—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512
– ————————————————————————-
Debian Security Advisory DSA-3165-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
February 21, 2015 http://www.debian.org/security/faq
– ————————————————————————-
Package : xdg-utils
CVE ID : CVE-2015-1877
Debian Bug : 777722
Jiri Horner discovered a way to cause xdg-open, a tool that automatically
opens URLs in a user’s preferred application, to execute arbitrary
commands remotely.
This problem only affects /bin/sh implementations that don’t sanitize
local variables. Dash, which is the default /bin/sh in Debian is
affected. Bash as /bin/sh is known to be unaffected.
For the stable distribution (wheezy), this problem has been fixed in
version 1.1.0~rc1+git20111210-6+deb7u3.
For the upcoming stable (jessie) and unstable (sid) distributions,
this problem will be fixed soon.
We recommend that you upgrade your xdg-utils packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQQcBAEBCgAGBQJU6WG2AAoJELjWss0C1vRzmEof/3yl6xrjW+HidxZWt1gFfxE5
f7h5IvNqT3CYkR2oTUruUH8CuKqGgGDOdF3Xg62gid2C0KnK5Y67ZLKPYrxTM1EY
yP5XZvBwHWO05SMx9qpyk0qCknTESXKVongIA5QVAJxfKfStnGa6igHJzNdremp+
qpm/0IpAu50RF7jWJ1RI3EFAYT0xWwFlBqhEGVEZXEE+4BSR87NL66UG5qaXuiT6
K1Tuj7s1mEPuXrL/Kg8wpFV8e6RUuHSQgeWZ3lTLB13AnMeZnOMRDG/rf8/iruhX
GXl50mzReTeVzexd6CerG7lZkORWHIhPvRl4H/4UcuH5QIUrWEM/ipDgYlzvw/W/
c2gesywaO/F8b8TKy9sC/3VHQNXaFr9ar/lShkHU6z1XyqerHbFQWWZb9yc0zSwB
TPOzI4YMylklkorrOm9HeFbSIrB+pfOI9ivQSapQqucrkejXy0R47bwy2FJY8QZj
4D2MkAwjhlDiRWGVyvqRges/s8+zBUzMIhlfNq54xI7ZaPlUAPEQ3fInLFZJ5v2a
RDFtqvpzdi3GL3vR/ntdiu3zl+gK2OOfgHVe5CWdZIqTcGNmUa4W8Gy6KoTOJGRq
UMrvp7qKI0lTF9tyQbpDi9Dq8h74foxnfrdEpcasNVLlup5SAKRgtiUnmku4I5Ts
Hp81UqYWWdWjoD97U1pcy+3xgQeariDMMN5WDDYKzT5FTTcvSHEmeRtb3p88fqM/
kDiUD+Muda7j6nfWHVgsO5p9lhi8WrWpry0WAaZ7w64HXhgb8WM0/aWcn8onY+R/
jcSkKyKFEk+b71nYrgS4JWhzNATCu6kgPH0kLNvJiHZkA9rVHWxsqZfthCBrysEm
aCftGyqEkGJFWVcFwxXkCb6NwN9tIE/rJj7iIi2Wp1cVSQGJA24Zyr8n8EprCnYm
kMGEw33+iYo3xdTTie0XWR3yMop7R/yw/FXGGjkkptBnMS4EHizZsvTtyQskO15V
q9qI4rfMAmV4AOY4U8eJoARZ++haeAbQ+JArjwtxnQUY3ZuYDIDiUFv1LHVKGM+c
UXdRgiLMhz00ejTLLAD5x8MZ08MFED7E9km3zHuzKmd1QS1V0OSZc8jEquDd1IRd
ivc0DIRGae55zzgqwkZV6znFIY81cmd5sFAMrtQBy4pmhp6WWFHh1W8JETc+l/t+
HcIA1FMMhUC/peWUyJkkA0o+TpDpbfnfSwOJoQAxeXgslU2XyOU8r/mc3ze2/GSu
Z/zbVLr62agmh0Y44hdTHFGBlZcYPDHJiKjqcBvQSjTk5BvN0FcQ7m3HTz0lYHpb
dnbBCteP/c4srJwjTwCuPVTlz2WI9mzg1NNTvVWaB/ivLSPiGky/lqKt058N0Gk=
=eXk5
—–END PGP SIGNATURE—–
—
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of “unsubscribe”. Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/E1YPOed-0007aq-NY@alpha.psidef.org