transmission-3.00-2.8 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11474-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z transmission-3.00-2.8 on GA media These are all security issues fixed in the transmission-3.00-2.8 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11474 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-5072/ SUSE CVE CVE-2018-5072 page https://www.suse.com/security/cve/CVE-2018-5702/ SUSE CVE CVE-2018-5702 page openSUSE Tumbleweed transmission-3.00-2.8 transmission-common-3.00-2.8 transmission-daemon-3.00-2.8 transmission-gtk-3.00-2.8 transmission-gtk-lang-3.00-2.8 transmission-qt-3.00-2.8 transmission-qt-lang-3.00-2.8 transmission-3.00-2.8 as a component of openSUSE Tumbleweed transmission-common-3.00-2.8 as a component of openSUSE Tumbleweed transmission-daemon-3.00-2.8 as a component of openSUSE Tumbleweed transmission-gtk-3.00-2.8 as a component of openSUSE Tumbleweed transmission-gtk-lang-3.00-2.8 as a component of openSUSE Tumbleweed transmission-qt-3.00-2.8 as a component of openSUSE Tumbleweed transmission-qt-lang-3.00-2.8 as a component of openSUSE Tumbleweed Online Ticket Booking has XSS via the admin/sitesettings.php keyword parameter. CVE-2018-5072 openSUSE Tumbleweed:transmission-3.00-2.8 openSUSE Tumbleweed:transmission-common-3.00-2.8 openSUSE Tumbleweed:transmission-daemon-3.00-2.8 openSUSE Tumbleweed:transmission-gtk-3.00-2.8 openSUSE Tumbleweed:transmission-gtk-lang-3.00-2.8 openSUSE Tumbleweed:transmission-qt-3.00-2.8 openSUSE Tumbleweed:transmission-qt-lang-3.00-2.8 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5072.html CVE-2018-5072 Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack. CVE-2018-5702 openSUSE Tumbleweed:transmission-3.00-2.8 openSUSE Tumbleweed:transmission-common-3.00-2.8 openSUSE Tumbleweed:transmission-daemon-3.00-2.8 openSUSE Tumbleweed:transmission-gtk-3.00-2.8 openSUSE Tumbleweed:transmission-gtk-lang-3.00-2.8 openSUSE Tumbleweed:transmission-qt-3.00-2.8 openSUSE Tumbleweed:transmission-qt-lang-3.00-2.8 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5702.html CVE-2018-5702 https://bugzilla.suse.com/1075921 SUSE Bug 1075921