Debian 10206 Published by

The following two updates has been released for Debian GNU/Linux 7 LTS:

DLA 1060-1: libxml2 security update
DLA 1061-1: newsbeuter security update



DLA 1060-1: libxml2 security update




Package : libxml2
Version : 2.8.0+dfsg1-7+wheezy9
CVE ID : CVE-2017-0663 CVE-2017-7376


CVE-2017-0663

Invalid casting of different structs could enable an attacker to
remotely execute some code within the context of an unprivileged
process.

CVE-2017-7376

Incorrect limit used for port values.


For Debian 7 "Wheezy", these problems have been fixed in version
2.8.0+dfsg1-7+wheezy9.

We recommend that you upgrade your libxml2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1061-1: newsbeuter security update




Package : newsbeuter
Version : 2.5-2+deb7u2
CVE ID : CVE-2017-12904


Jeriko One discovered that newsbeuter, a text-mode RSS feed reader,
did not properly escape the title and description of a news article
when bookmarking it. This allowed a remote attacker to run an
arbitrary shell command on the client machine.


For Debian 7 "Wheezy", these problems have been fixed in version
2.5-2+deb7u2.

We recommend that you upgrade your newsbeuter packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS