Security Information / 2017 / Security Information -- DSA-3977-1 newsbeuter

Debian Security Advisory

DSA-3977-1 newsbeuter -- security update

Date Reported:

18 Sep 2017

Affected Packages:

newsbeuter

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 876004.
In Mitre's CVE dictionary: CVE-2017-14500.

More information:

It was discovered that podbeuter, the podcast fetcher in newsbeuter, a text-mode RSS feed reader, did not properly escape the name of the media enclosure (the podcast file), allowing a remote attacker to run an arbitrary shell command on the client machine. This is only exploitable if the file is also played in podbeuter.

For the oldstable distribution (jessie), this problem has been fixed in version 2.8-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in version 2.9-5+deb9u2.

For the unstable distribution (sid), this problem has been fixed in version 2.9-7.

We recommend that you upgrade your newsbeuter packages.