Deluge: CVE-2017-9031: WebUI component: directory traversal vulnerability

[Salvatore Bonaccorso <carnil () debian org>]

Hi

CVE-2017-9031 was assigned for the following directory traversal issue
in Deluge's WebUI:

http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15

Quoting upstream announce:
> Highly recommended to upgrade to this release as it contains a
> directory traversal security fix that once again has the real
> potential to compromise your machine. 

The related commit is:

http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd

which gives more information about the issue:

> [WebUI] Check render template files exist and raise 404 if not
> - Check render/* requests match to .html files in the 'render' dir
> - Protects against directory (path) traversal

Additional reference:
https://bugs.debian.org/862611

Regards,
Salvatore