net-p2p/transmission-daemon vulnerability
Chris Rees
crees at bayofrum.net
Thu Jan 11 21:40:07 UTC 2018
Please excuse the earlier blank mail- Android Gmail being moronic again :(
Hello all,
I've just been alerted to an issue with transmission, but only the daemon.
Basically, you can fool it into believing that a remote host is localhost, and can therefore break in to it.
This is an issue if all of the following are true:
Port 9091 is accessible from the Internet (or you don't trust your LAN)
You have no password set
You rely on host authentication for security
Unless I'm misunderstanding the issue, you can resolve it by setting a password. There is a patch at [1] that fixes this, but annoyingly they have messed with whitespace since 2.92, and the patch doesn't apply. I expect a release very soon incorporating this fix anyway. It also appears to break on all but Mac OS.
tl;dr set a password for transmission-daemon
Chris
[1] https://github.com/transmission/transmission/pull/468
On 11 January 2018 21:15:26 GMT+00:00, "Janky Jay, III" <jankyj at unfs.us> wrote:
>Uhh... Chris? :)
>
>On 01/11/2018 02:08 PM, Chris Rees wrote:
>> _______________________________________________
>> freebsd-ports at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>> To unsubscribe, send any mail to
>"freebsd-ports-unsubscribe at freebsd.org"
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the freebsd-ports
mailing list