Bug 574527 - (CVE-2010-0748, CVE-2010-0749) CVE-2010-0748 CVE-2010-0749 Transmission: Two security fixes in upstream v1.92 version
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://trac.transmissionbt.com/wiki/C...
Whiteboard: impact=low,source=gentoo,reported=201...
Keywords: Security
Reported: 2010-03-17 14:09 EDT by Jan Lieskovsky
Modified: 2010-04-02 06:18 EDT

Doc Type: Bug Fix
Last Closed: 2010-03-22 15:27:08 EDT
Description Jan Lieskovsky 2010-03-17 14:09:10 EDT
Transmission upstream has recently released its latest
version, v1.92:
  [1] http://trac.transmissionbt.com/wiki/Changes

addressing two security issues:
  A, Fix potential buffer overflow when adding
     maliciously-crafted magnet links 
  References:
    [2] http://trac.transmissionbt.com/ticket/2965
    [3] http://trac.transmissionbt.com/wiki/Changes
    [4] http://bugs.gentoo.org/show_bug.cgi?id=309831

  Upstream patch:
    [5] http://trac.transmissionbt.com/changeset/10279

  B, Fix possible data corruption issue caused by data
     sent by bad peers during endgame
  References:
    [6] http://trac.transmissionbt.com/ticket/1242
    [7] http://trac.transmissionbt.com/ticket/1242#comment:1
    [8] http://trac.transmissionbt.com/wiki/Changes

  Upstream patch:
    [9] http://trac.transmissionbt.com/changeset/10325

CVE Request:
  [10] http://www.openwall.com/lists/oss-security/2010/03/17/12
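As an added illustration of issue A, and not Transmission's own code (the actual upstream fix is in changeset 10279, referenced above), the C program below parses the btih info-hash out of a magnet link with every byte bounds-checked, so an over-long or malformed hash is rejected rather than copied past the end of a fixed-size buffer. The function name `parse_magnet_btih`, the status codes, the restriction to the 40-hex-character hash form, and the sample links are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not Transmission's code.  It shows the bounds checking that
 * prevents the class of bug described as issue A: copying the "xt=" value of
 * a magnet link into a fixed-size buffer without first checking its length.
 * For simplicity only the 40-hex-character form of the btih hash is accepted. */

#define BTIH_HEX_LEN 40   /* SHA-1 info-hash as 40 hex characters */

enum magnet_status {
    MAGNET_OK = 0,
    MAGNET_ERR_SCHEME,   /* not a magnet: URI */
    MAGNET_ERR_NO_XT,    /* no xt=urn:btih: parameter */
    MAGNET_ERR_BAD_HASH  /* hash has wrong length or non-hex characters */
};

/* Extracts the btih hash from uri into out (out_len must be at least
 * BTIH_HEX_LEN + 1).  The copy loop stops at BTIH_HEX_LEN and at the
 * parameter separator, so the caller's buffer can never be overrun. */
int parse_magnet_btih(const char *uri, char *out, size_t out_len)
{
    const char *prefix = "xt=urn:btih:";
    size_t prefix_len = strlen(prefix);
    const char *p;
    size_t i;

    if (out_len < BTIH_HEX_LEN + 1)
        return MAGNET_ERR_BAD_HASH;
    out[0] = '\0';

    if (strncmp(uri, "magnet:?", 8) != 0)
        return MAGNET_ERR_SCHEME;

    /* Look for xt= only at the start of a query parameter, so a value such
     * as "dn=xt=urn:btih:..." is not mistaken for the real hash. */
    p = uri + 8;
    for (;;) {
        if (strncmp(p, prefix, prefix_len) == 0)
            break;
        p = strchr(p, '&');
        if (p == NULL)
            return MAGNET_ERR_NO_XT;
        p++;
    }
    p += prefix_len;

    /* Copy at most BTIH_HEX_LEN hex digits; anything longer is an error,
     * not a truncation, because a truncated hash is a different torrent. */
    for (i = 0; p[i] != '\0' && p[i] != '&'; i++) {
        if (i == BTIH_HEX_LEN || !isxdigit((unsigned char)p[i])) {
            out[0] = '\0';
            return MAGNET_ERR_BAD_HASH;
        }
        out[i] = (char)tolower((unsigned char)p[i]);
    }
    if (i != BTIH_HEX_LEN) {
        out[0] = '\0';
        return MAGNET_ERR_BAD_HASH;
    }
    out[i] = '\0';
    return MAGNET_OK;
}

int main(void)
{
    char hash[BTIH_HEX_LEN + 1];
    /* Constructed sample links; the hashes do not belong to any real torrent. */
    const char *good =
        "magnet:?xt=urn:btih:0123456789abcdef0123456789ABCDEF01234567&dn=example";
    const char *oversized =
        "magnet:?dn=x&xt=urn:btih:0123456789abcdef0123456789abcdef"
        "0123456789abcdef0123456789abcdef";

    printf("%d %s\n", parse_magnet_btih(good, hash, sizeof hash), hash);
    printf("%d\n", parse_magnet_btih(oversized, hash, sizeof hash));
    return 0;
}
```

The design point is that the length check happens before each byte is written, and that an over-long hash is reported as an error rather than silently cut to fit: a truncated hash would still be "valid" to the rest of the program but would identify a different torrent.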
Comment 1 Jan Lieskovsky 2010-03-17 14:15:58 EDT
These issues do NOT affect the current versions
of the transmission package, as shipped with Fedora
releases 11 and 12 (both issues have already been
addressed in transmission-1.92-1.fc12 and
transmission-1.92-1.fc11).

Issue A does NOT affect the version of the transmission
package shipped in the EPEL5 repository (transmission-1.34
does NOT provide magnet link functionality / support yet).

Issue B affects the version of the transmission package
shipped in the EPEL5 repository (transmission-1.34-1.el5).
Though not completely sure this is a security issue (see [10]
for further details), I filed this BZ so as not to omit a
potential security flaw.

Please fix.
Comment 2 Rahul Sundaram 2010-03-18 10:04:48 EDT
I don't maintain the EPEL branches. I am not sure anybody is.  Fedora branches have already been updated. Should I close this?
Comment 3 Josh Bressers 2010-03-22 15:27:08 EDT
I'm closing this, the EPEL branch doesn't seem to be well maintained, we don't plan on chasing it.
Comment 4 Jan Lieskovsky 2010-04-02 06:17:53 EDT
The CVE identifier of CVE-2010-0748 has been assigned for:
  [1] http://trac.transmissionbt.com/ticket/2965

Transmission issue.

The CVE identifier of CVE-2010-0749 has been assigned for:
  [2] http://trac.transmissionbt.com/ticket/1242
  [3] http://trac.transmissionbt.com/ticket/1242#comment:1

Transmission issue.
