===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1611
                         xdg-utils security update
                                28 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xdg-utils
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-18266

Reference:         ESB-2018.1551

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4211

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4211-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
May 25, 2018                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xdg-utils
CVE ID         : CVE-2017-18266
Debian Bug     : 898317

Gabriel Corona discovered that xdg-utils, a set of tools for desktop
environment integration, is vulnerable to argument injection attacks. If
the environment variable BROWSER in the victim host has a "%s" and the
victim opens a link crafted by an attacker with xdg-open, the malicious
party could manipulate the parameters used by the browser when opened.
This manipulation could set, for example, a proxy to which the network
traffic could be intercepted for that particular execution.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.1.0~rc1+git20111210-7.4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.1-1+deb9u1.

We recommend that you upgrade your xdg-utils packages.

For the detailed security status of xdg-utils please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/xdg-utils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
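
Added illustration, not part of the AusCERT bulletin or the Debian advisory and not xdg-utils source: the class of argument injection described in the advisory, reduced to a sketch with a harmless stand-in for the browser. It assumes a launcher that fills the URL into a BROWSER-style "%s" template and only then lets the shell split the result into words; count_args, launch_unsafe, launch_safe and all sample values are hypothetical.

```shell
#!/bin/sh
# Added illustration; not xdg-utils code. All names and values are constructed.

# Stand-in for the browser: reports how many arguments it received.
count_args() { echo "$#"; }

# Unsafe pattern (assumed): substitute the URL into the template first,
# then let the shell word-split the combined string. Whitespace inside the
# URL becomes an argument boundary, so the link can add browser options.
launch_unsafe() {
    $(printf "$1" "$2")
}

# Hardened pattern: split only the locally configured template into words,
# then substitute the URL inside the word that holds %s. The URL always
# stays a single argument, whatever characters it contains.
launch_safe() {
    url=$2
    set -f          # no pathname expansion while splitting the template
    set -- $1
    set +f
    n=$#
    while [ "$n" -gt 0 ]; do
        word=$1
        shift
        case $word in
            *%s*)
                pre=${word%%"%s"*}
                post=${word#*"%s"}
                word=$pre$url$post
                ;;
        esac
        set -- "$@" "$word"     # rotate the rebuilt word to the end
        n=$((n - 1))
    done
    "$@"
}

TEMPLATE='count_args --new-window %s'                # constructed BROWSER-style value
PLAIN='https://example.org/page'                     # constructed link
CRAFTED='https://example.org/page --injected-flag'   # constructed link with a space

echo "plain link:   unsafe=$(launch_unsafe "$TEMPLATE" "$PLAIN") safe=$(launch_safe "$TEMPLATE" "$PLAIN")"
echo "crafted link: unsafe=$(launch_unsafe "$TEMPLATE" "$CRAFTED") safe=$(launch_safe "$TEMPLATE" "$CRAFTED")"
```

The sketch only shows why the argument count changes; on an affected host the remedy is the package upgrade to the fixed versions named in the advisory.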