Debian Security Advisory
DSA-3977-1 newsbeuter -- security update
- Date Reported:
- 18 Sep 2017
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 876004.
In Mitre's CVE dictionary: CVE-2017-14500.
- More information:
It was discovered that podbeuter, the podcast fetcher in newsbeuter, a text-mode RSS feed reader, did not properly escape the name of the media enclosure (the podcast file), allowing a remote attacker to run an arbitrary shell command on the client machine. This is only exploitable if the file is also played in podbeuter.
For the oldstable distribution (jessie), this problem has been fixed in version 2.8-2+deb8u2.
For the stable distribution (stretch), this problem has been fixed in version 2.9-5+deb9u2.
For the unstable distribution (sid), this problem has been fixed in version 2.9-7.
We recommend that you upgrade your newsbeuter packages.