Security: Arbitrary command execution in newsbeuter
Name: Arbitrary command execution in newsbeuter
ID: DSA-3977-1
Distribution: Debian
Platforms: Debian sid, Debian jessie, Debian stretch
Date: Mon, 18 September 2017, 22:41
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
Applications: Newsbeuter
Original message
-------------------------------------------------------------------------
Debian Security Advisory DSA-3977-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 18, 2017                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : newsbeuter
CVE ID         : CVE-2017-14500
Debian Bug     : 876004
It was discovered that podbeuter, the podcast fetcher in newsbeuter, a text-mode RSS feed reader, did not properly escape the name of the media enclosure (the podcast file), allowing a remote attacker to run an arbitrary shell command on the client machine. This is only exploitable if the file is also played in podbeuter.
For the oldstable distribution (jessie), this problem has been fixed in version 2.8-2+deb8u2.
For the stable distribution (stretch), this problem has been fixed in version 2.9-5+deb9u2.
For the unstable distribution (sid), this problem has been fixed in version 2.9-7.
We recommend that you upgrade your newsbeuter packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
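The class of bug the advisory describes, an untrusted file name reaching a shell command line without proper escaping, is closed by quoting the name so the shell treats every character literally. The following is an added example, not code from newsbeuter or from the advisory; the function names, the "player" command and the sample file names are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Quote one argument for a POSIX shell: wrap it in single quotes and
// rewrite each embedded ' as '\'' (close quote, escaped quote, reopen).
std::string shell_quote(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Hypothetical helper: command line for a player, with the file name quoted.
std::string build_player_command(const std::string& player, const std::string& file) {
    return player + " " + shell_quote(file);
}

// Minimal model of how sh reads one word built from '...' runs and \c escapes.
// Returns false if any character sits outside quotes or a quote is unterminated.
bool sh_word_roundtrip(const std::string& word, std::string& out) {
    out.clear();
    for (std::size_t i = 0; i < word.size(); ++i) {
        if (word[i] == '\'') {
            std::size_t end = word.find('\'', i + 1);
            if (end == std::string::npos) return false;
            out.append(word, i + 1, end - i - 1);  // literal text inside quotes
            i = end;
        } else if (word[i] == '\\' && i + 1 < word.size()) {
            out += word[++i];                      // backslash-escaped character
        } else {
            return false;                          // bare character: shell would interpret it
        }
    }
    return true;
}

int main() {
    // Constructed enclosure names, including shell metacharacters.
    std::vector<std::string> names = {
        "episode 01.mp3", "it's live.mp3", "a\"b;c`d`$(e).mp3"};
    for (const auto& n : names) {
        std::string back;
        bool ok = sh_word_roundtrip(shell_quote(n), back) && back == n;
        std::cout << build_player_command("player", n) << (ok ? "  [ok]\n" : "  [FAIL]\n");
    }
}
```

Passing the file name as a separate argument to an exec-style call, with no shell involved, removes the need for quoting altogether.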