Bug 20475 - deluge new CSRF security issue (CVE-2017-7178)
Summary: deluge new CSRF security issue (CVE-2017-7178)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-14 11:15 CET by David Walser
Modified: 2017-06-07 12:24 CEST
CC List: 4 users

See Also:
Source RPM: deluge-1.3.13-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-03-14 11:15:18 CET
Fedora has issued an advisory today (March 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/65E4GRWYHCRFDLFYJYSZJKVYDBZUHVFN/

The issue is fixed upstream in 1.3.14. Mageia 5 is also affected.
David Walser 2017-03-14 11:16:14 CET

Whiteboard: (none) => MGA5TOO

Marja Van Waes 2017-03-14 12:31:13 CET

CC: (none) => marja11
Assignee: bugsquad => tarakbumba

Comment 1 Atilla ÖNTAŞ 2017-03-14 18:34:03 CET
Thank you very much David. I have committed deluge-1.3.14 to svn and asked for freeze push for Cauldron.

I have updated deluge in Mageia 5 with the security fix included. Package is deluge-1.3.11-1.1.mga5 in core/updates_testing repository.

Suggested advisory:
========================
Updated deluge package fixes a CSRF (Cross-site request forgery) vulnerability using the upstream patch. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.[*]

[*] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

========================

Updated packages in core/updates_testing:
========================
deluge-1.3.11-1.1.mga5

SRPMS:
========================
deluge-1.3.11-1.1.mga5.src.rpm

Assignee: tarakbumba => qa-bugs

Dave Hodgins 2017-03-16 20:31:35 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5TOO => MGA5TOO advisory

David Walser 2017-03-19 21:53:50 CET

Version: Cauldron => 5
Whiteboard: MGA5TOO advisory => advisory

Comment 2 Lewis Smith 2017-03-20 10:18:33 CET
Testing M5_64 deluge-1.3.11-1.1.mga5
Deluge was already installed; it updated cleanly.

Running it to download our XFCE Live 64-bit from 
http://srv4.tuxinator.org/mageia/iso/cauldron/torrents/Mageia-6-sta2-LiveDVD-xfce4-x86_64-DVD.torrent

Will leave it going a long time to see what happens. It is downloading OK, but not seeding. The various information tabs show nothing!

CC: (none) => lewyssmith

Comment 3 Lewis Smith 2017-03-20 22:28:51 CET
Testing M5_64 continued from previous comment.

Deluge completed the download in one long session, with no getting chunks from here & there. The end result .iso was identical to the latest testing sta2 one. Then it sat there all day in 'seeding' mode, but with no activity. In the absence of anything obviously wrong, OKing this update.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 4 claire robinson 2017-03-21 08:43:09 CET
You're likely just missing some open ports or routing Lewis. Perhaps UPnP.
Comment 5 Dave Hodgins 2017-03-31 06:43:08 CEST
Validating the update

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-03-31 08:15:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0095.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2017-06-07 12:24:41 CEST
This is CVE-2017-7178, according to openSUSE:
https://lists.opensuse.org/opensuse-updates/2017-06/msg00014.html

Summary: deluge new CSRF security issue => deluge new CSRF security issue (CVE-2017-7178)
