Source: kildclient
Version: 2.11.1-1
Severity: normal
Tags: security upstream
Control: fixed -1 2.11.1-1+deb7u1

Hi,

the following vulnerability was published for kildclient. This is possibly just a negligible impact, but since the LTS project did release a DLA, I think it is good to track the CVE and fix the issue similarly in unstable, thus this bug. If you want to address the issue as well for jessie and stretch, can you contact the SRM for it and schedule an update via a point release?

CVE-2017-17511[0]:
| KildClient 3.1.0 does not validate strings before launching the program
| specified by the BROWSER environment variable, which might allow remote
| attackers to conduct argument-injection attacks via a crafted URL,
| related to prefs.c and worldgui.c.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17511
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17511

Regards,
Salvatore
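
One way to guard the kind of launch the CVE text describes, as an added example (not KildClient's code and not the fix that was shipped): validate the URL against an allow-list, then build the argument vector so the URL is always exactly one element. The function names, the http/https-only policy and the sample BROWSER value are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Allow only http(s) URLs made of printable ASCII with no blanks or quotes.
   Requiring the scheme also guarantees the URL cannot start with '-'. */
int url_is_safe(const char *url)
{
    size_t skip;
    if (url == NULL) return 0;
    if (strncmp(url, "http://", 7) == 0) skip = 7;
    else if (strncmp(url, "https://", 8) == 0) skip = 8;
    else return 0;
    if (url[skip] == '\0') return 0;                 /* scheme with no host */
    for (const unsigned char *p = (const unsigned char *)url; *p; p++)
        if (*p <= 0x20 || *p >= 0x7f || strchr("\"'`\\", *p)) return 0;
    return 1;
}

/* Split the BROWSER template on blanks first, then put the URL in place of a
   stand-alone "%s" token (or append it), so the URL is never re-split.
   Returns argc, or -1 on rejection. tmpl is modified; argv has max slots. */
int build_browser_argv(char *tmpl, const char *url, char **argv, int max)
{
    int argc = 0, placed = 0;
    if (!url_is_safe(url) || max < 3) return -1;
    for (char *tok = strtok(tmpl, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= max - 2) return -1;              /* keep room for URL + NULL */
        if (strcmp(tok, "%s") == 0) { argv[argc++] = (char *)url; placed = 1; }
        else argv[argc++] = tok;
    }
    if (argc == 0) return -1;                        /* empty BROWSER value */
    if (!placed) argv[argc++] = (char *)url;         /* no %s: append the URL */
    argv[argc] = NULL;                               /* ready for execvp(), no shell */
    return argc;
}

int main(void)
{
    char tmpl[] = "firefox %s";                      /* constructed BROWSER value */
    char *argv[8];
    int n = build_browser_argv(tmpl, "https://example.org/?a=1&b=2", argv, 8);
    for (int i = 0; i < n; i++) printf("argv[%d] = %s\n", i, argv[i]);
    return n < 0;
}
```

The resulting vector is meant for execvp() or an equivalent argv-based spawn call, so characters such as `&` in a query string need no shell quoting.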