Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

The sabnzbdplus package in buster is affected by a security issue (CVE-2020-13124), permitting code execution from the program's web interface through crafted settings. By default, the web interface is only accessible from localhost, with no authentication required. Affected versions are 2.0.0RC1 - 3.0.0Beta3 (inclusive); see the upstream security advisory [1] for details.

The issue has already been fixed in testing and unstable via a regular upload of a newer upstream release. For buster, the relevant upstream commits have been backported; see the attached debdiff.

The security team was contacted but didn't consider this issue severe enough to warrant a DSA, and suggested going with a regular update instead [2].

[1] https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-9x87-96gg-33w2
[2] https://security-tracker.debian.org/tracker/CVE-2020-13124
Attachment: buster_sabnzbdplus_2.3.6+dfsg-1.debdiff (debdiff of the proposed buster update)