Fedora alert FEDORA-2009-6682 (deluge)

From:
    	     
 
updates@fedoraproject.org 
To:
    	     
 
fedora-package-announce@redhat.com 
Subject:
    	     
 
[SECURITY] Fedora 9 Update: deluge-0.5.9.3-2.fc9 
Date:
    	     
 
Sat, 27 Jun 2009 02:57:43 +0000
Message-ID:
    	     
 
<20090627025743.7053610F8A3@bastion2.fedora.phx.redhat.com>
Archive‑link:
 
        	
Article
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-6682
2009-06-19 12:31:30
--------------------------------------------------------------------------------

Name        : deluge
Product     : Fedora 9
Version     : 0.5.9.3
Release     : 2.fc9
URL         : http://deluge-torrent.org/
Summary     : A GTK+ BitTorrent client with support for DHT, UPnP, and PEX
Description :
Deluge is a new BitTorrent client, created using Python and GTK+. It is
intended to bring a native, full-featured client to Linux GTK+ desktop
environments such as GNOME and XFCE. It supports features such as DHT
(Distributed Hash Tables), PEX (µTorrent-compatible Peer Exchange), and UPnP
(Universal Plug-n-Play) that allow one to more easily share BitTorrent data
even from behind a router with virtually zero configuration of port-forwarding.

--------------------------------------------------------------------------------
Update Information:

This release adds a backported upstream patch to fix a directory traversal
vulnerability in the included copy of libtorrent which would allow a remote
attacker to create or overwrite arbitrary files via a ".." (dot dot) and partial
relative pathname in a specially-crafted torrent.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 18 2009 Peter Gordon <peter@thecodergeek.com> - 0.5.9.3-2
- Revert CVS files to to 0.9.5.3
- Add backported patch for the included copy of rb_libtorrent to fix
  CVE-2009-1760 (#505523):
  + 0.5.9.3-CVE-2009-1760.diff
* Thu Nov 13 2008 Peter Gordon <peter@thecodergeek.com> - 1.0.5-1
- Update to new upstream release (1.0.5)
- Drop desktop file icon name hack (fixed upstream).
- Add setuptools runtime dependency, to fix "No module named pkg_resources"
  error messages.
* Tue Jun 24 2008 Peter Gordon <peter@thecodergeek.com> - 0.5.9.3-1
- Update to new upstream release (0.5.9.3)
* Fri May 23 2008 Peter Gordon <peter@thecodergeek.com> - 0.5.9.1-1
- Update to new upstream release (0.5.9.1)
* Fri May  2 2008 Peter Gordon <peter@thecodergeek.com> - 0.5.9.0-1
- Update to new upstream release (0.5.9.0)
- Drop upstreamed default-preferences patch for disabling new version
  notifications:
  - default-prefs-no-release-notifications.patch
* Tue Apr 15 2008 Peter Gordon <peter@thecodergeek.com> - 0.5.8.9-1
- Update to new upstream release (0.5.8.9)
* Wed Mar 26 2008 Peter Gordon <peter@thecodergeek.com> - 0.5.8.7-1
- Update to new upstream release (0.5.8.7)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #505523 - CVE-2009-1760 rb_libtorrent: arbitrary file overwrite vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=505523
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update deluge' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...