Bug 20475 - deluge new CSRF security issue (CVE-2017-7178)
Summary: deluge new CSRF security issue (CVE-2017-7178)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Reported: 2017-03-14 11:15 CET by David Walser
Modified: 2017-06-07 12:24 CEST (History)
4 users (show)

See Also:
Source RPM: deluge-1.3.13-1.mga6.src.rpm
Status comment:


Description David Walser 2017-03-14 11:15:18 CET
Fedora has issued an advisory today (March 14):

The issue is fixed upstream in 1.3.14.  Mageia 5 is also affected.
Comment 1 Atilla ÖNTAŞ 2017-03-14 18:34:03 CET
Thank you very much David. I have committed deluge-1.3.14 to svn and asked for freeze push for Cauldron.

I have updated deluge in Mageia 5 with the security fix included. Package is deluge-1.3.11-1.1.mga5 in core/updates_testing repository.

Suggested advisory:
Updated deluge package fixes a CSRF (Cross-site request forgery) vulnerability using upstream patch. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.[*]

[*] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)


Updated packages in core/updates_testing:

Comment 2 Lewis Smith 2017-03-20 10:18:33 CET
Testing M5_64 deluge-1.3.11-1.1.mga5
Deluge was already installed; it updated cleanly.

Running it to download our XFCE Live 64-bit from 

Will leave it going a long time to see what happens. It is downloading OK, but not seeding. The various information tabs show nothing!
Comment 3 Lewis Smith 2017-03-20 22:28:51 CET
Testing M5_6' continued from previous comment.

Deluge after completing the download in one long session, no getting chunks from here & there. The end result .iso was indentical to the latest testing sta2 one. Then it sat there all day in 'seeding' mode, but with no activity. In the absence of anything obviously wrong, OKing this update.
Comment 4 claire robinson 2017-03-21 08:43:09 CET
You're likely just missing some open ports or routing Lewis. Perhaps uPnP.
Comment 5 Dave Hodgins 2017-03-31 06:43:08 CEST
Validating the update
Comment 6 Mageia Robot 2017-03-31 08:15:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

Comment 7 David Walser 2017-06-07 12:24:41 CEST
This is CVE-2017-7178, according to openSUSE:

Note You need to log in before you can comment on or make changes to this bug.