-------------------------------------------------------------------------
Debian Security Advisory DSA-3977-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 18, 2017                    https://www.debian.org/security/faq
-------------------------------------------------------------------------



Package        : newsbeuter
CVE ID         : CVE-2017-14500
Debian Bug     : 876004



It was discovered that podbeuter, the podcast fetcher in newsbeuter, a
text-mode RSS feed reader, did not properly escape the name of the media
enclosure (the podcast file), allowing a remote attacker to run an
arbitrary shell command on the client machine. This is only exploitable
if the file is also played in podbeuter.



For the oldstable distribution (jessie), this problem has been fixed
in version 2.8-2+deb8u2.



For the stable distribution (stretch), this problem has been fixed in
version 2.9-5+deb9u2.



For the unstable distribution (sid), this problem has been fixed in
version 2.9-7.



We recommend that you upgrade your newsbeuter packages.



Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



Mailing list: debian-security-announce@lists.debian.org


