Your message dated Mon, 18 Sep 2017 16:04:28 +0000 with message-id <e1dtyx6-000ix6...@fasolo.debian.org> and subject line Bug#876004: fixed in newsbeuter 2.9-7 has caused the Debian Bug report #876004, regarding newsbeuter: CVE-2017-14500: Podbeuter podcast fetcher: remote code execution to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 876004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876004 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: newsbeuter Version: 2.8-2 Severity: grave Tags: upstream patch security Justification: user security hole Forwarded: https://github.com/akrennmair/newsbeuter/issues/598 Hi, the following vulnerability was published for newsbeuter. CVE-2017-14500[0]: | Improper Neutralization of Special Elements used in an OS Command in | the podcast playback function of Podbeuter in Newsbeuter 0.3 through | 2.9 allows remote attackers to perform user-assisted code execution by | crafting an RSS item with a media enclosure (i.e., a podcast file) that | includes shell metacharacters in its filename, related to | pb_controller.cpp and queueloader.cpp, a different vulnerability than | CVE-2017-12904. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-14500 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500 [1] https://github.com/akrennmair/newsbeuter/issues/598 [2] http://openwall.com/lists/oss-security/2017/09/16/1 [3] https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: newsbeuter Source-Version: 2.9-7 We believe that the bug you reported is fixed in the latest version of newsbeuter, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 876...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Nikos Tsipinakis <ni...@tsipinakis.com> (supplier of updated newsbeuter package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 17 Sep 2017 22:28:04 +0300 Source: newsbeuter Binary: newsbeuter Architecture: source Version: 2.9-7 Distribution: unstable Urgency: high Maintainer: Nikos Tsipinakis <ni...@tsipinakis.com> Changed-By: Nikos Tsipinakis <ni...@tsipinakis.com> Closes: 876004 Description: newsbeuter - text mode rss feed reader with podcast support Changes: newsbeuter (2.9-7) unstable; urgency=high . * Fix CVE-2017-14500 (Closes: #876004) * Update copyright year * Bump standards to 4.0.1 + Updated copyright-format URL to https as per policy 4.0.0 * Dropped version contraint in libstfl-dev dependency (No older versions in the archive Checksums-Sha1: 86a9ccb115886494c2c3802f594df9f3886358b8 2038 newsbeuter_2.9-7.dsc 09e0039ccaa3d017414b319189f822e5450efda4 27540 newsbeuter_2.9-7.debian.tar.xz Checksums-Sha256: 8657054a88622747404c8ab85897f63905031acebb7392152c99e88d482a500a 2038 newsbeuter_2.9-7.dsc 46c7a13a3cdcf7fc6952704478c29b65f312b930d355fd952b89f49ffd00946f 27540 newsbeuter_2.9-7.debian.tar.xz Files: d9109a2a19bf0c50fa54aea88b219455 2038 net optional newsbeuter_2.9-7.dsc 296609f85de652688f120cc52b3e8025 27540 net optional newsbeuter_2.9-7.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAlm/6+xfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ qgZy4BAAqDwpspusrSkn2M9SKqyHqLjydJpfI387gcCVATVfUBvzJHDKEFDbRLqZ ISo6OvBTzX9jEF4/jBARzVh20hxg1EDQKtDSDKmoi3rPDQ/oBaPAWKFSwLnfUX4I PbQDCV4VzOoAwyxxloeCib4KucMYcQS+gxUeWpZ/+1hEb7PEIZt9AT1f3Yt88vuP 2HqMKZWfWbVo6W47xag445uQuiAj5iw0ng3cJ7ztSlEd8uYtNCPTGtR8KoJ1J42E jx7ueMNtfNOOtDXnN0Ka0YkJZ2n08emJz/qARmMJi1O062Phfdg8Ztv5BRFdMBIG gYIScecpHFaqeSCjPBVGPrjiITSQWcQQcFdvapL8+2VYla4+mRqI07CBa2y/ehH3 8DJ95/Mowr4sqA0Ag0g9Er6ZAGOIthGXH7lb9rnv3cCUiDLhW/ERuIJLcTSXhM6E 02SXbv3hwQKGmmQSrCrMNm084nspiv9XYhCo63Qc6qtheQbk78ceLdsWLoHdukSX 0bR83OM1K9R4E5ifRGvIcv66hMWYibFAzRbzLhRSruCBI/80O3KivRVJAK5EX+x4 atn7R74riCO+DFck6W3ewV+kc6cX1QEDQcSyOAMdoZPcr2V9//UedXVERfK6rsyh z0VacjGOzYdma0PeiLNglRop/rLycXfIjs5f0WmczxROlLNryBw= =VFZm -----END PGP SIGNATURE-----
--- End Message ---
