| Summary: | <net-news/canto-curses-0.9.3: Improper Sanitization of URL feeds (CVE-2013-7416) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | avx <idevelop> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | pinkbyte |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | ~2 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 548184 | | |
| Bug Blocks: | | | |
Description
avx
2014-12-27 02:17:55 UTC
Canto Curses 0.9.0 contains a security fix, as noted in the next comment. CVE-2013-7416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7416): canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote feed servers to execute arbitrary commands via shell metacharacters in a URL in a feed.

Thanks for picking that up under the security banner, but shouldn't the version in portage get masked for the time being?

New versions of canto-curses and canto-daemon are in tree. Old versions were dropped.

Package has never been stable, closing as noglsa.
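The bug class named in the CVE text above (a feed-supplied URL reaching a shell) is easier to recognise and audit for with a minimal illustration. The following is an added example written for this page, not code from Canto Curses or its fix; the function names, the `BROWSER_CMD` setting and the sample URLs are all constructed. It puts the vulnerable string-interpolation pattern beside the hardened argv-list form, and also shows why a scheme allow-list alone is not the fix: the tainted URL still passes scheme validation, and only the absence of a shell keeps its metacharacters inert.

```python
"""Illustration of the CVE-2013-7416 bug class: an untrusted URL from a feed
interpolated into a shell command, beside a hardened variant.
Hypothetical names; not Canto's own code."""
from __future__ import annotations

import shlex
import subprocess
from urllib.parse import urlsplit

# Hypothetical user setting: the program used to open links.
BROWSER_CMD = "xdg-open"


def build_command_unsafe(url: str) -> str:
    # Vulnerable pattern: the URL is pasted into a command string that is
    # later handed to a shell (os.system or subprocess with shell=True).
    # Anything the shell treats as syntax inside the URL is executed.
    return f"{BROWSER_CMD} {url}"


def is_allowed_url(url: str) -> bool:
    # Scheme allow-list. Useful against file:/javascript: style links,
    # but it does NOT neutralise shell metacharacters in the path/query.
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def build_command_safe(url: str) -> list[str]:
    # Hardened form: the URL travels as a single argv element. No shell is
    # involved, so ';', '|', '$(...)' and friends are just bytes in an argument.
    if not is_allowed_url(url):
        raise ValueError("refusing URL with unexpected scheme")
    return [BROWSER_CMD, url]


def quoted_for_shell(url: str) -> str:
    # If a shell genuinely must be used (e.g. the browser setting is itself a
    # shell pipeline), quote the untrusted value instead of interpolating it.
    return f"{BROWSER_CMD} {shlex.quote(url)}"


def open_link(url: str, dry_run: bool = True) -> list[str]:
    # Entry point a UI would call when the user activates a feed item.
    argv = build_command_safe(url)
    if not dry_run:
        subprocess.Popen(argv)  # argv list, shell=False by default
    return argv


# Constructed sample input: one ordinary link and one carrying shell syntax.
CLEAN_URL = "http://example.com/feed/item"
TAINTED_URL = "http://example.com/x; echo injected"

if __name__ == "__main__":
    print("unsafe :", build_command_unsafe(TAINTED_URL))
    print("argv   :", build_command_safe(TAINTED_URL))
    print("quoted :", quoted_for_shell(TAINTED_URL))
    print("allowed:", is_allowed_url(TAINTED_URL), is_allowed_url("file:///tmp/x"))
```

When reviewing similar code, the thing to grep for is any path from feed content to `os.system`, `os.popen`, or `subprocess.*` with `shell=True`; the argv-list form is the fix, and `shlex.quote` is the fallback only where a shell cannot be avoided.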