A CVE has been issued for a security issue in Transmission 2.84, released July 1: http://openwall.com/lists/oss-security/2014/07/11/5 Cauldron has already been updated to 2.84. Mageia 3 and Mageia 4 are affected.
CC: (none) => fundawang, mageia, oe, olav
Whiteboard: (none) => MGA3TOO
Debian has issued an advisory for this today (July 16): http://www.ubuntu.com/usn/usn-2279-1/
URL: (none) => http://lwn.net/Vulnerabilities/605629/
Patched packages uploaded for Mageia 3 and Mageia 4.
Advisory:
========================
Updated transmission packages fix security vulnerability:
Ben Hawkes discovered that Transmission incorrectly handled certain peer messages. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code (CVE-2014-4909).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4909
http://www.ubuntu.com/usn/usn-2279-1/
========================
Updated packages in core/updates_testing:
========================
Wrote: /home/iurt/rpmbuild/RPMS/noarch/transmission-common-2.77-1.1.mga3.noarch.rpm
transmission-cli-2.77-1.1.mga3
transmission-gtk-2.77-1.1.mga3
transmission-qt4-2.77-1.1.mga3
transmission-daemon-2.77-1.1.mga3
transmission-common-2.82-2.1.mga4
transmission-cli-2.82-2.1.mga4
transmission-gtk3-2.82-2.1.mga4
transmission-qt5-2.82-2.1.mga4
transmission-daemon-2.82-2.1.mga4
from SRPMS:
transmission-2.77-1.1.mga3.src.rpm
transmission-2.82-2.1.mga4.src.rpm
CC: (none) => mageia
Assignee: mageia => qa-bugs
Severity: normal => major
Oops, fixing cosmetic issue in package list.
Advisory:
========================
Updated transmission packages fix security vulnerability:
Ben Hawkes discovered that Transmission incorrectly handled certain peer messages. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code (CVE-2014-4909).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4909
http://www.ubuntu.com/usn/usn-2279-1/
========================
Updated packages in core/updates_testing:
========================
transmission-common-2.77-1.1.mga3
transmission-cli-2.77-1.1.mga3
transmission-gtk-2.77-1.1.mga3
transmission-qt4-2.77-1.1.mga3
transmission-daemon-2.77-1.1.mga3
transmission-common-2.82-2.1.mga4
transmission-cli-2.82-2.1.mga4
transmission-gtk3-2.82-2.1.mga4
transmission-qt5-2.82-2.1.mga4
transmission-daemon-2.82-2.1.mga4
from SRPMS:
transmission-2.77-1.1.mga3.src.rpm
transmission-2.82-2.1.mga4.src.rpm
I'm starting to test this.
CC: (none) => ozkyster
Tested on mga4-64. Installed transmission-gtk3-2.82-2.mga4.x86_64 and started downloading torrent. Then installed transmission-gtk3-2.82-2.1.mga4.x86_64 and started the torrent back up. Things seem to be working, no issues found, couldn't reproduce security issues, marking ok.
CC: (none) => dpremy
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
Same test on mga4-32, started mageia-4.1-i586.iso download via torrent on transmission-gtk3-2.82-2.mga4 and then upgraded to transmission-gtk3-2.82-2.1.mga4 and started the torrent back up. Browsed around in settings and the properties of the torrent without issue. Marking ok.
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok
I have finished my testing; it's OK on Mageia 4 and Mageia 3, 64 and 32 bit.
Thanks Otto. This is ready for validation when the advisory is uploaded.
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok mga3-64-ok
I can validate but I can't do the advisory, so can Claire or Remi send the advisory for me?
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update validated. Can sysadmin push this to Mageia 4 and 3 updates, and add the advisory?
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok mga3-64-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok mga3-64-ok advisory
Update pushed. http://advisories.mageia.org/MGASA-2014-0298.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
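A way to check whether installed transmission packages are at or above the fixed builds named in the advisory above, as an added example that is not part of the original bug report. The function names and the sample package list are constructed, and the comparison is a simplified rpm-style version compare (no epoch, no `~` or `^` handling).

```python
import re

# Fixed (version, release) per Mageia release, taken from the advisory above.
FIXED = {"mga3": ("2.77", "1.1.mga3"), "mga4": ("2.82", "2.1.mga4")}

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, rpm style.

    A plain string compare would rank "2.mga4" above "2.1.mga4"
    ('m' > '1'), so digit and letter runs are compared as segments.
    """
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            # A numeric segment is newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(nvra):
    """True/False for a name-version-release[.arch] string, None if unknown release."""
    nvr = re.sub(r"\.(x86_64|i586|noarch)$", "", nvra)
    _name, version, release = nvr.rsplit("-", 2)
    dist = release.rsplit(".", 1)[-1]
    if dist not in FIXED:
        return None
    fixed_version, fixed_release = FIXED[dist]
    cmp = rpmvercmp(version, fixed_version)
    if cmp == 0:
        cmp = rpmvercmp(release, fixed_release)
    return cmp >= 0

def unfixed(installed):
    """Return the packages that are still below the fixed build."""
    return [p for p in installed if is_fixed(p) is False]

# Constructed sample in the shape of `rpm -qa 'transmission*'` output.
SAMPLE = [
    "transmission-gtk3-2.82-2.mga4.x86_64",     # pre-update build tested above
    "transmission-common-2.82-2.1.mga4.noarch", # fixed build
    "transmission-daemon-2.77-1.mga3.i586",     # constructed pre-update build
]

if __name__ == "__main__":
    for pkg in unfixed(SAMPLE):
        print("needs update:", pkg)
```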