A vulnerability has been discovered in net-p2p/transmission-daemon. https://github.com/transmission/transmission/pull/468 There are a few activities required for this: 1. Get initial VuXML vulnerability added to alert users 2. Get patch into ports tree that fixes this issue 3. Update VuXML vulnerability with further details once discovered (e.g. once CVE is assigned and new version of transmission is released encompassing the fix).
A commit references this bug: Author: woodsb02 Date: Sun Jan 14 02:19:47 UTC 2018 New revision: 458952 URL: https://svnweb.freebsd.org/changeset/ports/458952 Log: Document DNS rebinding vulnerabilities in net-p2p/transmission-daemon PR: 225150 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html Changes: head/security/vuxml/vuln.xml
Created attachment 189696 [details] Patch to fix transmission-daemon DNS rebinding vulnerability This patch is taken from here and adapted to work with FreeBSD ports system: https://github.com/transmission/transmission/pull/468#issuecomment-357098126 One thing that is not included with this patch, is bumping the PORTREVISION of all affected transmission components. At a minimum, this would be net-p2p/transmission-daemon, but could include others given a number of the transmission ports are SLAVE PORTS of net-p2p/transmission-cli and use the same DISTFILE.
(In reply to Ben Woods from comment #2) Thanks a lot! If you've got it open, yes please commit. You'll only need to bump -daemon as that's the only one with the issue.
A commit references this bug: Author: woodsb02 Date: Sun Jan 14 22:35:00 UTC 2018 New revision: 459011 URL: https://svnweb.freebsd.org/changeset/ports/459011 Log: net-p2p/transmission-daemon: Mitigate DNS rebinding attack Incorporate upstream pull request 468, proposed by Tavis Ormandy from Google Project Zero, which mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security. PR: 225150 Submitted by: Tavis Ormandy Approved by: crees (maintainer) Obtained from: https://github.com/transmission/transmission/pull/468#issuecomment-357098126 MFH: 2018Q1 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html Changes: head/net-p2p/transmission-cli/files/patch-fix_dns_rebinding_vuln head/net-p2p/transmission-daemon/Makefile
A commit references this bug: Author: woodsb02 Date: Sun Jan 14 23:29:04 UTC 2018 New revision: 459013 URL: https://svnweb.freebsd.org/changeset/ports/459013 Log: Add note to UPDATING for net-p2p/transmission-daemon explaining how to allow client access with the new DNS rebinding mitigations. PR: 225150 MFH: 2018Q1 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html Changes: head/UPDATING
Committed to ports head. Awaiting ports-secteam approval to merge to 2018Q1.
A commit references this bug: Author: woodsb02 Date: Sat Jan 20 01:20:20 UTC 2018 New revision: 459492 URL: https://svnweb.freebsd.org/changeset/ports/459492 Log: net-p2p/transmission-daemon: Improve UPDATING entry and add pkg-message This will ensure users who do not read UPDATING are still presented with the message about how to allow clients to connect to the daemon using DNS when they upgrade the package. PR: 225150 Reported by: swills Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html Changes: head/UPDATING head/net-p2p/transmission-daemon/Makefile head/net-p2p/transmission-daemon/pkg-message
A commit references this bug: Author: woodsb02 Date: Sat Jan 20 01:28:57 UTC 2018 New revision: 459493 URL: https://svnweb.freebsd.org/changeset/ports/459493 Log: MFH: r459011 r459013 r459492 net-p2p/transmission-daemon: Mitigate DNS rebinding attack Incorporate upstream pull request 468, proposed by Tavis Ormandy from Google Project Zero, which mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security. PR: 225150 Submitted by: Tavis Ormandy Approved by: crees (maintainer) Obtained from: https://github.com/transmission/transmission/pull/468#issuecomment-357098126 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html Add note to UPDATING for net-p2p/transmission-daemon explaining how to allow client access with the new DNS rebinding mitigations. PR: 225150 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html net-p2p/transmission-daemon: Improve UPDATING entry and add pkg-message This will ensure users who do not read UPDATING are still presented with the message about how to allow clients to connect to the daemon using DNS when they upgrade the package. PR: 225150 Reported by: swills Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html Approved by: ports-secteam (swills) Changes: _U branches/2018Q1/ branches/2018Q1/UPDATING branches/2018Q1/net-p2p/transmission-cli/files/patch-fix_dns_rebinding_vuln branches/2018Q1/net-p2p/transmission-daemon/Makefile branches/2018Q1/net-p2p/transmission-daemon/pkg-message
This has now been merged to 2018Q1 now also. Thanks crees for your fast approval, and to swills for a heads up about using pkg-message to notify pkg users.