Bug 20475 - deluge new CSRF security issue
: deluge new CSRF security issue
Status: NEW
Product: Mageia
Classification: Unclassified
Component: Security
: 5
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
:
: advisory MGA5-64-OK
:
:
:
  Show dependency treegraph
 
Reported: 2017-03-14 11:15 CET by David Walser
Modified: 2017-03-21 08:43 CET (History)
3 users (show)

See Also:
Source RPM: deluge-1.3.13-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-03-14 11:15:18 CET
Fedora has issued an advisory today (March 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/65E4GRWYHCRFDLFYJYSZJKVYDBZUHVFN/

The issue is fixed upstream in 1.3.14.  Mageia 5 is also affected.
Comment 1 Atilla ÖNTAŞ 2017-03-14 18:34:03 CET
Thank you very much David. I have committed deluge-1.3.14 to svn and asked for freeze push for Cauldron.

I have updated deluge in Mageia 5 with the security fix included. Package is deluge-1.3.11-1.1.mga5 in core/updates_testing repository.

Suggested advisory:
========================
Updated deluge package fixes a CSRF (Cross-site request forgery) vulnerability using upstream patch. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.[*]

[*] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

========================

Updated packages in core/updates_testing:
========================
deluge-1.3.11-1.1.mga5

SRPMS:
========================
deluge-1.3.11-1.1.mga5.src.rpm
Comment 2 Lewis Smith 2017-03-20 10:18:33 CET
Testing M5_64 deluge-1.3.11-1.1.mga5
Deluge was already installed; it updated cleanly.

Running it to download our XFCE Live 64-bit from 
http://srv4.tuxinator.org/mageia/iso/cauldron/torrents/Mageia-6-sta2-LiveDVD-xfce4-x86_64-DVD.torrent

Will leave it going a long time to see what happens. It is downloading OK, but not seeding. The various information tabs show nothing!
Comment 3 Lewis Smith 2017-03-20 22:28:51 CET
Testing M5_6' continued from previous comment.

Deluge after completing the download in one long session, no getting chunks from here & there. The end result .iso was indentical to the latest testing sta2 one. Then it sat there all day in 'seeding' mode, but with no activity. In the absence of anything obviously wrong, OKing this update.
Comment 4 claire robinson 2017-03-21 08:43:09 CET
You're likely just missing some open ports or routing Lewis. Perhaps uPnP.

Note You need to log in before you can comment on or make changes to this bug.