[ASA-201708-15] newsbeuter: arbitrary code execution
Arch Linux Security Advisory ASA-201708-15
==========================================

Severity: High
Date    : 2017-08-20
CVE-ID  : CVE-2017-12904
Package : newsbeuter
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-384

Summary
=======

The package newsbeuter before version 2.9-7 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 2.9-7.

# pacman -Syu "newsbeuter>=2.9-7"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

Don't bookmark items.

Description
===========

Improper Neutralization of Special Elements used in an OS Command in
the bookmarking function of Newsbeuter versions 0.7 through 2.9 allows
remote attackers to perform user-assisted shell command execution by
crafting an RSS item that includes shell code in its title and/or URL.
When the user bookmarks such an item, the shell code will be executed.

Impact
======

A remote attacker can execute an arbitrary command on the affected host
by tricking a user into bookmarking a specially crafted RSS item.

References
==========

https://github.com/akrennmair/newsbeuter/issues/591
https://github.com/akrennmair/newsbeuter/commit/3b84203448f077dff6f83ba986f916884184852c
https://github.com/akrennmair/newsbeuter/commit/d1460189f6f810ca9a3687af7bc43feb7f2af2d9
https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE
https://security.archlinux.org/CVE-2017-12904
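
The bug class named in the Description, shown as an added example that is not newsbeuter's code or its upstream fix: a feed-supplied title is passed to a helper through `/bin/sh`, once with double-quote escaping and once with single-quote escaping. The function names, the `printf` stand-in for the bookmark helper, the sample title, and the choice of double quotes as the weak form are all assumptions made for illustration.

```cpp
#include <cstdio>
#include <string>

// Hypothetical weak quoting: wraps in double quotes and escapes '"' and '\'.
// POSIX sh still expands $(...), `...` and $VAR inside double quotes.
std::string quote_weak(const std::string& s) {
    std::string out = "\"";
    for (char c : s) {
        if (c == '"' || c == '\\') out += '\\';
        out += c;
    }
    return out + "\"";
}

// Hardened quoting: wraps in single quotes, where sh expands nothing.
// An embedded ' is emitted as '\'' (close quote, escaped quote, reopen).
std::string quote_strong(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Passes one already-quoted argument to a stand-in bookmark helper
// (printf) via /bin/sh and returns the bytes the helper received.
std::string received_by_helper(const std::string& quoted_arg) {
    std::string cmd = "printf '%s' " + quoted_arg;
    std::string got;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return got;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) got.append(buf, n);
    pclose(p);
    return got;
}

// Constructed sample title; the embedded command is a harmless echo.
const std::string kTitle = "Update $(echo INJECTED) it's here";

int main() {
    std::printf("weak:   %s\n", received_by_helper(quote_weak(kTitle)).c_str());
    std::printf("strong: %s\n", received_by_helper(quote_strong(kTitle)).c_str());
    return 0;
}
```

Passing the title and URL as separate `argv` entries to `execve`-style calls, with no shell in between, removes the need for quoting altogether.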