Date: Thu, 11 Jan 2018 21:32:27 +0000
Subject: Re: net-p2p/transmission-daemon vulnerability
To: ports@freebsd.org
From: Chris Rees

Please excuse the earlier blank mail- Android Gmail being moronic again :(

Hello all,

I've just been alerted to an issue with transmission, but only the daemon.

Basically, you can fool it into believing that a remote host is localhost, and can therefore break in to it.

This is an issue if all of the following are true:

Port 9091 is accessible from the Internet (or you don't trust your LAN)
You have no password set
You rely on host authentication for security

Unless I'm misunderstanding the issue, you can resolve it by setting a password. There is a patch at [1] that fixes this, but annoyingly they have messed with whitespace since 2.92, and the patch doesn't apply. I expect a release very soon incorporating this fix anyway. It also appears to break on all but Mac OS.

tl;dr set a password for transmission-daemon

Chris

[1] https://github.com/transmission/transmission/pull/468

On 11 January 2018 21:15:26 GMT+00:00, "Janky Jay, III" wrote:
>Uhh... Chris? :)
>
>On 01/11/2018 02:08 PM, Chris Rees wrote:
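
The three conditions listed in the message, expressed as a check over transmission-daemon's settings.json, followed by the password fix. This is an added example, not part of the original message or of the Transmission project's code; the function names, the sample file and the fallback values used for absent keys are assumptions, while the rpc-* names are the daemon's settings.json keys.

```python
import ipaddress
import json

# Constructed sample settings.json fragment: no password, whitelist only.
SAMPLE_WEAK = """{
  "rpc-enabled": true,
  "rpc-bind-address": "0.0.0.0",
  "rpc-port": 9091,
  "rpc-authentication-required": false,
  "rpc-whitelist-enabled": true,
  "rpc-whitelist": "127.0.0.1"
}"""


def check_conditions(settings_text):
    """Map each of the message's three conditions to True/False."""
    cfg = json.loads(settings_text)
    # Fallback values for absent keys are assumptions of this example.
    bind = cfg.get("rpc-bind-address", "0.0.0.0")
    try:
        loopback_only = ipaddress.ip_address(bind).is_loopback
    except ValueError:
        loopback_only = False  # unparseable address: treat as reachable
    password_set = bool(cfg.get("rpc-authentication-required", False)
                        and cfg.get("rpc-username") and cfg.get("rpc-password"))
    return {
        # Proxy only: a firewall in front of the host is invisible here.
        "port_reachable": bool(cfg.get("rpc-enabled", True)) and not loopback_only,
        "no_password": not password_set,
        "relies_on_host_auth": bool(cfg.get("rpc-whitelist-enabled", True))
                               and not password_set,
    }


def is_exposed(settings_text):
    """True only when all three conditions hold, as the message states."""
    return all(check_conditions(settings_text).values())


def with_password(settings_text, username, password):
    """Return the settings with RPC password authentication enabled."""
    cfg = json.loads(settings_text)
    cfg.update({"rpc-authentication-required": True,
                "rpc-username": username, "rpc-password": password})
    return json.dumps(cfg, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(check_conditions(SAMPLE_WEAK), is_exposed(SAMPLE_WEAK))
```

Edit the real settings.json only while the daemon is stopped, since the daemon rewrites the file when it exits.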