Debians sikkerhedsbulletin

DSA-1882-1 xapian-omega -- manglende fornuftighedskontrol af inddata

Rapporteret den:
9. sep 2009
Berørte pakker:
xapian-omega
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Mitres CVE-ordbog: CVE-2009-2947.
Yderligere oplysninger:

Man opdagede at xapian-omega, en CGI-grænseflade til søgning i xapian-databaser, ikke på korrekt vis indkapslede brugerleverede inddata når der blev vist exceptions. En angriber kunne anvende dette til at udføre skripter på tværs af websteder gennem fabrikerede søgeforespørgsler, medførende en exception, og stjæle potentielt følsomme oplysninger fra webapplikationer, der kører på det samme domæne eller indlejre søgemaskinen på et websted.

I den gamle stabile distribution (etch), er dette problem rettet i version 0.9.9-1+etch1.

I den stabile distribution (lenny), er dette problem rettet i version 1.0.7-3+lenny1.

I distributionen testing (squeeze) og i den ustabile (sid) distribution, vil dette problem snart blive rettet.

Vi anbefaler at du opgraderer dine xapian-omega-pakker.

Rettet i:

Debian GNU/Linux 4.0 (etch)

Kildekode:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1.dsc
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1.diff.gz
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_sparc.deb

Debian GNU/Linux 5.0 (lenny)

Kildekode:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1.dsc
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7.orig.tar.gz
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1.diff.gz
Alpha:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.