[ASA-201708-15] newsbeuter: arbitrary code execution
Arch Linux Security Advisory ASA-201708-15
==========================================

Severity: High
Date    : 2017-08-20
CVE-ID  : CVE-2017-12904
Package : newsbeuter
Type    : arbitrary code execution
Remote  : Yes
Link    :

Summary
=======

The package newsbeuter before version 2.9-7 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 2.9-7.

# pacman -Syu "newsbeuter>=2.9-7"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

Don't bookmark items.

Description
===========

An attacker can craft an RSS item with shell code in the title and/or
URL. When such an item is bookmarked, the shell will execute that code.
The vulnerability is triggered when bookmark-cmd is called.

Impact
======

A remote attacker can execute an arbitrary command on the affected host
by tricking a user into bookmarking a specially crafted RSS item.

References
==========

!topic/newsbeuter/iFqSE7Vz-DE
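
The class of bug in the Description, shown beside a quoted form. This is an added example, not newsbeuter's code or the upstream patch: `bookmark_cmd`, `run`, `sh_quote` and the sample item are hypothetical, and it assumes the feed fields are pasted into the command line inside double quotes.

```cpp
#include <cstdio>
#include <string>

// Run a command line through /bin/sh (as popen does) and return its stdout.
std::string run(const std::string& cmdline) {
    std::string out;
    FILE* p = popen(cmdline.c_str(), "r");
    if (!p) return out;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) out.append(buf, n);
    pclose(p);
    return out;
}

// Wrap s in single quotes so a POSIX shell treats it as one literal word;
// an embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
std::string sh_quote(const std::string& s) {
    std::string q = "'";
    for (char c : s) {
        if (c == '\'') q += "'\\''";
        else q += c;
    }
    return q + "'";
}

// Hypothetical stand-in for the user's bookmark-cmd: prints each argument
// it receives in brackets, so argument boundaries and content are visible.
const std::string bookmark_cmd = "printf '[%s]'";

// Vulnerable pattern: feed-controlled fields are only wrapped in double
// quotes, where the shell still performs command substitution.
std::string bookmark_unsafe(const std::string& url, const std::string& title) {
    return run(bookmark_cmd + " \"" + url + "\" \"" + title + "\"");
}

// Hardened pattern: every feed-controlled field is shell-quoted first.
std::string bookmark_safe(const std::string& url, const std::string& title) {
    return run(bookmark_cmd + " " + sh_quote(url) + " " + sh_quote(title));
}

int main() {
    // Constructed sample item; the substitution only echoes a marker word.
    const std::string url = "https://example.org/item";
    const std::string title = "News $(echo INJECTED) it's here";
    std::printf("unsafe: %s\nsafe:   %s\n",
                bookmark_unsafe(url, title).c_str(),
                bookmark_safe(url, title).c_str());
}
```

In the unsafe call the shell evaluates the substitution before the bookmark command ever sees the title; in the safe call the title arrives byte for byte. Passing the fields as separate argv entries to an exec-family call avoids the shell entirely.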