ui)
deluge-torrent - bittorrent client (gtk ui transitional package)
deluge-web - bittorrent client written in Python/PyGTK (web ui)
deluge-webui - bittorrent client (web ui transitional package)
deluged - bittorrent client written in Python/PyGTK (daemon)
Closes: 862611
Changes:
deluge (1.3.13+git20161130.48cedf63-3) unstable; urgency=high
.
* Check if template files exist and raise 404 if not
in order to protect webui against directory traversal
(Closes: #862611).
Checksums-Sha1:
ce9edc5b9a4456fc676c66fe88ff9849069b2ac3 2448 deluge_1.3.13+git20161130.48cedf63-3.dsc
bf160b89db919e0d07435429246cd47d140ceb5b 567828 deluge_1.3.13+git20161130.48cedf63-3.debian.tar.xz
4ac33b59e88dad7d2ad003cb365ea0bf23923b84 768500 deluge-common_1.3.13+git20161130.48cedf63-3_all.deb
9f727aedabda3f6b0fc1d7833ca631d0ad6f5af5 52920 deluge-console_1.3.13+git20161130.48cedf63-3_all.deb
a4fe3d14c6b57439c54d7f6c4e12cb799e1892a6 246386 deluge-gtk_1.3.13+git20161130.48cedf63-3_all.deb
361bb95406d079bf5b8c226f28178133b0ec4c8f 34716 deluge-torrent_1.3.13+git20161130.48cedf63-3_all.deb
6e7837bdce5e27ac55d99c32bab90227d5469fa9 496658 deluge-web_1.3.13+git20161130.48cedf63-3_all.deb
a559ec8a799e5ee5ec8ec73672ae1781ef8c41be 34730 deluge-webui_1.3.13+git20161130.48cedf63-3_all.deb
52f1c1a8f452881531981592db8f8e189fcb5f5d 42584 deluge_1.3.13+git20161130.48cedf63-3_all.deb
06357f826dee5f33211f35cdba581c1ecde8a85b 8086 deluge_1.3.13+git20161130.48cedf63-3_amd64.buildinfo
8669faca0d36abcc4029e5cb5430927e8a3b2b4f 38442 deluged_1.3.13+git20161130.48cedf63-3_all.deb
Checksums-Sha256:
aa7a6704e407cf0ce1d9eac96ae38b9744a8e9397a5b9bf0fb869d43d435e422 2448 deluge_1.3.13+git20161130.48cedf63-3.dsc
22f4d35ca513838e79e2eec06e826c55ea27d3279672b525f31de2be7feed5bd 567828 deluge_1.3.13+git20161130.48cedf63-3.debian.tar.xz
c5337e809fd0c1cda577cc7976033b9f6ec0badcc2f14aa7337ffcae4a6b8c2f 768500 deluge-common_1.3.13+git20161130.48cedf63-3_all.deb
cfd05de909eac7848731e070a955d11eb108e41de3f23365745fefe2bbd9b2f1 52920 deluge-console_1.3.13+git20161130.48cedf63-3_all.deb
da5a7a88fe19ff81e8f08af88c846ed03675ed338ee7d4be2485d46fe61b241e 246386 deluge-gtk_1.3.13+git20161130.48cedf63-3_all.deb
247fbe97ac96d3b99bb466fb2b91342931ab1119b9251bc3741da6574a385e8f 34716 deluge-torrent_1.3.13+git20161130.48cedf63-3_all.deb
95b44be3c19d39ba0329287e0d651529ca1164c413bb7e99a817058381e29a14 496658 deluge-web_1.3.13+git20161130.48cedf63-3_all.deb
7a0b5e88e937964ac741a78756e27c8baf833b913698e6ad9591911bf8268c6a 34730 deluge-webui_1.3.13+git20161130.48cedf63-3_all.deb
a98ba94ac9579845966729a1ec206141e4fd728902cd91f69b3017c232c64005 42584 deluge_1.3.13+git20161130.48cedf63-3_all.deb
e14a848328592cbc47e2f583eca57e26fe43ab24abc1f8161afffb31a2ea0edf 8086 deluge_1.3.13+git20161130.48cedf63-3_amd64.buildinfo
d6a82e0684f4e9dbf76ae2ef86afe811dc918318b40f9fe60eda74f7aeeb7e73 38442 deluged_1.3.13+git20161130.48cedf63-3_all.deb
Files:
c770364a04d413b0488814adf67281f9 2448 net optional deluge_1.3.13+git20161130.48cedf63-3.dsc
