Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Deluge: Remote execution of arbitrary code — GLSA 201703-06

A vulnerability in Deluge might allow remote attackers to execute arbitrary code.

Affected packages

Package net-p2p/deluge on all architectures
Affected versions < 1.3.14
Unaffected versions >= 1.3.14

Background

Deluge is a BitTorrent client.

Description

A CSRF vulnerability was discovered in the web UI of Deluge.

Impact

A remote attacker could entice a user currently logged in into Deluge web UI to visit a malicious web page which uses forged requests to make Deluge download and install a Deluge plug-in provided by the attacker. The plug-in can then execute arbitrary code as the user running Deluge.

Workaround

There is no known workaround at this time.

Resolution

All Deluge users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-p2p/deluge-1.3.14"

References

Release date
March 28, 2017

Latest revision
March 28, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries