[SECURITY] [DLA 1246-1] transmission security update

2018-01-1822:51:45

lists.debian.org

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.017

Percentile

87.7%

JSON

Package : transmission
Version : 2.52-3+nmu3
CVE ID : CVE-2018-5702
Debian Bug : 886990

Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent
client; insecure RPC handling between the Transmission daemon and the
client interface(s) may result in the execution of arbitrary code if a
user visits a malicious website while Transmission is running.

For Debian 7 "Wheezy", these problems have been fixed in version
2.52-3+nmu3.

We recommend that you upgrade your transmission packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8mipstransmission-dbg< 2.84-0.2+deb8u1transmission-dbg_2.84-0.2+deb8u1_mips.deb
Debian9i386transmission-qt< 2.92-2+deb9u1transmission-qt_2.92-2+deb9u1_i386.deb
Debian8powerpctransmission-gtk< 2.84-0.2+deb8u1transmission-gtk_2.84-0.2+deb8u1_powerpc.deb
Debian9arm64transmission-qt< 2.92-2+deb9u1transmission-qt_2.92-2+deb9u1_arm64.deb
Debian7i386transmission-dbg< 2.52-3+nmu3transmission-dbg_2.52-3+nmu3_i386.deb
Debian8armeltransmission-qt< 2.84-0.2+deb8u1transmission-qt_2.84-0.2+deb8u1_armel.deb
Debian9alltransmission-common< 2.92-2+deb9u1transmission-common_2.92-2+deb9u1_all.deb
Debian8arm64transmission-daemon< 2.84-0.2+deb8u1transmission-daemon_2.84-0.2+deb8u1_arm64.deb
Debian9s390xtransmission-qt-dbgsym< 2.92-2+deb9u1transmission-qt-dbgsym_2.92-2+deb9u1_s390x.deb
Debian9amd64transmission-daemon-dbgsym< 2.92-2+deb9u1transmission-daemon-dbgsym_2.92-2+deb9u1_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	mips	transmission-dbg	< 2.84-0.2+deb8u1	transmission-dbg_2.84-0.2+deb8u1_mips.deb
Debian	9	i386	transmission-qt	< 2.92-2+deb9u1	transmission-qt_2.92-2+deb9u1_i386.deb
Debian	8	powerpc	transmission-gtk	< 2.84-0.2+deb8u1	transmission-gtk_2.84-0.2+deb8u1_powerpc.deb
Debian	9	arm64	transmission-qt	< 2.92-2+deb9u1	transmission-qt_2.92-2+deb9u1_arm64.deb
Debian	7	i386	transmission-dbg	< 2.52-3+nmu3	transmission-dbg_2.52-3+nmu3_i386.deb
Debian	8	armel	transmission-qt	< 2.84-0.2+deb8u1	transmission-qt_2.84-0.2+deb8u1_armel.deb
Debian	9	all	transmission-common	< 2.92-2+deb9u1	transmission-common_2.92-2+deb9u1_all.deb
Debian	8	arm64	transmission-daemon	< 2.84-0.2+deb8u1	transmission-daemon_2.84-0.2+deb8u1_arm64.deb
Debian	9	s390x	transmission-qt-dbgsym	< 2.92-2+deb9u1	transmission-qt-dbgsym_2.92-2+deb9u1_s390x.deb
Debian	9	amd64	transmission-daemon-dbgsym	< 2.92-2+deb9u1	transmission-daemon-dbgsym_2.92-2+deb9u1_amd64.deb