
Fedora 9: 2009-6682 Moderate: Deluge Directory Traversal Threat

fedora
June 26, 2009
This update fixes a directory traversal vulnerability in the copy of libtorrent included with Deluge for Fedora 9.

Summary

Deluge is a new BitTorrent client, created using Python and GTK+. It is intended to bring a native, full-featured client to Linux GTK+ desktop environments such as GNOME and XFCE. It supports features such as DHT (Distributed Hash Tables), PEX (µTorrent-compatible Peer Exchange), and UPnP (Universal Plug-n-Play) that allow one to more easily share BitTorrent data even from behind a router with virtually zero configuration of port-forwarding.

Update Information:

This release adds a backported upstream patch to fix a directory traversal vulnerability in the included copy of libtorrent which would allow a remote attacker to create or overwrite arbitrary files via a ".." (dot dot) and partial relative pathname in a specially-crafted torrent.
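
The check below is an added example, not code from Deluge, libtorrent, or the Fedora patch. It shows how a client can refuse torrent file entries whose path components contain ".." or embedded separators before anything is written to disk. The function names and the sample `info` dictionary are constructed for illustration, and the layout (`name`, `files[].path` as a list of components) is assumed to follow the standard BitTorrent metainfo format.

```python
import os

# Constructed sample of a decoded multi-file torrent "info" dictionary.
SAMPLE_INFO = {
    "name": "album",
    "files": [
        {"length": 10, "path": ["disc1", "track01.flac"]},
        {"length": 10, "path": ["..", "..", "outside.txt"]},
        {"length": 10, "path": ["disc1", "../../notes.txt"]},
    ],
}

def check_component(part):
    """Return a rejection reason for one path component, or None if acceptable."""
    if part in ("", ".", ".."):
        return "dot or empty component"
    if "/" in part or "\\" in part or "\x00" in part:
        return "separator or NUL inside component"
    return None

def audit_torrent_paths(info, save_dir):
    """Map each unsafe entry (tuple of components) to the reason it is refused."""
    root = os.path.realpath(save_dir)
    # Single-file torrents have no "files" list; the name alone is the path.
    entries = [f["path"] for f in info.get("files", [])] or [[]]
    rejected = {}
    for rel in entries:
        parts = (info["name"],) + tuple(rel)
        reason = next((r for r in map(check_component, parts) if r), None)
        if reason is None:
            # Resolve symlinks too: an existing link inside save_dir can
            # redirect an otherwise clean-looking path elsewhere.
            target = os.path.realpath(os.path.join(root, *parts))
            if os.path.commonpath([root, target]) != root:
                reason = "resolves outside save directory"
        if reason:
            rejected[parts] = reason
    return rejected

if __name__ == "__main__":
    for parts, why in audit_torrent_paths(SAMPLE_INFO, "/tmp/downloads").items():
        print("refused:", parts, "->", why)
```

Rejecting the whole torrent when any entry is refused is the conservative choice; silently rewriting the path hides the anomaly from the user.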

Change Log

* Thu Jun 18 2009 Peter Gordon - 0.5.9.3-2
- Revert CVS files to 0.9.5.3
- Add backported patch for the included copy of rb_libtorrent to fix CVE-2009-1760 (#505523):
  + 0.5.9.3-CVE-2009-1760.diff

* Thu Nov 13 2008 Peter Gordon - 1.0.5-1
- Update to new upstream release (1.0.5)
- Drop desktop file icon name hack (fixed upstream).
- Add setuptools runtime dependency, to fix "No module named pkg_resources" error messages.

* Tue Jun 24 2008 Peter Gordon - 0.5.9.3-1
- Update to new upstream release (0.5.9.3)

* Fri May 23 2008 Peter Gordon - 0.5.9.1-1
- Update to new upstream release (0.5.9.1)

* Fri May 2 2008 Peter Gordon - 0.5.9.0-1
- Update to new upstream release (0.5.9.0)
- Drop upstreamed default-preferences patch for disabling new version notifications:
  - default-prefs-no-release-notifications.patch

* Tue Apr 15 2008 Peter Gordon - 0.5.8.9-1
- Update to new upstream release (0.5.8.9)

* Wed Mar 26 2008 Peter Gordon - 0.5.8.7-1
- Update to new upstream release (0.5.8.7)

References


[1] Bug #505523 - CVE-2009-1760 rb_libtorrent: arbitrary file overwrite vulnerability
    https://bugzilla.redhat.com/show_bug.cgi?id=505523

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update deluge' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
important

Name: deluge
Product: Fedora 9
Version: 0.5.9.3
Release: 2.fc9
Summary: A GTK+ BitTorrent client with support for DHT, UPnP, and PEX
