Date:      Thu, 11 Jan 2018 21:32:27 +0000
From:      Chris Rees <crees@bayofrum.net>
To:        ports@freebsd.org
Subject:   Re: net-p2p/transmission-daemon vulnerability
Message-ID:  <F41F3437-16BC-43E3-BEB4-CBC6D38C20D8@bayofrum.net>
In-Reply-To: <f5e0b95c-d22e-52ab-7750-2c4352264f46@unfs.us>
References:  <2b31077a-1450-41f4-8a2c-e44c8b9be06f@email.android.com> <f5e0b95c-d22e-52ab-7750-2c4352264f46@unfs.us>

Please excuse the earlier blank mail- Android Gmail being moronic again :(

Hello all,


I've just been alerted to an issue with transmission, but only the daemon.


Basically, you can fool it into believing that a remote host is localhost, and can therefore break in to it.


This is an issue if all of the following are true:


Port 9091 is accessible from the Internet (or you don't trust your LAN)

You have no password set

You rely on host authentication for security


Unless I'm misunderstanding the issue, you can resolve it by setting a password. There is a patch at [1] that fixes this, but annoyingly they have messed with whitespace since 2.92, and the patch doesn't apply. I expect a release very soon incorporating this fix anyway. It also appears to break on all but Mac OS.


tl;dr set a password for transmission-daemon


Chris


[1] https://github.com/transmission/transmission/pull/468




On 11 January 2018 21:15:26 GMT+00:00, "Janky Jay, III" <jankyj@unfs.us> wrote:
>Uhh... Chris? :)
>
>On 01/11/2018 02:08 PM, Chris Rees wrote:
>> _______________________________________________
>> freebsd-ports@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>> To unsubscribe, send any mail to
>"freebsd-ports-unsubscribe@freebsd.org"

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
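
The three conditions listed in the message above can be checked against a daemon's settings.json. The following is an added example, not part of the original mail or of Transmission's code; the key names are Transmission's RPC settings, while the fallback defaults and the sample configurations are assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumed fallbacks for keys absent from settings.json; verify against the
# installed version before relying on them.
DEFAULTS = {
    "rpc-enabled": True,
    "rpc-bind-address": "0.0.0.0",
    "rpc-authentication-required": False,
    "rpc-password": "",
    "rpc-whitelist-enabled": True,
}

def audit_rpc(raw_json: str) -> dict:
    """Evaluate the mail's three conditions for one settings.json document."""
    cfg = {**DEFAULTS, **json.loads(raw_json)}
    result = {"exposed": False, "no_password": False,
              "host_auth_only": False, "open_to_all": False, "affected": False}
    if not cfg["rpc-enabled"]:
        return result
    try:
        # Non-loopback bind means reachable off-host unless a firewall blocks it.
        result["exposed"] = not ipaddress.ip_address(cfg["rpc-bind-address"]).is_loopback
    except ValueError:
        result["exposed"] = True  # unparseable address: assume the worst
    # A password only counts if authentication is enforced and it is non-empty.
    result["no_password"] = not (cfg["rpc-authentication-required"] and cfg["rpc-password"])
    whitelist = bool(cfg["rpc-whitelist-enabled"])
    result["host_auth_only"] = result["no_password"] and whitelist
    # Edge case the mail does not list: no password and no whitelist either.
    result["open_to_all"] = result["exposed"] and result["no_password"] and not whitelist
    result["affected"] = result["exposed"] and result["host_auth_only"]
    return result

# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "whitelist-only": '{"rpc-bind-address": "0.0.0.0", "rpc-whitelist": "127.0.0.1"}',
    "password-set": '{"rpc-authentication-required": true, "rpc-password": "constructed-placeholder"}',
    "loopback-only": '{"rpc-bind-address": "127.0.0.1"}',
    "auth-flag-empty-pw": '{"rpc-authentication-required": true, "rpc-password": ""}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_rpc(raw))
```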




