Debian Security Advisory

DSA-999-1 lurker -- several vulnerabilities

Date Reported:
14 Mar 2006
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2006-1062, CVE-2006-1063, CVE-2006-1064.
More information:

Several security related problems have been discovered in lurker, an archive tool for mailing lists with integrated search engine. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2006-1062

    Lurker's mechanism for specifying configuration files was vulnerable to being overridden. As lurker includes sections of unparsed config files in its output, an attacker could manipulate lurker into reading any file readable by the www-data user.

  • CVE-2006-1063

    It is possible for a remote attacker to create or overwrite files in any writable directory that is named "mbox".

  • CVE-2006-1064

    Missing input sanitising allows an attacker to inject arbitrary web script or HTML.

The old stable distribution (woody) does not contain lurker packages.

For the stable distribution (sarge) these problems have been fixed in version 1.2-5sarge1.

For the unstable distribution (sid) these problems have been fixed in version 2.1-1.

We recommend that you upgrade your lurker package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.