Articles / Ubuntu: New Transmission pa…

Ubuntu: New Transmission packages fix vulnerabilities

It was discovered that the Transmission web interface was vulnerable to cross-site request forgery (CSRF) attacks. If a user were tricked into opening a specially crafted web page in a browser while Transmission was running, an attacker could trigger commands in Transmission. Dan Rosenberg discovered that Transmission did not properly perform input validation when processing torrent files. If a user were tricked into opening a crafted torrent file, an attacker could overwrite files via directory traversal. Updated packages are available from security.ubuntu.com.

===========================================================
Ubuntu Security Notice USN-885-1           January 14, 2010
transmission vulnerabilities
CVE-2009-1757, CVE-2010-0012
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
 transmission-cli                1.06-0ubuntu6.1
 transmission-gtk                1.06-0ubuntu6.1

Ubuntu 8.10:
 transmission-cli                1.34-0ubuntu2.3
 transmission-gtk                1.34-0ubuntu2.3

Ubuntu 9.04:
 transmission-cli                1.51-0ubuntu3.1
 transmission-gtk                1.51-0ubuntu3.1

Ubuntu 9.10:
 transmission-cli                1.75-0ubuntu2.2
 transmission-gtk                1.75-0ubuntu2.2
 transmission-qt                 1.75-0ubuntu2.2

After a standard system upgrade you need to restart Transmission to effect
the necessary changes.

Details follow:

It was discovered that the Transmission web interface was vulnerable to
cross-site request forgery (CSRF) attacks. If a user were tricked into
opening a specially crafted web page in a browser while Transmission was
running, an attacker could trigger commands in Transmission. This issue
affected Ubuntu 9.04. (CVE-2009-1757)

Dan Rosenberg discovered that Transmission did not properly perform input
validation when processing torrent files. If a user were tricked into
opening a crafted torrent file, an attacker could overwrite files via
directory traversal. (CVE-2010-0012)


Updated packages for Ubuntu 8.04 LTS:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.06-0ubuntu6.1.diff.gz
     Size/MD5:    11532 d00f5ae62fa91ab4ddb3cd1c26856666
   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.06-0ubuntu6.1.dsc
     Size/MD5:     1116 3b62b133deca8b2e70635f3f90aef7ac
   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.06.orig.tar.gz
     Size/MD5:  5059106 0073841635cc1e61ec725160b8a7a358

 Architecture independent packages:

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-common_1.06-0ubuntu6.1_all.deb
     Size/MD5:    14272 d94c612943dce26b75a79fade345cfe6
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission_1.06-0ubuntu6.1_all.deb
     Size/MD5:      918 61e1dc579d951a4680698706a17bd3ea

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_amd64.deb
     Size/MD5:   265288 722018b52a0420470d22628a34cd3d16
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_amd64.deb
     Size/MD5:   394298 9a6c437e1368a5af80c7374f3376f1c0

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_i386.deb
     Size/MD5:   250598 047794218f9ff6891077d2501cf30113
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_i386.deb
     Size/MD5:   361264 e9ac5569928691ca26007f4a6b6b703b

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_lpia.deb
     Size/MD5:   247834 5253a82b3394d4a69f2eb5160718fcdd
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_lpia.deb
     Size/MD5:   358348 40f4c4e498669042187b0ef9be1b863e

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_powerpc.deb
     Size/MD5:   290390 47cfd7d7950cf77f584e913247c1b54d
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_powerpc.deb
     Size/MD5:   441040 74f777dca45370cf200008f21c1bf449

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_sparc.deb
     Size/MD5:   251970 c4fb56ea87efd5136ce72d9fda54b4a0
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_sparc.deb
     Size/MD5:   363224 8f930290cda469fe08367bf7596a8534

Updated packages for Ubuntu 8.10:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.34-0ubuntu2.3.diff.gz
     Size/MD5:    17297 a339c2d7a5d13c396ce8471214f5ac88
   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.34-0ubuntu2.3.dsc
     Size/MD5:     1553 18165c72efbb3697cc103db601240411
   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.34.orig.tar.gz
     Size/MD5:  6576998 18973d58ef3e9936fc854f4e88cf4a1c

 Architecture independent packages:

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-common_1.34-0ubuntu2.3_all.deb
     Size/MD5:   143450 e73d3b5c2f7d5b4ffa8b42a31f3967cf
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission_1.34-0ubuntu2.3_all.deb
     Size/MD5:      922 a212710fd05212893e051066ee7e268c

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_amd64.deb
     Size/MD5:   338196 75da571c8e09fa448415b5ee96e88052
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_amd64.deb
     Size/MD5:   644464 5cef27ba35fda1680525296dad6de416

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_i386.deb
     Size/MD5:   314384 a7b996a4eaff1cd6ea36ee18698c7b9a
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_i386.deb
     Size/MD5:   591144 a940a8a5f787060fca4ae8c2794cc22b

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_lpia.deb
     Size/MD5:   310472 266e132eef131a23d6caa74e8dfabb81
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_lpia.deb
     Size/MD5:   582392 0b4eb7c3562acdd352587d3e78703ed2

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_powerpc.deb
     Size/MD5:   360310 0165994b599a430f7e7ae41fab25cd66
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_powerpc.deb
     Size/MD5:   704174 df350e777eaf7bdf87673fd71494a35d

