Bugzilla – Bug 1039815
VUL-0: CVE-2017-9031: deluge: webUI: directory traversal vulnerability
Last modified: 2017-06-06 22:40:06 UTC
Ref: http://seclists.org/oss-sec/2017/q2/296 ============================================= CVE-2017-9031 was assigned for the following directory traversal issue in Deluge's WebUI: http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15 Quoting upstream announce: Highly recommended to upgrade to this release as it contains a directory traversal security fix that once again has the real potential to compromise your machine. The related commit is: http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd which gives more information about the issue: [WebUI] Check render template files exist and raise 404 if not - Check render/* requests match to .html files in the 'render' dir - Protects against directory (path) traversal Additional reference: https://bugs.debian.org/862611 ============================================= Hyperlink [1] http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15 [2] https://security-tracker.debian.org/tracker/CVE-2017-9031 [3] https://bugs.debian.org/862611 [4] http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd (open-)SUSE: https://software.opensuse.org/package/deluge 1.3.13 (42.2, official repo) 1.3.14 (42.3, TW, official repo)
openSUSE only. Assign to maintainer.
This is an autogenerated message for OBS integration: This bug (1039815) was mentioned in https://build.opensuse.org/request/show/496786 42.2 / deluge
update running
done
openSUSE-SU-2017:1497-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1039815,1039958 CVE References: CVE-2017-7178,CVE-2017-9031 Sources used: openSUSE Leap 42.2 (src): deluge-1.3.15-3.3.1