ALT-BU-2017-3388-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2017-7178
CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.
- http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.14
- http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583
- http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
- http://seclists.org/fulldisclosure/2017/Mar/6
- DSA-3856
- 97041
- https://bugs.debian.org/857903
- GLSA-201703-06
Modified: 2024-11-21
CVE-2017-9031
The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file.
- http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15
- http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd
- DSA-3856
- 99099
- https://bugs.debian.org/862611
Closed vulnerabilities
BDU:2017-02409
Vulnerability in the decode_digit function (puny_decode.c) of the Libidn2 library, allowing an attacker to cause a denial of service or have other impact
BDU:2017-02410
Vulnerability in the _isBidi function (bidi.c) of the Libidn2 library, allowing an attacker to cause a denial of service or have other impact
Modified: 2024-11-21
CVE-2017-14061
Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
Modified: 2024-11-21
CVE-2017-14062
Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
- DSA-3988
- https://gitlab.com/libidn/libidn2/blob/master/NEWS
- https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
- [debian-lts-announce] 20180727 [SECURITY] [DLA 1447-1] libidn security update