[Bug 1065619] New: VUL-0: CVE-2017-15924: In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server,
http://bugzilla.opensuse.org/show_bug.cgi?id=1065619

Bug ID: 1065619
Summary: VUL-0: CVE-2017-15924: In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server,
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: hillwoodroc@gmail.com
Reporter: meissner@suse.com
QA Contact: qa-bugs@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2017-15924

In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15924
http://seclists.org/oss-sec/2017/q4/137
http://www.debian.org/security/2017/dsa-4009
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15924.html
https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275803dc6ea22c55...
https://github.com/shadowsocks/shadowsocks-libev/issues/1734
https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/
http://openwall.com/lists/oss-security/2017/10/13/2

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1065619
Hillwood Yang
http://bugzilla.opensuse.org/show_bug.cgi?id=1065619
http://bugzilla.opensuse.org/show_bug.cgi?id=1065619#c2
Andreas Stieger