Your message dated Sat, 23 Sep 2017 10:03:10 +0000 with message-id <e1dvhhc-00024f...@fasolo.debian.org> and subject line Bug#876004: fixed in newsbeuter 2.9-5+deb9u2 has caused the Debian Bug report #876004, regarding newsbeuter: CVE-2017-14500: Podbeuter podcast fetcher: remote code execution to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 876004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876004 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: newsbeuter Version: 2.8-2 Severity: grave Tags: upstream patch security Justification: user security hole Forwarded: https://github.com/akrennmair/newsbeuter/issues/598 Hi, the following vulnerability was published for newsbeuter. CVE-2017-14500[0]: | Improper Neutralization of Special Elements used in an OS Command in | the podcast playback function of Podbeuter in Newsbeuter 0.3 through | 2.9 allows remote attackers to perform user-assisted code execution by | crafting an RSS item with a media enclosure (i.e., a podcast file) that | includes shell metacharacters in its filename, related to | pb_controller.cpp and queueloader.cpp, a different vulnerability than | CVE-2017-12904. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-14500 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500 [1] https://github.com/akrennmair/newsbeuter/issues/598 [2] http://openwall.com/lists/oss-security/2017/09/16/1 [3] https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: newsbeuter Source-Version: 2.9-5+deb9u2 We believe that the bug you reported is fixed in the latest version of newsbeuter, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 876...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <car...@debian.org> (supplier of updated newsbeuter package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 17 Sep 2017 14:58:20 +0200 Source: newsbeuter Binary: newsbeuter Architecture: source Version: 2.9-5+deb9u2 Distribution: stretch-security Urgency: high Maintainer: Nikos Tsipinakis <ni...@tsipinakis.com> Changed-By: Salvatore Bonaccorso <car...@debian.org> Closes: 876004 Description: newsbeuter - text mode rss feed reader with podcast support Changes: newsbeuter (2.9-5+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Work around shell code in podcast names (CVE-2017-14500) Remote code execution in podbeuter. (Closes: #876004) Checksums-Sha1: ef25279e5d1615f2eaf54c0b08d2a4789a1bcb16 2101 newsbeuter_2.9-5+deb9u2.dsc c5dfa057bfff21892155a7744fd02c3318815ab4 26264 newsbeuter_2.9-5+deb9u2.debian.tar.xz Checksums-Sha256: b280354f47c5001cf8ff821ad1988333872ea096b2bcc82d12836a53ffc7e93a 2101 newsbeuter_2.9-5+deb9u2.dsc 0e7e0be698b887c5a4c9533430ba0d9303912f1ae00b4e93acfe11bb245f7013 26264 newsbeuter_2.9-5+deb9u2.debian.tar.xz Files: 27612b469ab355dbc8f6184173c16774 2101 net optional newsbeuter_2.9-5+deb9u2.dsc 08b95c582abca0e4d428352cccaf920b 26264 net optional newsbeuter_2.9-5+deb9u2.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlm+fgVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EuPYP/Ar4g2xiQCgyBbFjSLFKx13YJNjdSBzH wkrxU4Cfa3rgmYrSdmsSqLSWs1edHzqh1qb3PmkH9NG0pGu8naOXdmNwYC8acivz NyangcX0N0f1e9KmSJLuqo+2859JwBr7oKbtUxZzih/ODbvylj5HIF1QjUoc6O1g wTAvK93VULyKMY8VF38SYyFQ1mUi1Hi/kfcoLYk9+fV8tTcBt7n0DVd9dvoJxQJH UToBa/58NkkvdhbF49a7aNSRNtmps4sNZtKp3CB4iZwsIG2OboKlWu4Uvs7yUP3o R/h//htEliDQCN7YurCqKLU0PYYovLasZR+k64yrrVNt+iXY/3CUUVnzb9QlNee3 6ZNqrYQNWgB0wxXFzH0rG3X4XXB39yfZ8Igc94ULysm3faina0FwZEOPPmHITClF Vqm+gD/zlnykMzZdMgi12clygoNwyw6uSwR/Rm0MqEr/h7/SZEvBTpUI2banelbp ddDvQWQVDhQnUXLsltdkG4NuWCUcMaGCVj/HY6oD0bCVL1hK9UrCJXTd5xywxtR1 khAmybXcJ6wiGG8bXSmFeR+1SgN12VBmmIqS5+CDbsjcY753beytyhu/+SFSqp/z Ut829pQwwUDFIxo6/hPPFe8J2Xlehbs6rG44bxX/eUl8ead59bzn5kHCw/BgxeoJ HfaVbxjmo+vq =kAB/ -----END PGP SIGNATURE-----
--- End Message ---
