Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRepository QA checks <repo-qa-checks@gentoo.org>2018-03-11 16:49:57 +0000
committerRepository QA checks <repo-qa-checks@gentoo.org>2018-03-11 16:49:57 +0000
commitf69f93693524f20f5d69928ab431e76d1751e65d (patch)
treedb887571b57bd55f61b5c7aaed0e1f482bdeb54c
parentMerge updates from master (diff)
parentAdded GLSA 201803-04 (diff)
downloadgentoo-f69f93693524f20f5d69928ab431e76d1751e65d.tar.gz
gentoo-f69f93693524f20f5d69928ab431e76d1751e65d.tar.bz2
gentoo-f69f93693524f20f5d69928ab431e76d1751e65d.zip
Merge commit 'a3a9d59f86ebf5d6e6d86f34addc40bfcfe72e5a'
Diffstat
-rw-r--r--metadata/glsa/glsa-201803-04.xml51
1 files changed, 51 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201803-04.xml b/metadata/glsa/glsa-201803-04.xml
new file mode 100644
index 000000000000..fbb8dc4ac337
--- /dev/null
+++ b/metadata/glsa/glsa-201803-04.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201803-04">
+ <title>Newsbeuter: User-assisted execution of arbitrary code</title>
+ <synopsis>A vulnerability in Newsbeuter may allow remote attackers to execute
+ arbitrary shell commands.
+ </synopsis>
+ <product type="ebuild">newsbeuter</product>
+ <announced>2018-03-11</announced>
+ <revised count="1">2018-03-11</revised>
+ <bug>631150</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-news/newsbeuter" auto="yes" arch="*">
+ <vulnerable range="le">2.9-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Newsbeuter is a RSS/Atom feed reader for the text console.</p>
+
+ </background>
+ <description>
+ <p>Newsbeuter does not properly escape shell meta-characters in an RSS item
+ with a media enclosure in the podcast playback function of Podbeuter.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to open a feed with a specially
+ crafted media enclosure, could possibly execute arbitrary shell commands
+ with the privileges of the user running the application.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Newsbeuter and recommends that users
+ unmerge the package:
+ </p>
+
+ <code>
+ # emerge --unmerge "net-news/newsbeuter"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14500">CVE-2017-14500</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-02-05T14:58:55Z">chrisadr</metadata>
+ <metadata tag="submitter" timestamp="2018-03-11T16:29:05Z">chrisadr</metadata>
+</glsa>