Security: Execution of arbitrary commands in newsbeuter

Name: Execution of arbitrary commands in newsbeuter
ID: DSA-3977-1
Distribution: Debian
Platforms: Debian sid, Debian jessie, Debian stretch
Date: Mon, 18 September 2017, 22:41
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500

Original message

-------------------------------------------------------------------------
Debian Security Advisory DSA-3977-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 18, 2017                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : newsbeuter
CVE ID         : CVE-2017-14500
Debian Bug     : 876004

It was discovered that podbeuter, the podcast fetcher in newsbeuter, a
text-mode RSS feed reader, did not properly escape the name of the media
enclosure (the podcast file), allowing a remote attacker to run an
arbitrary shell command on the client machine. This is only exploitable
if the file is also played in podbeuter.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.8-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.9-5+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.9-7.

We recommend that you upgrade your newsbeuter packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
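The class of bug the advisory describes, as an added example (not newsbeuter's code and not part of the advisory): a file name placed on a shell command line with naive quoting, next to POSIX single-quote escaping. The function names, the `printf` stand-in for a media player and the sample enclosure name are assumptions constructed for illustration.

```cpp
// Added illustration; not newsbeuter/podbeuter source code.
#include <cstdio>
#include <string>

// Naive quoting (assumed for illustration): double quotes, escaping only ".
// $(...) and backticks are still expanded by the shell inside double quotes.
std::string weak_quote(const std::string& s) {
    std::string out = "\"";
    for (char c : s) {
        if (c == '"') out += "\\\"";
        else out += c;
    }
    return out + "\"";
}

// POSIX single quotes: nothing is special inside them, so only ' itself
// needs handling, written as '\'' (close quote, escaped quote, reopen).
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Runs "printf %s <arg>" through /bin/sh via popen() and returns the
// argument as the shell delivered it; printf stands in for a media player.
std::string through_shell(const std::string& quoted_arg) {
    const std::string cmd = "printf %s " + quoted_arg;
    std::string result;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return result;
    char buf[256];
    std::size_t n;
    while ((n = std::fread(buf, 1, sizeof buf, p)) > 0) result.append(buf, n);
    pclose(p);
    return result;
}

int main() {
    // Constructed enclosure name carrying a harmless command substitution.
    const std::string name = "episode $(echo INJECTED) it's.mp3";
    std::printf("weak: %s\n", through_shell(weak_quote(name)).c_str());
    std::printf("safe: %s\n", through_shell(shell_quote(name)).c_str());
    return 0;
}
```

Passing the file name as its own argv element to `execvp()` avoids the shell, and with it the quoting question, altogether.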