Fedora has issued an advisory today (May 20): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OVAG2HNKNRLWOACFN5F2ANJD2SQ53WI7/ The issue is fixed upstream in 3.00. Fedora backported a patch to 2.94: https://src.fedoraproject.org/rpms/transmission/c/ec98cd4071cee2c6e984387f0066f2f8c73f7bd1?branch=master Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOStatus comment: (none) => Patch available from Fedora
Done for both Cauldron and mga7!
Advisory: ======================== Updated transmission packages fix security vulnerability: Use-after-free in libtransmission/variant.c in Transmission before 3.00 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted torrent file (CVE-2018-10756). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10756 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OVAG2HNKNRLWOACFN5F2ANJD2SQ53WI7/ ======================== Updated packages in core/updates_testing: ======================== transmission-common-2.94-4.1.mga7 transmission-cli-2.94-4.1.mga7 transmission-gtk3-2.94-4.1.mga7 transmission-qt5-2.94-4.1.mga7 transmission-daemon-2.94-4.1.mga7 from transmission-2.94-4.1.mga7.src.rpm
Status comment: Patch available from Fedora => (none)Assignee: geiger.david68210 => qa-bugsVersion: Cauldron => 7CC: (none) => geiger.david68210Whiteboard: MGA7TOO => (none)
CheeseEBoi reports that the update worked for him on mageia 7 x64: <CheeseEBoi> rindolf: hey so I'm trying to see about doing some QA for the rcent transmission updates but I don't have access to the whiteboard of the bug. Am I missing something here? <rindolf> CheeseEBoi: hi <rindolf> CheeseEBoi: it may require bugzilla privileges <CheeseEBoi> rindolf: yeah that's what I thought <CheeseEBoi> rindolf: but it is still a requirement for graduation, so how do I get them? <rindolf> CheeseEBoi: we can do it for you <CheeseEBoi> rindolf: oh okay. So what should I do for that? To give some info, the update installed correctly and I did a test torrent and everything seemed fine. <rindolf> CheeseEBoi: ah <rindolf> CheeseEBoi: what is the bug url? <CheeseEBoi> rindolf: https://bugs.mageia.org/show_bug.cgi?id=26656 <CheeseEBoi> rindolf: I can comment all that info too, I guess <CheeseEBoi> rindolf: but I cannot add MGA7-64-OK to the whiteboard
CC: (none) => shlomifWhiteboard: (none) => MGA7-64-OK
CC: (none) => CheeseEBoi
Validating. Advisory in Comment 2. CheesEBoi, we'll see if we can get you those editing privileges. QA needs all the help we can get!
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Editing privileges granted for Elliot. Thanks for helping out.
CC: (none) => davidwhodgins
Thank you both!
CC: (none) => mageiaKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0235.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED