Debian alert DLA-1104-1 (newsbeuter)
| From: | Emilio Pozuelo Monfort <pochu@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 1104-1] newsbeuter security update | |
| Date: | Thu, 21 Sep 2017 23:21:38 +0200 | |
| Message-ID: | <df9fb3d9-8e66-ee35-a325-7856f9d6a670@debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package : newsbeuter Version : 2.5-2+deb7u3 CVE ID : CVE-2017-14500 Debian Bug : 876004 It was discovered that podbeuter, the podcast fetcher in newsbeuter, a text-mode RSS feed reader, did not properly escape the name of the media enclosure (the podcast file), allowing a remote attacker to run an arbitrary shell command on the client machine. This is only exploitable if the file is also played in podbeuter. For Debian 7 "Wheezy", these problems have been fixed in version 2.5-2+deb7u3. We recommend that you upgrade your newsbeuter packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlnELV0ACgkQnUbEiOQ2 gwIb/Q//e9awOV/s8hv1r0L2mbJNABLVK++En0MNfv1UOeZH6lTZmJAhePha0C5w UEUD4NyKUHXg33BacADD3vE7rJMKAAa1RAnkPFx4ELE7sOOSylZBxfIV8xF0uQE9 A727h1NsscSvi/m2PLKkCdVmJSQ/z4HeNxEusTImYWR5gJQDgn0NOKYyQAYZRo1g hUdo5sTy0a4aBLyazRn3/KJF189lwcGNyuqbyK0wBnU8vGmiKy6Qye30jJwYx2YG te52YrYayEtDCOeffJO3001llgUZ77YVPkhX2BpdXSJWl3AaK6tlVxYuiSKvlQQq ICLPR9FvWPgoBNRFKRfEveReoPNmDHLJm4IYl1IaWBRuYVpa6m2Uj/hZ8+ZVmiSN 0Sp1aqfKkX584G7aV/QgJ3vteDPmNAdqA4OOv3YUdsAM2mX0y1eZRRagtwXcfG5d 9Nv/3a+UUAX4v0CLYM1zvAWuOxLaxL+QrflEVur4XPtAXMh9RyddMS+N8lrgYmju oOWAKs/N889Cn0F0D/OgFNjQFw/DTdnk/yGwmaAcd0E2DU5GVqf+jXtBm8mRSf06 +4Oc9bS9P28FR9vP7S6ltlSWG92+q/DHWhYjIxjAi8sVik8bKVr8YjVG7Hm0Z9b2 Eb8Cxz7ScIlcvQ/wnykZRGr2Z+n5Rj/eNdxHmVL/f/t/5qKsS4U= =t4XQ -----END PGP SIGNATURE-----