[Secure-testing-team] Bug#885007: kildclient: CVE-2017-17511

Salvatore Bonaccorso carnil at debian.org
Fri Dec 22 20:11:17 UTC 2017


Source: kildclient
Version: 2.11.1-1
Severity: normal
Tags: security upstream
Control: fixed -1 2.11.1-1+deb7u1

Hi,

the following vulnerability was published for kildclient. This is
possibly just a negligible impact, but since LTS project did release
a DLA, think it is good to track the CVE and fix the issue similarly
in unstable, thus this bug. If you want to address the issue as well
for jessie and stretch, can you contact the SRM for it and schedule an
update via a point release?

CVE-2017-17511[0]:
| KildClient 3.1.0 does not validate strings before launching the program
| specified by the BROWSER environment variable, which might allow remote
| attackers to conduct argument-injection attacks via a crafted URL,
| related to prefs.c and worldgui.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17511
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17511

Regards,
Salvatore
