I wanted to make you all aware of a recent vulnerability in Transmission: transmission: rpc session-id mechanism design flaw discovered by Taviso Ormandy. He created a patch and wrote about it on the GitHub repo for Transmission: CVE-2018-5702: Mitigate dns rebinding attacks against daemon.
I've released Transmission 2.92.2 with Taviso's patches applied.
PLEASE NOTE: I'm not the official maintainer of Transmission, so I can't release my update on App Central. My version is also not backwards-compatible with the App Central version (you can upgrade to my app, but not revert back). I've written about how my app differs from the App Central version here.
CVE-2018-5702: Mitigate dns rebinding attacks against transmission daemon
- mafredri
- Posts: 371
- Joined: Sat Mar 22, 2014 8:41 am
Hi, I'm new here. Looking to be active in the community and help with development .
Storage: AS-604T with 3GB RAM (Kingston KVR1333D3S8S9/2G)
-
- Posts: 1
- Joined: Sat Mar 31, 2018 11:35 pm
Re: CVE-2018-5702: Mitigate dns rebinding attacks against transmission daemon
Hi Mafedri,
Your link doesn't seem to work for downloading the APK you've built.
May I suggest uploading it to GitHub or somewhere else?
-
- Posts: 20
- Joined: Sun Apr 09, 2017 2:45 pm
Re: CVE-2018-5702: Mitigate dns rebinding attacks against transmission daemon
Asustor seem to have removed Transmission from the App Central, maybe now you can push the last Transmission release to Asustor Mafredi?
- mafredri
- Posts: 371
- Joined: Sat Mar 22, 2014 8:41 am
Re: CVE-2018-5702: Mitigate dns rebinding attacks against transmission daemon
Hey Mr.Crowley, I won't be pushing Transmission to App Central since I'm not the official maintainer and I'm not sure how much longer I'll be maintaining apps for ADM.
That said, you can find Transmission 2.93 here: https://app.box.com/s/2nkeh82trip2ppsplk12ddt6yfq1er9c
-
- Posts: 154
- Joined: Sat Aug 02, 2014 2:02 am
Re: CVE-2018-5702: Mitigate dns rebinding attacks against transmission daemon
Well, sorry to be late to the party (and knowing that mafredi may not be here anymore).
both 2.92-2 and 2.93 (i386 for AS304T):
Code:
root@asustor:/volume1/.@plugins/AppCentral/transmission # /usr/local/AppCentral/transmission/CONTROL/start-stop.sh start
Starting transmission-daemon...
start-stop-daemon: can't execute 'transmission-daemon': No such file or directory
File is in bin folder.
even modifying start-stop.sh with:
Code:
DAEMON=$APKG_PKG_DIR/bin/transmission-daemon
gives the same result
Any hint anyone? I'm quite f***ed without (and yes, even kosyak release isn't (officially) downloadable anymore, and it's still unfixed).
AS-304T
If you own a series 2/3/6 Asustor it's very likely you won't get XBMC 13.x/Kodi.
But easily you'll end buying a kitchen from UK.
- mafredri
- Posts: 371
- Joined: Sat Mar 22, 2014 8:41 am
Re: CVE-2018-5702: Mitigate dns rebinding attacks against transmission daemon
dhstsw wrote:
> Well, sorry to be late to the party (and knowing that mafredi may not be here anymore).
> both 2.92-2 and 2.93 (i386 for AS304T):
> Code:
> root@asustor:/volume1/.@plugins/AppCentral/transmission # /usr/local/AppCentral/transmission/CONTROL/start-stop.sh start
> Starting transmission-daemon...
> start-stop-daemon: can't execute 'transmission-daemon': No such file or directory
> File is in bin folder.
> even modifying start-stop.sh with:
> Code:
> DAEMON=$APKG_PKG_DIR/bin/transmission-daemon
> gives the same result
> Any hint anyone? I'm quite f***ed without (and yes, even kosyak release isn't (officially) downloadable anymore, and it's still unfixed).
You need to use $PKG_DIR instead of $APKG_PKG_DIR, the latter is only defined during installation. But you shouldn't need to change the script at all, the binary should be linked to /usr/local/bin if the transmission app is activated in App Central.
-
- Posts: 154
- Joined: Sat Aug 02, 2014 2:02 am
Re: CVE-2018-5702: Mitigate dns rebinding attacks against transmission daemon
> You need to use $PKG_DIR instead of $APKG_PKG_DIR, the latter is only defined during installation. But you shouldn't need to change the script at all, the binary should be linked to /usr/local/bin if the transmission app is activated in App Central.
Then that must be the reason: I don't keep transmission activated in App Central (I launch it *after* a VPN connection has been set up, via a separate script).
But I guess I could just LN it from /transmision/bin to /usr/local/bin then.
I'll try.
Thanks for the answer!
-
- Posts: 154
- Joined: Sat Aug 02, 2014 2:02 am
Re: CVE-2018-5702: Mitigate dns rebinding attacks against transmission daemon
Of course the LN I made doesn't survive reboot.
Solved with:
Code:
DAEMON=$PKG_DIR/bin/transmission-daemon
in start-stop.sh
thx.