Bug 225915 - net-p2p/transmission 2.92 vulnerable to CVE-2018-5702
Summary: net-p2p/transmission 2.92 vulnerable to CVE-2018-5702
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Chris Rees
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-15 12:51 UTC by sara.and.zuka+freebsd
Modified: 2018-02-28 21:11 UTC (History)
2 users (show)

See Also:
crees: maintainer-feedback+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description sara.and.zuka+freebsd 2018-02-15 12:51:30 UTC
https://www.cvedetails.com/cve/CVE-2018-5702/

The exploit is patched in 2.93, and by a patch by Tavis Ormandy here:  https://github.com/transmission/transmission/pull/468
Comment 1 Rob 2018-02-28 13:51:52 UTC
Lots of trackers are banning this version of transmission, please update to latest version.
Comment 2 commit-hook freebsd_committer 2018-02-28 21:09:53 UTC
A commit references this bug:

Author: crees
Date: Wed Feb 28 21:09:37 UTC 2018
New revision: 463262
URL: https://svnweb.freebsd.org/changeset/ports/463262

Log:
  net-p2p/transmission-cli: Update to 2.93

   - Includes DNS rebinding fix
   - Fixes OpenSSL 1.1 compat

  Note that the previous version was no longer vulnerable as FreeBSD had
  patches, but this reports the correct version to trackers as some were
  banned.

  PR:		ports/225917
  PR:		ports/225915

Changes:
  head/net-p2p/transmission/Makefile
  head/net-p2p/transmission-cli/Makefile
  head/net-p2p/transmission-cli/distinfo
  head/net-p2p/transmission-cli/files/patch-fix_dns_rebinding_vuln
  head/net-p2p/transmission-daemon/Makefile
  head/net-p2p/transmission-gtk/Makefile
  head/net-p2p/transmission-qt4/Makefile
  head/net-p2p/transmission-qt5/Makefile
  head/www/transmission-web/Makefile
Comment 3 Chris Rees freebsd_committer 2018-02-28 21:11:37 UTC
Committed.

Bernard, sorry I forgot to credit you; I had actually done this work myself and was testing, but you still deserve credit.  I'll follow up to the commit email.