1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4211-1] xdg-utils security update

    From Luciano Bello@1:229/2 to All on Fri May 25 23:10:01 2018
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4211-1 [email protected] https://www.debian.org/security/ Luciano Bello
    May 25, 2018 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : xdg-utils
    CVE ID : CVE-2017-18266
    Debian Bug : 898317

    Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If
    the environment variable BROWSER in the victim host has a "%s" and the
    victim opens a link crafted by an attacker with xdg-open, the malicious
    party could manipulate the parameters used by the browser when opened.
    This manipulation could set, for example, a proxy to which the network
    traffic could be intercepted for that particular execution.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 1.1.0~rc1+git20111210-7.4+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in
    version 1.1.1-1+deb9u1.

    We recommend that you upgrade your xdg-utils packages.

    For the detailed security status of xdg-utils please refer to
    its security tracker page at: https://security-tracker.debian.org/tracker/xdg-utils

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlsIeHIACgkQbsLe9o/+ N3QWGw/8CwtaHUg4RLm1vZ+6/gQatNNTE7Hzq1v5p9Y2A3MRGF7aklTHlyg9Pa1s fO2JYyeInMNwFVohL0CHr1iPbs/NSuFCEvBMONXrFChlKpOfp/UBv2xc/mqM1bXl +9RAfZ30ZcrNs0mKJwzOm927ec+TZZLukLJPXvVqcANmy4GOPpraZWMz037xawEG wEq9MdFhqLbBwXrqBIutP11/8BUUZVPlZj/dTeqp3lqlvnOx5iD5MSGxiU7vag7c MeuDen5hyjFX/NgoXkSURcnFiOjc6zlWS6bxR5cs0nW9PdwKHJk8XP+g8uVrDIVd CNgQlJU+liVQG1ZuM2OhLf0nkTC33QChRieZ3lYrPdnGi3U4Jc5D27HrgxKk6Mx0 g9QLF37DEZPtsp2QsRBA3IuAievwmgbpud2l65SosXnh08cImyhnkzSue/efMns5 zDZcx6xAOusz1KEFh5wSOnYgYFrtH6r8BliDFQX1q5xhLZCvndnoiDrZ94Ptgx8Q WP9h9SqfSLtDOKUj2c1WoJA0m1MXzXh+/lDGGAPpRNqTo/+7KeU3/yu2D1ZalAcC 1upPysxYQlCo5JY7dfdNxu9wbzbOWeUY/v6mTBPxALOrEKZpDuPhxawtFSD0MOS0 LQNRnH5bh9ubJAMXumeIkIamtWoXQjDJuKapds7eG3aYUtI2Pf8=
    =0fNN
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)