Your message dated Sat, 23 Sep 2017 11:33:22 +0000
with message-id <e1dvigu-000ehx...@fasolo.debian.org>
and subject line Bug#876004: fixed in newsbeuter 2.8-2+deb8u2
has caused the Debian Bug report #876004,
regarding newsbeuter: CVE-2017-14500: Podbeuter podcast fetcher: remote code 
execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
876004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876004
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: newsbeuter
Version: 2.8-2
Severity: grave
Tags: upstream patch security
Justification: user security hole
Forwarded: https://github.com/akrennmair/newsbeuter/issues/598

Hi,

the following vulnerability was published for newsbeuter.

CVE-2017-14500[0]:
| Improper Neutralization of Special Elements used in an OS Command in
| the podcast playback function of Podbeuter in Newsbeuter 0.3 through
| 2.9 allows remote attackers to perform user-assisted code execution by
| crafting an RSS item with a media enclosure (i.e., a podcast file) that
| includes shell metacharacters in its filename, related to
| pb_controller.cpp and queueloader.cpp, a different vulnerability than
| CVE-2017-12904.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
[1] https://github.com/akrennmair/newsbeuter/issues/598
[2] http://openwall.com/lists/oss-security/2017/09/16/1
[3] https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: newsbeuter
Source-Version: 2.8-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
newsbeuter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated newsbeuter 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Sep 2017 16:55:08 +0200
Source: newsbeuter
Binary: newsbeuter newsbeuter-dbg
Architecture: source
Version: 2.8-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Nico Golde <n...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 876004
Description: 
 newsbeuter - text mode rss feed reader with podcast support
 newsbeuter-dbg - debugging symbols for newsbeuter
Changes:
 newsbeuter (2.8-2+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Work around shell code in podcast names (CVE-2017-14500)
     Remote code execution in podbeuter. (Closes: #876004)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
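
The bug class named in the CVE-2017-14500 description above (a feed-supplied filename placed into a shell command line) is shown here beside a quoting fix. This is an added example, not newsbeuter's code and not part of the original thread. The function names, the `printf` stand-in for a media player, and the sample filename are constructed for illustration.

```cpp
// Added illustration; not newsbeuter/podbeuter source code.
#include <cstdio>
#include <string>

// Vulnerable pattern (assumed shape): the enclosure-derived filename is wrapped
// in double quotes, which do not stop ", $, ` or \ from reaching /bin/sh.
std::string naive_command(const std::string& player, const std::string& file) {
    return player + " \"" + file + "\"";
}

// POSIX-safe quoting: nothing is special inside single quotes, so only the
// single quote itself needs rewriting, as '\'' (close, escaped quote, reopen).
// Launching the player with an exec-family call and an argv array avoids the shell entirely.
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

std::string quoted_command(const std::string& player, const std::string& file) {
    return player + " " + shell_quote(file);
}

// Run a command line through /bin/sh (as popen/system do) and return its stdout.
std::string run_via_shell(const std::string& cmd) {
    std::string out;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return out;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) out.append(buf, n);
    pclose(p);
    return out;
}

// Constructed sample filename with shell metacharacters (a harmless echo).
const std::string kSample = "ep1\";echo INJECTED;\".mp3";

int main() {
    const std::string player = "printf '%s\\n'";  // stand-in for a media player
    std::printf("naive : %s", run_via_shell(naive_command(player, kSample)).c_str());
    std::printf("quoted: %s", run_via_shell(quoted_command(player, kSample)).c_str());
    return 0;
}
```

With the naive form the shell runs the embedded `echo` as a separate command; with the quoted form the player receives the filename as one literal argument.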
