GLSA Advocate

Joined: 12 May 2004 Posts: 2663

Posted: Sat Jan 27, 2018 5:26 pm Post subject: [ GLSA 201801-20 ] Fossil

Gentoo Linux Security Advisory
Title: Fossil: User-assisted execution of arbitrary code (GLSA 201801-20)
Severity: normal
Exploitable: remote
Date: 2018-01-27
Bug(s): #640208
ID: 201801-20
Synopsis
A vulnerability has been discovered in Fossil allowing for
user-assisted remote execution of arbitrary code.
Background
Fossil is a simple, high-reliability, distributed software configuration
management system.
Affected Packages
Package: dev-vcs/fossil
Vulnerable: < 2.4
Unaffected: >= 2.4
Architectures: All supported architectures
Description
Fossil does not properly validate SSH sync protocol URLs.
Impact
A remote attacker, by enticing a user to open a specially crafted URL,
could possibly execute arbitrary commands with the privileges of the user
running the application.
Workaround
There is no known workaround at this time.
Resolution
All Fossil users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/fossil-2.4"

References
CVE-2017-17459
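The advisory states only that Fossil before 2.4 did not properly validate SSH sync protocol URLs before they reached the ssh command line. As an added example, not taken from the advisory and not Fossil's own code or its 2.4 fix, here is the kind of allowlist check a client can apply to an ssh:// URL before any component of it becomes an argument to ssh; the function names, the length limits and the character classes are assumptions chosen for this illustration.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Allowlists for the pieces of an ssh:// sync URL. Each piece ends up as a
# separate element of the ssh command line, so none may look like an option.
# (Limits are assumptions for this example, not Fossil's own rules.)
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # RFC 1123 label
_USER = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]{0,31}$")
_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")


def validate_ssh_sync_url(url: str) -> Tuple[str, Optional[str], int, str]:
    """Return (host, user, port, path) for a well-formed ssh:// URL.

    Raises ValueError for anything outside the allowlists; a caller must not
    build an ssh command line from a URL that failed this check.
    """
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise ValueError("not an ssh:// URL")
    if parts.query or parts.fragment:
        raise ValueError("query or fragment not allowed")
    host = parts.hostname or ""
    # A host or user that begins with '-' would be read by ssh as an option
    # rather than as the destination; the label regex forbids a leading '-'
    # and every character outside the hostname alphabet.
    if not host or not all(_LABEL.match(label) for label in host.split(".")):
        raise ValueError(f"invalid host {host!r}")
    user = parts.username
    if user is not None and not _USER.match(user):
        raise ValueError(f"invalid user {user!r}")
    try:
        port = parts.port  # raises ValueError when not numeric or out of range
    except ValueError as exc:
        raise ValueError("invalid port") from exc
    if not _PATH.match(parts.path):
        raise ValueError(f"invalid repository path {parts.path!r}")
    return host, user, port or 22, parts.path


def is_safe_ssh_sync_url(url: str) -> bool:
    """Boolean form of the check for callers that only need accept/reject."""
    try:
        validate_ssh_sync_url(url)
    except ValueError:
        return False
    return True
```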