Transmission: Remote code execution — GLSA 201806-07

A vulnerability in Transmission could allow a remote attacker to execute arbitrary RPC commands.

Affected Packages

net-p2p/transmission on all architectures
Affected versions < 2.93
Unaffected versions >= 2.93

Background

Transmission is a cross-platform BitTorrent client.

Description

A vulnerability was discovered in how Transmission handles access control through the X-Transmission-Session-Id.

Impact

A remote attacker could execute arbitrary RFC commands or consequently conduct a DNS rebinding attack.

Workaround

There is no known workaround at this time.

Resolution

All Transmission users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-p2p/transmission-"
 

References

Release Date
June 20, 2018

Latest Revision
June 20, 2018: 1

Severity
normal

Exploitable
remote

Bugzilla entries