bdb466d8d683857104c6ab39d25bf105 567828 net optional deluge_1.3.13+git20161130.48cedf63-3.debian.tar.xz
7658a84e29f02d2f4a7ce3f4bc9f967f 768500 net optional deluge-common_1.3.13+git20161130.48cedf63-3_all.deb
9a8147c17a46e74eb979025b1b7962fe 52920 net optional deluge-console_1.3.13+git20161130.48cedf63-3_all.deb
c71894147e3897fc9604d39ae782e0b6 246386 net optional deluge-gtk_1.3.13+git20161130.48cedf63-3_all.deb
2e203c97c922976f4eb6901308ded022 34716 oldlibs extra deluge-torrent_1.3.13+git20161130.48cedf63-3_all.deb
197bcdd7f221e950edf56730436122e5 496658 net optional deluge-web_1.3.13+git20161130.48cedf63-3_all.deb
7c2b2fa2d08afef6ee2b08f05b73faa2 34730 oldlibs extra deluge-webui_1.3.13+git20161130.48cedf63-3_all.deb
04fe824d46898013a87041921e4ff36d 42584 net optional deluge_1.3.13+git20161130.48cedf63-3_all.deb
b65cf84afbd860b0dd03b683a270d2c5 8086 net optional deluge_1.3.13+git20161130.48cedf63-3_amd64.buildinfo
011021069b9cbc015513644b71c6ba2a 38442 net optional deluged_1.3.13+git20161130.48cedf63-3_all.deb
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJZGkRCAAoJEDtW4rvVP9yxNtMP/2powIqQFiq6CnzMuUNk2X/U
3J0JNR5YVnYQfbHlffIEXvRZAI7hc135J11Ufc8yRKGowXkmTJ1mZt/nhlCcn7hY
WG77VuYr9x5L6f7dl7qKYFiVI5iWxbLwA8Mn+W0AzBUJziUQSUQd2P4pUeIWcZ9H
wmezNvbBDEKSSY39Yvf/Z+iRIu3WKYHhN0DYlkChHAowK8Zxbu8/U8ngIMgCFape
MH0HmAK8dgYNAP9KiDqwZDkeZKoAe4TZ960poRV2bH2Puqzm5xBSx6qqXVteqMbk
Wc1qtr3KhvLlCUxBlvyGrb8DKvITPYOItmIhFvroFQKZ7h6XgwYsVnUNy9xa9o7n
Vxg+kLd8C4CYxecmdovaVDi18lQU0aRsPvCWU45zEcsKIKBPyBpVXBC0scTrYBdD
JgC4sKhFwMCxyY59PpvJHCpIg857ZBAsyZX+x/YeBG/T024YwX7iorWyc/ej0Ijh
hMHH8xuX27tVmRW+1iZGrUYkGd82Ua6nzJEqLAVmJRjFUJXt9XPY76Jmx8/R3QQc
X3QN75xDbTxmPiIG1wEumlBDLQDqoIXwS1t4JoCGctxDurXeSsXiVwRrDE6crtZA
KoKmfYtye4zFmEYHV3w/8akeEB5fUT6kxRZv1oVNRVdsao9vMAyp7xPJDUIwFu+o
83lDtZLMc96oAfedOAp1
=/ZAr
-----END PGP SIGNATURE-----
Marked as found in versions deluge/1.3.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 May 2017 12:51:06 GMT)
Marked as fixed in versions 1.3.3-2+nmu1+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 May 2017 12:51:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Cristian Greco <cristian@debian.org>:
Bug#862611; Package deluge-webui. (Wed, 17 May 2017 19:12:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Cristian Greco <cristian@debian.org>. (Wed, 17 May 2017 19:12:03 GMT)
Message #42 received at 862611@bugs.debian.org:
Control: retitle -1 deluge: CVE-2017-9031: directory traversal attack vulnerability
CVE-2017-9031 got assigned for this issue.
Regards,
Salvatore
Changed Bug title to 'deluge: CVE-2017-9031: directory traversal attack vulnerability' from 'deluge-webui: directory traversal attack vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 862611-submit@bugs.debian.org. (Wed, 17 May 2017 19:12:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:29:24 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Tue Jan 9 23:44:21 2018; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.