Search This Blog

Wednesday, September 09, 2009

[SECURITY] [DSA 1882-1] New xapian-omega packages fix cross-site scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1882-1 security@debian.org
http://www.debian.org/security/ Nico Golde
September 9th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : xapian-omega
Vulnerability : missing input sanitization
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2947

It was discovered that xapian-omega, a CGI interface for searching xapian
databases, is not properly escaping user supplied input when printing
exceptions. An attacker can use this to conduct cross-site scripting
attacks via crafted search queries resulting in an exception and steal
potentially sensitive data from web applications running on the same domain
or embedding the search engine into a website.

For the oldstable distribution (etch), this problem has been fixed in
version 0.9.9-1+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.7-3+lenny1.

For the testing (squeeze) and unstable (sid) distribution, this problem
will be fixed soon.


We recommend that you upgrade your xapian-omega packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1.dsc
Size/MD5 checksum: 1309 5a6c3eb3466e76a5cd0195da96d646c8
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1.diff.gz
Size/MD5 checksum: 7283 fa1327788649c4b702555552484298ca
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9.orig.tar.gz
Size/MD5 checksum: 456940 cf2cfa2d98948ba6c5440db5e5baabc6

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_alpha.deb
Size/MD5 checksum: 264408 37050849b159d950718961ee8c9fc53a

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_amd64.deb
Size/MD5 checksum: 243398 039ab294a191863a6f11f9461d442fdb

arm architecture (ARM)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_arm.deb
Size/MD5 checksum: 271312 71c448519cc2952134c3c604d46e364b

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_hppa.deb
Size/MD5 checksum: 261640 6ec25e571ae0f72f2ce677d02f7a33c0

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_i386.deb
Size/MD5 checksum: 247156 79d32ec1534b0c47306adc9e34ff7a2c

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_ia64.deb
Size/MD5 checksum: 295998 0d0b0e45a813c5c3384beea87bf67d70

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_mips.deb
Size/MD5 checksum: 242622 75cbb4b5d4ccb7b17ebc5e43d3964550

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_mipsel.deb
Size/MD5 checksum: 242346 ea46d3fee9009a61628a40d548677579

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_powerpc.deb
Size/MD5 checksum: 249362 13726168ebf17a82cde5d53b839b4921

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_s390.deb
Size/MD5 checksum: 235796 1190383d3c937065802b81fae40fdaa1

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_sparc.deb
Size/MD5 checksum: 242226 b7d5339d30fb2c16fcd2efe4364b36f7


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1.dsc
Size/MD5 checksum: 1802 cfe788a8d23049aa8424c4c6ff572989
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7.orig.tar.gz
Size/MD5 checksum: 498784 8a143dcee3f6463277dc63cd1c9ef39d
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1.diff.gz
Size/MD5 checksum: 9310 57f3cb25f1a6b8355e0922d083cb8e54

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_alpha.deb
Size/MD5 checksum: 280398 374175b22352fd3375430756f134e392

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_amd64.deb
Size/MD5 checksum: 255794 da184e290012863e97bb0b91bb7e61c3

arm architecture (ARM)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_arm.deb
Size/MD5 checksum: 270630 55379e802f6532e59e78d75300d86093

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_armel.deb
Size/MD5 checksum: 243456 f2020f9eb2927a0688bacde831f6e8c7

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_hppa.deb
Size/MD5 checksum: 274178 2f08d1aebded06cd3fae819f1395fc70

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_i386.deb
Size/MD5 checksum: 255186 f482f45caaef44e4b69009652f61dc4f

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_ia64.deb
Size/MD5 checksum: 303624 e4d9ed8617e10e1f7d3f65181f13b4fd

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_mips.deb
Size/MD5 checksum: 251162 dbf38b5195aa541201fab2a5a4dbcfc6

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_mipsel.deb
Size/MD5 checksum: 249966 f9e4ef33ba44d55a4f7d6b7cf400a4c7

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_powerpc.deb
Size/MD5 checksum: 265718 6b631cbffaa25046e9772f933fd7c18e

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_s390.deb
Size/MD5 checksum: 253984 5d2b17a735cb2775559bde3dc7f74048

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_sparc.deb
Size/MD5 checksum: 259420 fc3bc1f75ed01b7e8ea723d0e4f6b822


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqnrekACgkQHYflSXNkfP8DbgCgoD7kFKcBAWh+pn720fNct5A0
rgwAoIPhlz0aYW9OV9Hn9V4h1us82Oe9
=89aO
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: