Source: mgetty
Version: 1.1.36-1
Severity: grave
Tags: patch security upstream
Control: fixed -1 1.1.36-3+deb9u1

Hi,

The following vulnerability was published for mgetty.

CVE-2018-16741[0]:
| An issue was discovered in mgetty before 1.2.1. In fax/faxq-helper.c,
| the function do_activate() does not properly sanitize shell
| metacharacters to prevent command injection. It is possible to use the
| ||, &&, or > characters within a file created by the "faxq-helper
| activate <jobid>" command.

The issue was fixed in DSA-4291-1 with 1.1.36-3+deb9u1 but not yet in
unstable and for buster, thus filing an RC bug to avoid the regression
for buster.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16741

Regards,
Salvatore
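
An added example, not part of the original report and not the upstream or Debian patch: a C allowlist check of the kind that rejects the ||, && and > characters named in the CVE description before job-file text reaches a shell. The function names, the allowlist and the sample job text are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist (not taken from mgetty): bytes a job entry may
 * contain if it is later interpolated into a shell command line. */
static const char SAFE_CHARS[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789 ._/+@:-";

/* Return a pointer to the first byte of line[0..len) that is not on the
 * allowlist, or NULL if all are; an embedded NUL is rejected as well. */
const char *first_unsafe_byte(const char *line, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (memchr(SAFE_CHARS, line[i], sizeof(SAFE_CHARS) - 1) == NULL)
            return &line[i];
    return NULL;
}

/* Count non-empty lines of buf that contain a byte outside the allowlist. */
int count_rejected_lines(const char *buf, size_t len)
{
    int rejected = 0;
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || buf[i] == '\n') {
            if (i > start && first_unsafe_byte(buf + start, i - start))
                rejected++;
            start = i + 1;
        }
    }
    return rejected;
}

/* Constructed sample text, not a real mgetty job file. */
static const char SAMPLE_JOB[] =
    "phone 5550100\n"
    "user alice\n"
    "pages f1.g3 || echo x\n"
    "mail bob@example.org && echo y\n"
    "subject report > out\n";

int main(void)
{
    printf("rejected lines: %d\n",
           count_rejected_lines(SAMPLE_JOB, sizeof(SAMPLE_JOB) - 1));
    return 0;
}
```

An allowlist fails closed on metacharacters it does not enumerate, which a denylist of ||, && and > alone would not.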