Univention Bugzilla – Bug 47289
xdg-utils: Multiple issues (4.3)
Last modified: 2018-07-04 14:54:02 CEST
New Debian xdg-utils 1.1.1-1+deb9u1 fixes:

This update addresses the following issue(s):
* The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable. (CVE-2017-18266)

1.1.1-1+deb9u1 (Sun, 20 May 2018 12:44:40 +0300)
* Fix CVE-2017-18266.
  - Avoid argument injection vulnerability in open_envvar()

* CVE-2017-18266 xdg-utils: Argument injection vulnerability in open_envvar() function (CVE-2017-18266)

[4.3-1] 552155d39a Bug #47289: xdg-utils 1.1.1-1+deb9u1
 doc/errata/staging/xdg-utils.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

<http://10.200.17.11/4.3-1/#5331814057179364229>
<http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/ErrataValidation/233/console> OK: Jenkins <http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/AutotestJoin/lastCompletedBuild/testReport/>
<http://errata.software-univention.de/ucs/4.3/139.html>
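The argument-injection class described in the CVE text above, as an added example that is not xdg-utils code and not the upstream patch: a simplified shell model of a `%s` launcher template, with the unsafe substitute-then-split pattern beside one hardened variant. The names `count_args`, `launch_unsafe`, `launch_safe` and the `example.invalid` URL are hypothetical and constructed for this illustration.

```shell
#!/bin/sh
# Simplified model of a "%s"-template launcher (assumption: the template
# contains %s). Added illustration; not the xdg-utils source or its fix.

# Stand-in for the launched browser: reports how many arguments it received.
count_args() { echo "$#"; }

# Unsafe pattern: paste the URL into the template, then word-split the result.
# Whitespace inside the URL becomes an argument boundary.
launch_unsafe() {
    template=$1; url=$2
    cmd="${template%%"%s"*}${url}${template#*"%s"}"
    set -f      # keep globbing out of the picture
    $cmd        # unquoted on purpose: this is the flaw being modelled
    set +f
}

# Hardened variant: split only the trusted template into words, then put the
# URL into the word that holds %s, so it always stays a single argument.
launch_safe() {
    template=$1; url=$2
    set -f
    set -- $template            # the URL is not involved in this split
    set +f
    n=$#
    for word in "$@"; do
        case $word in
            *%s*) word="${word%%"%s"*}${url}${word#*"%s"}" ;;
        esac
        set -- "$@" "$word"     # append the rewritten word
    done
    shift "$n"                  # drop the original, unrewritten words
    "$@"
}

# Constructed sample input: a URL string with an embedded space and option.
SAMPLE_URL='http://example.invalid/ --extra-option'
echo "unsafe: $(launch_unsafe 'count_args %s' "$SAMPLE_URL") argument(s)"
echo "safe:   $(launch_safe 'count_args %s' "$SAMPLE_URL") argument(s)"
```

With the constructed URL, the unsafe path hands the stand-in program two arguments and the hardened path hands it one.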