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_sparc.deb
     Size/MD5:   311594 dabe39e1da4d693c7189f02d5422a04c
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_sparc.deb
     Size/MD5:   579250 f142cd566f075a71e693668b48c8f711

Updated packages for Ubuntu 9.04:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.51-0ubuntu3.1.diff.gz
     Size/MD5:    24490 0baa3ef499573c1e89cce6d6cb848328
   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.51-0ubuntu3.1.dsc
     Size/MD5:     1598 f693615ed24d4f4e5b8886325e0d123d
   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.51.orig.tar.gz
     Size/MD5:  5957327 3ab369ba9027e19ffdd1de66df05ba4f

 Architecture independent packages:

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-common_1.51-0ubuntu3.1_all.deb
     Size/MD5:   145980 fe4b2f64b5f286ab5d39d7ab73d5b98f
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission_1.51-0ubuntu3.1_all.deb
     Size/MD5:      920 953f2d2201648c1fa094a90115cf415b

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_amd64.deb
     Size/MD5:   357900 3514ead45152bbf76036903e47be0a1c
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_amd64.deb
     Size/MD5:   476168 6d3680a980ee1b592980b0b10722ef3b
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_amd64.deb
     Size/MD5:   232404 5a1338bed463c1a78fdc53ec931dbc1c

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_i386.deb
     Size/MD5:   335040 39b83444267dda6ec1c0e8e5da8f73c6
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_i386.deb
     Size/MD5:   441532 4645ced62475f99387a19fe48b84b685
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_i386.deb
     Size/MD5:   214318 7aba6cac5ac750c6b9dff52b43b2d3cb

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_lpia.deb
     Size/MD5:   329340 ae96622495e47e51b89b4f658d5457c4
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_lpia.deb
     Size/MD5:   432932 496dfaf1f49d854295318d04b6fab554
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_lpia.deb
     Size/MD5:   210720 4844d827b922a952155584c0e77d793f

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_powerpc.deb
     Size/MD5:   380206 6888a1c04fe31018b6e2862e7166a0fd
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_powerpc.deb
     Size/MD5:   514886 533cadf1855c8a1f2a2e370e64587455
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_powerpc.deb
     Size/MD5:   250180 eec5961a7101039ad266a95079af97ca

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_sparc.deb
     Size/MD5:   331716 ea4a56b65f845af3e1f0b81aeeb1df02
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_sparc.deb
     Size/MD5:   431488 4693c3c826f95943b153b7025d09ad84
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_sparc.deb
     Size/MD5:   209510 de01528b01ebff556aec2102162586a1

Updated packages for Ubuntu 9.10:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.75-0ubuntu2.2.diff.gz
     Size/MD5:   162354 615f470d226802b77c1d711945f2e2d3
   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.75-0ubuntu2.2.dsc
     Size/MD5:     1612 1d15228514d73e475f6fd0b14d87be23
   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.75.orig.tar.gz
     Size/MD5:  6681496 c0dc27e7b2b115fc6e6fc5fc24e49091

 Architecture independent packages:

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-common_1.75-0ubuntu2.2_all.deb
     Size/MD5:   176072 8f1c73238021806cd7efc4bde1f28d46
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission_1.75-0ubuntu2.2_all.deb
     Size/MD5:      922 c3e2851cbb5fa7677f267437c49c2537

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_amd64.deb
     Size/MD5:   317704 6374651cb303bb4e5828834645c61990
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_amd64.deb
     Size/MD5:   395338 a29a8a45791d0b0a2b933bd353f662a9
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_amd64.deb
     Size/MD5:   193326 99894adc21a2b180648e35c26b84a489
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_amd64.deb
     Size/MD5:   466460 d4961ed6131494db9b8b88bb0abceb07

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_i386.deb
     Size/MD5:   296916 f1aca01266c554afcaf5326d5c794fdb
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_i386.deb
     Size/MD5:   365018 4d9d974fe9827d8ef27d23b8a8c77a79
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_i386.deb
     Size/MD5:   177554 bdbee974b9b2f0991ae50fe7ef41a272
   http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_i386.deb
     Size/MD5:   442314 a5ad4c269bab8e18a8a3d94d5fecf885

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_lpia.deb
     Size/MD5:   296494 a83907ed3f3d40d14c3cba28c1633b68
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_lpia.deb
     Size/MD5:   365946 fa65ff7adb23a470498ea8af761eddf0
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_lpia.deb
     Size/MD5:   177378 1f963b664a4698953bd3fc812222437b
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_lpia.deb
     Size/MD5:   449438 bea029d30f55d7923a9806aa142c7a62

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_powerpc.deb
     Size/MD5:   316620 2181995c3049e92b0ca1a81cd2ad27b2
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_powerpc.deb
     Size/MD5:   397630 10bc710de5c9d49445b703f91152981b
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_powerpc.deb
     Size/MD5:   192460 2fadcc159f0d3f3df08ec3845ec50f30
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_powerpc.deb
     Size/MD5:   468876 bdaf4da901683771db1a450e385fa4b8

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_sparc.deb
     Size/MD5:   293898 6892dd2c4fcd781d233604f5a0a4443c
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_sparc.deb
     Size/MD5:   358756 d94bf198cc880e78d33d5a68493376ee
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_sparc.deb
     Size/MD5:   173830 038a09f38e3a280bc70f8608013442d3
   http://ports.ubuntu.com/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_sparc.deb
     Size/MD5:   484760 5ddea92faf999e6e5d38ed803e61baba
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.