Fedora has issued an advisory today (March 14):
The issue is fixed upstream in 1.3.14. Mageia 5 is also affected.
Thank you very much David. I have committed deluge-1.3.14 to svn and asked for freeze push for Cauldron.
I have updated deluge in Mageia 5 with the security fix included. Package is deluge-1.3.11-1.1.mga5 in core/updates_testing repository.
Updated deluge package fixes a CSRF (Cross-site request forgery) vulnerability using upstream patch. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.[*]
Updated packages in core/updates_testing:
MGA5TOO advisory =>
Testing M5_64 deluge-1.3.11-1.1.mga5
Deluge was already installed; it updated cleanly.
Running it to download our XFCE Live 64-bit from
Will leave it going a long time to see what happens. It is downloading OK, but not seeding. The various information tabs show nothing!
Testing M5_6' continued from previous comment.
Deluge after completing the download in one long session, no getting chunks from here & there. The end result .iso was indentical to the latest testing sta2 one. Then it sat there all day in 'seeding' mode, but with no activity. In the absence of anything obviously wrong, OKing this update.
You're likely just missing some open ports or routing Lewis. Perhaps uPnP.
Validating the update
An update for this issue has been pushed to the Mageia Updates repository.
This is CVE-2017-7178, according to openSUSE:
deluge new CSRF security issue =>
deluge new CSRF security issue (CVE-2017-7178)