From: Ben Woods
Date: Sat, 20 Jan 2018 01:20:20 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r459492 - in head: . net-p2p/transmission-daemon

Author: woodsb02
Date: Sat Jan 20 01:20:19 2018
New Revision: 459492
URL: https://svnweb.freebsd.org/changeset/ports/459492

Log:
  net-p2p/transmission-daemon: Improve UPDATING entry and add pkg-message

  This will ensure users who do not read UPDATING are still presented with
  the message about how to allow clients to connect to the daemon using DNS
  when they upgrade the package.

  PR: 225150
  Reported by: swills
  Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

Added:
  head/net-p2p/transmission-daemon/pkg-message (contents, props changed)
Modified:
  head/UPDATING
  head/net-p2p/transmission-daemon/Makefile

Modified: head/UPDATING ============================================================================== --- head/UPDATING Sat Jan 20 00:51:39 2018 (r459491) +++ head/UPDATING Sat Jan 20 01:20:19 2018 (r459492) 
@@ -19,17 +19,24 @@ you update your ports collection, before attempting an AUTHOR: woodsb02@FreeBSD.org The transmission-daemon port has been updated to 2.92_4 to incorporate - a patch which mitigates DNS rebinding attacks. This will prevent users - from being able to connect to the transmission daemon (via the CLI, - web or GUI interfaces) unless one of the following is done: + a patch which mitigates DNS rebinding attacks. This will prevent + clients from being able to connect to the transmission daemon using + DNS with any hostname other than localhost, unless one of the + following is done: - Enable password authentication, then any hostname is allowed. - This can be achieved by add either editing settings.json to set - rpc-authentication-required, rpc-username and rpc-password or by - running transmission-daemon with the following arguments (can be - set with transmission_flags in /etc/rc.conf): - -t -u USERNAME -v PASSWORD + This can be achieved by either: + - setting rpc-authentication-required to true, and adding + credentials to the rpc-username and rpc-password fields in + settings.json (must be done whilst the transmission service is + stopped); or + - running transmission-daemon with the following arguments + (these can be set with transmission_flags in /etc/rc.conf): + -t -u USERNAME -v PASSWORD OR - - Add the allowed client hostnames to the rpc-host-whitelist setting + - Add the allowed server hostnames to the rpc-host-whitelist setting + in settings.json (must be done whilst the transmission service is + stopped). Note that this value is NOT a list of allowed CLIENTS, + but instead a list of allowed SERVER hostnames. 20180111 AFFECTS: users of editors/vim-lite Modified: head/net-p2p/transmission-daemon/Makefile ============================================================================== --- head/net-p2p/transmission-daemon/Makefile Sat Jan 20 00:51:39 2018 (r459491) +++ head/net-p2p/transmission-daemon/Makefile Sat Jan 20 01:20:19 2018 (r459492) 
@@ -12,6 +12,7 @@ DESCR= ${.CURDIR}/pkg-descr MASTERDIR= ${.CURDIR}/../transmission-cli PLIST= ${.CURDIR}/pkg-plist SLAVEPORT= daemon +PKGMESSAGE= ${.CURDIR}/pkg-message USE_RC_SUBR= transmission USERS= transmission Added: head/net-p2p/transmission-daemon/pkg-message ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net-p2p/transmission-daemon/pkg-message Sat Jan 20 01:20:19 2018 (r459492) @@ -0,0 +1,18 @@ +------------------------------------------------------------------------ +To allow clients to connect to the transmission daemon using DNS with +any hostname other than localhost, do one of the following: + - Enable password authentication, then any hostname is allowed. + This can be achieved by either: + - setting rpc-authentication-required to true, and adding + credentials to the rpc-username and rpc-password fields in + settings.json (must be done whilst the transmission service is + stopped); or + - running transmission-daemon with the following arguments + (these can be set with transmission_flags in /etc/rc.conf): + -t -u USERNAME -v PASSWORD + OR + - Add the allowed server hostnames to the rpc-host-whitelist setting + in settings.json (must be done whilst the transmission service is + stopped). Note that this value is NOT a list of allowed CLIENTS, + but instead a list of allowed SERVER hostnames. +------------------------------------------------------------------------
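
Review bot: In the head/UPDATING hunk, the second authentication sub-bullet still recommends `-t -u USERNAME -v PASSWORD` set through transmission_flags in /etc/rc.conf, which places the RPC password in a system configuration file and in the daemon's argument list, where it can show up in process listings. The settings.json route listed just above it keeps the password off the command line, so I would present that as the preferred option and mark the flags as a fallback with a short note about the exposure. The entry also says access is blocked for "any hostname other than localhost" without saying whether connecting by IP address is affected; one sentence on that would tell users whether they need to change anything at all.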
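
Review bot: No PORTREVISION bump accompanies the new `PKGMESSAGE= ${.CURDIR}/pkg-message` line in the head/net-p2p/transmission-daemon/Makefile hunk, and the changed-file list shows only UPDATING, this Makefile and pkg-message. Users who already upgraded to 2.92_4 therefore get no new package version and will not be shown the message, although the log gives "when they upgrade the package" as the goal. Consider bumping PORTREVISION with this change, or state in the log that the message is intended only for installs and upgrades from older versions.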
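
Review bot: The added head/net-p2p/transmission-daemon/pkg-message opens directly with "To allow clients to connect ..." and drops the context that UPDATING gives, namely that 2.92_4 incorporates "a patch which mitigates DNS rebinding attacks". Since the log says this file is for users who do not read UPDATING, they would see instructions for loosening a restriction without learning that it is a security mitigation. Add an opening sentence carrying that reason and the version. The body is also a verbatim copy of the UPDATING text, so a later correction to one can leave the other stale; a pointer from pkg-message to the UPDATING entry would reduce that.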