Linux Security
Linux Security
Linux Security

Debian: DSA-1882-1: New xapian-omega packages fix cross-site scripting

Date 09 Sep 2009
364
Posted By LinuxSecurity Advisories
It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1882-1                    This email address is being protected from spambots. You need JavaScript enabled to view it.
https://www.debian.org/security/                                 Nico Golde
September 9th, 2009                     https://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xapian-omega
Vulnerability  : missing input sanitization
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-2947

It was discovered that xapian-omega, a CGI interface for searching xapian
databases, is not properly escaping user supplied input when printing
exceptions.  An attacker can use this to conduct cross-site scripting
attacks via crafted search queries resulting in an exception and steal
potentially sensitive data from web applications running on the same domain
or embedding the search engine into a website.

For the oldstable distribution (etch), this problem has been fixed in
version 0.9.9-1+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.7-3+lenny1.

For the testing (squeeze) and unstable (sid) distribution, this problem
will be fixed soon.


We recommend that you upgrade your xapian-omega packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1.dsc
    Size/MD5 checksum:     1309 5a6c3eb3466e76a5cd0195da96d646c8
  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1.diff.gz
    Size/MD5 checksum:     7283 fa1327788649c4b702555552484298ca
  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9.orig.tar.gz
    Size/MD5 checksum:   456940 cf2cfa2d98948ba6c5440db5e5baabc6

alpha architecture (DEC Alpha)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_alpha.deb
    Size/MD5 checksum:   264408 37050849b159d950718961ee8c9fc53a

amd64 architecture (AMD x86_64 (AMD64))

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_amd64.deb
    Size/MD5 checksum:   243398 039ab294a191863a6f11f9461d442fdb

arm architecture (ARM)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_arm.deb
    Size/MD5 checksum:   271312 71c448519cc2952134c3c604d46e364b

hppa architecture (HP PA RISC)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_hppa.deb
    Size/MD5 checksum:   261640 6ec25e571ae0f72f2ce677d02f7a33c0

i386 architecture (Intel ia32)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_i386.deb
    Size/MD5 checksum:   247156 79d32ec1534b0c47306adc9e34ff7a2c

ia64 architecture (Intel ia64)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_ia64.deb
    Size/MD5 checksum:   295998 0d0b0e45a813c5c3384beea87bf67d70

mips architecture (MIPS (Big Endian))

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_mips.deb
    Size/MD5 checksum:   242622 75cbb4b5d4ccb7b17ebc5e43d3964550

mipsel architecture (MIPS (Little Endian))

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_mipsel.deb
    Size/MD5 checksum:   242346 ea46d3fee9009a61628a40d548677579

powerpc architecture (PowerPC)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_powerpc.deb
    Size/MD5 checksum:   249362 13726168ebf17a82cde5d53b839b4921

s390 architecture (IBM S/390)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_s390.deb
    Size/MD5 checksum:   235796 1190383d3c937065802b81fae40fdaa1

sparc architecture (Sun SPARC/UltraSPARC)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_sparc.deb
    Size/MD5 checksum:   242226 b7d5339d30fb2c16fcd2efe4364b36f7


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1.dsc
    Size/MD5 checksum:     1802 cfe788a8d23049aa8424c4c6ff572989
  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7.orig.tar.gz
    Size/MD5 checksum:   498784 8a143dcee3f6463277dc63cd1c9ef39d
  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1.diff.gz
    Size/MD5 checksum:     9310 57f3cb25f1a6b8355e0922d083cb8e54

alpha architecture (DEC Alpha)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_alpha.deb
    Size/MD5 checksum:   280398 374175b22352fd3375430756f134e392

amd64 architecture (AMD x86_64 (AMD64))

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_amd64.deb
    Size/MD5 checksum:   255794 da184e290012863e97bb0b91bb7e61c3

arm architecture (ARM)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_arm.deb
    Size/MD5 checksum:   270630 55379e802f6532e59e78d75300d86093

armel architecture (ARM EABI)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_armel.deb
    Size/MD5 checksum:   243456 f2020f9eb2927a0688bacde831f6e8c7

hppa architecture (HP PA RISC)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_hppa.deb
    Size/MD5 checksum:   274178 2f08d1aebded06cd3fae819f1395fc70

i386 architecture (Intel ia32)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_i386.deb
    Size/MD5 checksum:   255186 f482f45caaef44e4b69009652f61dc4f

ia64 architecture (Intel ia64)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_ia64.deb
    Size/MD5 checksum:   303624 e4d9ed8617e10e1f7d3f65181f13b4fd

mips architecture (MIPS (Big Endian))

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_mips.deb
    Size/MD5 checksum:   251162 dbf38b5195aa541201fab2a5a4dbcfc6

mipsel architecture (MIPS (Little Endian))

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_mipsel.deb
    Size/MD5 checksum:   249966 f9e4ef33ba44d55a4f7d6b7cf400a4c7

powerpc architecture (PowerPC)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_powerpc.deb
    Size/MD5 checksum:   265718 6b631cbffaa25046e9772f933fd7c18e

s390 architecture (IBM S/390)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_s390.deb
    Size/MD5 checksum:   253984 5d2b17a735cb2775559bde3dc7f74048

sparc architecture (Sun SPARC/UltraSPARC)

  https://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_sparc.deb
    Size/MD5 checksum:   259420 fc3bc1f75ed01b7e8ea723d0e4f6b822


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb https://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
Package info: `apt-cache show ' and https://packages.debian.org/

Advisories

LinuxSecurity Poll

How frequently do you patch/update your system?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum 0 answer(s) and maximum 3 answer(s).
/main-polls/52-how-frequently-do-you-patch-update-your-system?task=poll.vote&format=json
52
radio
[{"id":"179","title":"As soon as patches\/updates are released - I track advisories for my distro(s) diligently","votes":"43","type":"x","order":"1","pct":84.31,"resources":[]},{"id":"180","title":"Every so often, when I think of it","votes":"4","type":"x","order":"2","pct":7.84,"resources":[]},{"id":"181","title":"Hardly ever","votes":"4","type":"x","order":"3","pct":7.84,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

Please vote first in order to view vote results.

VOTE ON THE POLL PAGE


VIEW MORE POLLS

bottom 200

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.