author: Ben Woods <woodsb02@FreeBSD.org> 2018-01-14 23:29:04 +0000
committer: Ben Woods <woodsb02@FreeBSD.org> 2018-01-14 23:29:04 +0000
commit: 20d10694c14f0735b9d591fabed7a2bd475bcf3c
tree: 8e495fe84123ed1761280e4e36e6616dc0483919 /UPDATING
parent: ac76b3f03c52c5f7ce926ee4706d295490b9194f

Add note to UPDATING for net-p2p/transmission-daemon explaining how to
allow client access with the new DNS rebinding mitigations.

PR: 225150
MFH: 2018Q1
Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

Notes: svn path=/head/; revision=459013

Diffstat (limited to 'UPDATING')
-rw-r--r-- UPDATING 17
1 files changed, 17 insertions, 0 deletions

diff --git a/UPDATING b/UPDATING
index 9c29c2023a2a..06ded67a724b 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,23 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20180115
+ AFFECTS: users of net-p2p/transmission-daemon
+ AUTHOR: woodsb02@FreeBSD.org
+
+ The transmission-daemon port has been updated to 2.92_4 to incorporate
+ a patch which mitigates DNS rebinding attacks. This will prevent users
+ from being able to connect to the transmission daemon (via the CLI,
+ web or GUI interfaces) unless one of the following is done:
+ - Enable password authentication, then any hostname is allowed.
+ This can be achieved by add either editing settings.json to set
+ rpc-authentication-required, rpc-username and rpc-password or by
+ running transmission-daemon with the following arguments (can be
+ set with transmission_flags in /etc/rc.conf):
+ -t -u USERNAME -v PASSWORD
+ OR
+ - Add the allowed client hostnames to the rpc-host-whitelist setting
+
20180111
AFFECTS: users of editors/vim-lite
AUTHOR: adamw@FreeBSD.org
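
Review bot: The sentence in the first option reads "This can be achieved by add either editing settings.json"; the stray "add" should be dropped so it reads "by either editing settings.json ... or by running transmission-daemon with the following arguments". The "-t -u USERNAME -v PASSWORD" route stores the password in /etc/rc.conf through transmission_flags and exposes it on the daemon's command line, so the entry should say that and point readers to the settings.json route when that matters. The second option names rpc-host-whitelist without saying which file it is set in or what a value looks like, unlike the first option; one more line stating both would let a reader apply it without looking elsewhere.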