svn commit: r459492 - in head: . net-p2p/transmission-daemon

Ben Woods woodsb02 at FreeBSD.org
Sat Jan 20 01:20:21 UTC 2018 

Author: woodsb02
Date: Sat Jan 20 01:20:19 2018
New Revision: 459492
URL: https://svnweb.freebsd.org/changeset/ports/459492

Log:
  net-p2p/transmission-daemon: Improve UPDATING entry and add pkg-message
  
  This will ensure users who do not read UPDATING are still presented with
  the message about how to allow clients to connect to the daemon using
  DNS when they upgrade the package.
  
  PR:		225150
  Reported by:	swills
  Security:	https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

Added:
  head/net-p2p/transmission-daemon/pkg-message   (contents, props changed)
Modified:
  head/UPDATING
  head/net-p2p/transmission-daemon/Makefile

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Sat Jan 20 00:51:39 2018	(r459491)
+++ head/UPDATING	Sat Jan 20 01:20:19 2018	(r459492)
@@ -19,17 +19,24 @@ you update your ports collection, before attempting an
   AUTHOR: woodsb02 at FreeBSD.org
 
   The transmission-daemon port has been updated to 2.92_4 to incorporate
-  a patch which mitigates DNS rebinding attacks. This will prevent users
-  from being able to connect to the transmission daemon (via the CLI,
-  web or GUI interfaces) unless one of the following is done:
+  a patch which mitigates DNS rebinding attacks. This will prevent
+  clients from being able to connect to the transmission daemon using
+  DNS with any hostname other than localhost, unless one of the
+  following is done:
     - Enable password authentication, then any hostname is allowed.
-      This can be achieved by add either editing settings.json to set
-      rpc-authentication-required, rpc-username and rpc-password or by
-      running transmission-daemon with the following arguments (can be
-      set with transmission_flags in /etc/rc.conf):
-      -t -u USERNAME -v PASSWORD
+      This can be achieved by either:
+        - setting rpc-authentication-required to true, and adding
+          credentials to the rpc-username and rpc-password fields in
+          settings.json (must be done whilst the transmission service is
+          stopped); or
+        - running transmission-daemon with the following arguments
+          (these can be set with transmission_flags in /etc/rc.conf):
+          -t -u USERNAME -v PASSWORD
     OR
-    - Add the allowed client hostnames to the rpc-host-whitelist setting
+    - Add the allowed server hostnames to the rpc-host-whitelist setting
+      in settings.json (must be done whilst the transmission service is
+      stopped). Note that this value is NOT a list of allowed CLIENTS,
+      but instead a list of allowed SERVER hostnames.
 
 20180111
   AFFECTS: users of editors/vim-lite

Modified: head/net-p2p/transmission-daemon/Makefile
==============================================================================
--- head/net-p2p/transmission-daemon/Makefile	Sat Jan 20 00:51:39 2018	(r459491)
+++ head/net-p2p/transmission-daemon/Makefile	Sat Jan 20 01:20:19 2018	(r459492)
@@ -12,6 +12,7 @@ DESCR=		${.CURDIR}/pkg-descr
 MASTERDIR=	${.CURDIR}/../transmission-cli
 PLIST=		${.CURDIR}/pkg-plist
 SLAVEPORT=	daemon
+PKGMESSAGE=	${.CURDIR}/pkg-message
 
 USE_RC_SUBR=	transmission
 USERS=		transmission

Added: head/net-p2p/transmission-daemon/pkg-message
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net-p2p/transmission-daemon/pkg-message	Sat Jan 20 01:20:19 2018	(r459492)
@@ -0,0 +1,18 @@
+------------------------------------------------------------------------
+To allow clients to connect to the transmission daemon using DNS with
+any hostname other than localhost, do one of the following:
+  - Enable password authentication, then any hostname is allowed.
+    This can be achieved by either:
+      - setting rpc-authentication-required to true, and adding
+        credentials to the rpc-username and rpc-password fields in
+        settings.json (must be done whilst the transmission service is
+        stopped); or
+      - running transmission-daemon with the following arguments
+        (these can be set with transmission_flags in /etc/rc.conf):
+        -t -u USERNAME -v PASSWORD
+  OR
+  - Add the allowed server hostnames to the rpc-host-whitelist setting
+    in settings.json (must be done whilst the transmission service is
+    stopped). Note that this value is NOT a list of allowed CLIENTS,
+    but instead a list of allowed SERVER hostnames.
+------------------------------------------------------------------------

More information about the svn-ports-head mailing list