PublicDateAtUSN: 2018-01-15
Candidate: CVE-2018-5702
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5702
http://www.openwall.com/lists/oss-security/2018/01/12/1
https://github.com/transmission/transmission/pull/468
https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
https://twitter.com/taviso/status/951526615145566208
https://usn.ubuntu.com/usn/usn-3533-1
Transmission through 2.92 relies on X-Transmission-Session-Id (which is not
a forbidden header for Fetch) for access control, which allows remote
attackers to execute arbitrary RPC commands, and consequently write to
arbitrary files, via POST requests to /transmission/rpc in conjunction with
a DNS rebinding attack.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886990
upstream_transmission: needs-triage
precise/esm_transmission: DNE
trusty_transmission: released (2.82-1.1ubuntu3.2)
xenial_transmission: released (2.84-3ubuntu3.1)
artful_transmission: released (2.92-2ubuntu3.1)
devel_transmission: released (2.92-3ubuntu1)