Date:      Sat, 20 Jan 2018 01:20:20 +0000 (UTC)
From:      Ben Woods <woodsb02@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r459492 - in head: . net-p2p/transmission-daemon
Message-ID:  <201801200120.w0K1KKHE017963@repo.freebsd.org>

Author: woodsb02
Date: Sat Jan 20 01:20:19 2018
New Revision: 459492
URL: https://svnweb.freebsd.org/changeset/ports/459492

Log:
  net-p2p/transmission-daemon: Improve UPDATING entry and add pkg-message
  
  This will ensure users who do not read UPDATING are still presented with
  the message about how to allow clients to connect to the daemon using
  DNS when they upgrade the package.
  
  PR:		225150
  Reported by:	swills
  Security:	https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

Added:
  head/net-p2p/transmission-daemon/pkg-message   (contents, props changed)
Modified:
  head/UPDATING
  head/net-p2p/transmission-daemon/Makefile

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Sat Jan 20 00:51:39 2018	(r459491)
+++ head/UPDATING	Sat Jan 20 01:20:19 2018	(r459492)
@@ -19,17 +19,24 @@ you update your ports collection, before attempting an
   AUTHOR: woodsb02@FreeBSD.org
 
   The transmission-daemon port has been updated to 2.92_4 to incorporate
-  a patch which mitigates DNS rebinding attacks. This will prevent users
-  from being able to connect to the transmission daemon (via the CLI,
-  web or GUI interfaces) unless one of the following is done:
+  a patch which mitigates DNS rebinding attacks. This will prevent
+  clients from being able to connect to the transmission daemon using
+  DNS with any hostname other than localhost, unless one of the
+  following is done:
     - Enable password authentication, then any hostname is allowed.
-      This can be achieved by add either editing settings.json to set
-      rpc-authentication-required, rpc-username and rpc-password or by
-      running transmission-daemon with the following arguments (can be
-      set with transmission_flags in /etc/rc.conf):
-      -t -u USERNAME -v PASSWORD
+      This can be achieved by either:
+        - setting rpc-authentication-required to true, and adding
+          credentials to the rpc-username and rpc-password fields in
+          settings.json (must be done whilst the transmission service is
+          stopped); or
+        - running transmission-daemon with the following arguments
+          (these can be set with transmission_flags in /etc/rc.conf):
+          -t -u USERNAME -v PASSWORD
     OR
-    - Add the allowed client hostnames to the rpc-host-whitelist setting
+    - Add the allowed server hostnames to the rpc-host-whitelist setting
+      in settings.json (must be done whilst the transmission service is
+      stopped). Note that this value is NOT a list of allowed CLIENTS,
+      but instead a list of allowed SERVER hostnames.
 
 20180111
   AFFECTS: users of editors/vim-lite
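Review bot: The second sub-option under password authentication, `-t -u USERNAME -v PASSWORD` set through transmission_flags in /etc/rc.conf, puts the RPC password in the daemon's argument list and in rc.conf, so it is exposed to anyone who can list processes or read that file. Suggest either saying so in the entry or marking the settings.json route (rpc-authentication-required, rpc-username, rpc-password) as the preferred one. The new clarification that rpc-host-whitelist lists SERVER hostnames is a good addition and needs no change.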

Modified: head/net-p2p/transmission-daemon/Makefile
==============================================================================
--- head/net-p2p/transmission-daemon/Makefile	Sat Jan 20 00:51:39 2018	(r459491)
+++ head/net-p2p/transmission-daemon/Makefile	Sat Jan 20 01:20:19 2018	(r459492)
@@ -12,6 +12,7 @@ DESCR=		${.CURDIR}/pkg-descr
 MASTERDIR=	${.CURDIR}/../transmission-cli
 PLIST=		${.CURDIR}/pkg-plist
 SLAVEPORT=	daemon
+PKGMESSAGE=	${.CURDIR}/pkg-message
 
 USE_RC_SUBR=	transmission
 USERS=		transmission
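Review bot: The `PKGMESSAGE=` line is the only Makefile change and nothing in this commit bumps PORTREVISION (the master port is not among the modified files), so users who already upgraded to 2.92_4 get no new package version and will not see the message the log says they should be presented with. Consider bumping PORTREVISION together with this line, or note in the log that the message only reaches users upgrading from an earlier version or installing fresh.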

Added: head/net-p2p/transmission-daemon/pkg-message
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net-p2p/transmission-daemon/pkg-message	Sat Jan 20 01:20:19 2018	(r459492)
@@ -0,0 +1,18 @@
+------------------------------------------------------------------------
+To allow clients to connect to the transmission daemon using DNS with
+any hostname other than localhost, do one of the following:
+  - Enable password authentication, then any hostname is allowed.
+    This can be achieved by either:
+      - setting rpc-authentication-required to true, and adding
+        credentials to the rpc-username and rpc-password fields in
+        settings.json (must be done whilst the transmission service is
+        stopped); or
+      - running transmission-daemon with the following arguments
+        (these can be set with transmission_flags in /etc/rc.conf):
+        -t -u USERNAME -v PASSWORD
+  OR
+  - Add the allowed server hostnames to the rpc-host-whitelist setting
+    in settings.json (must be done whilst the transmission service is
+    stopped). Note that this value is NOT a list of allowed CLIENTS,
+    but instead a list of allowed SERVER hostnames.
+------------------------------------------------------------------------
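Review bot: The message starts at "To allow clients to connect to the transmission daemon using DNS" without saying why such connections are now refused; unlike the UPDATING entry it never mentions the DNS rebinding mitigation, so a user who sees it at install time has no context for the restriction. Suggest a leading sentence stating that the daemon now refuses connections made with a hostname other than localhost as a DNS rebinding mitigation, and, since both settings.json steps say "must be done whilst the transmission service is stopped", naming the rc service (the Makefile has `USE_RC_SUBR= transmission`) so the reader knows what to stop.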


