Ubuntu Security Notice USN-885-1
18th January, 2010
transmission vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 9.10
- Ubuntu 9.04
- Ubuntu 8.10
- Ubuntu 8.04 LTS
Software description
- transmission
Details
It was discovered that the Transmission web interface was vulnerable to
cross-site request forgery (CSRF) attacks. If a user were tricked into
opening a specially crafted web page in a browser while Transmission was
running, an attacker could trigger commands in Transmission. This issue
affected Ubuntu 9.04. (CVE-2009-1757)
Dan Rosenberg discovered that Transmission did not properly perform input
validation when processing torrent files. If a user were tricked into
opening a crafted torrent file, an attacker could overwrite files via
directory traversal. (CVE-2010-0012)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 9.10:
- transmission-gtk 1.75-0ubuntu2.2
- transmission-cli 1.75-0ubuntu2.2
- transmission-qt 1.75-0ubuntu2.2
- Ubuntu 9.04:
- transmission-gtk 1.51-0ubuntu3.1
- transmission-cli 1.51-0ubuntu3.1
- Ubuntu 8.10:
- transmission-gtk 1.34-0ubuntu2.3
- transmission-cli 1.34-0ubuntu2.3
- Ubuntu 8.04 LTS:
- transmission-gtk 1.06-0ubuntu6.1
- transmission-cli 1.06-0ubuntu6.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system upgrade you need to restart Transmission to effect
the necessary changes.