Detections
Analytics

Debian DSA-1477-1 : yarssr - missing input sanitising

medium Nessus Plugin ID 30112

Synopsis

The remote Debian host is missing a security-related update.

Description

Duncan Gilmore discovered that yarssr, an RSS aggregator and reader, performs insufficient input sanitising, which could result in the execution of arbitrary shell commands if a malformed feed is read.

Due to a technical limitation of the archive management scripts, the fix for the old stable distribution (sarge) needs to be postponed by a few days.

Solution

Upgrade the yarssr packages.

For the stable distribution (etch), this problem has been fixed in version 0.2.2-1etch1.

See Also

https://www.debian.org/security/2008/dsa-1477

Plugin Details

Severity: Medium

ID: 30112

File Name: debian_DSA-1477.nasl

Version: 1.13

Type: local

Agent: unix

Published: 1/29/2008

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:yarssr, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 1/27/2008

Reference Information

CVE: CVE-2007-5837

CWE: 94

DSA: 1477