-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1882-1                    security@debian.org
http://www.debian.org/security/                                 Nico Golde
September 9th, 2009                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xapian-omega
Vulnerability  : missing input sanitization
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-2947

It was discovered that xapian-omega, a CGI interface for searching xapian
databases, is not properly escaping user supplied input when printing
exceptions.  An attacker can use this to conduct cross-site scripting
attacks via crafted search queries resulting in an exception and steal
potentially sensitive data from web applications running on the same domain
or embedding the search engine into a website.

For the oldstable distribution (etch), this problem has been fixed in
version 0.9.9-1+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.7-3+lenny1.

For the testing (squeeze) and unstable (sid) distribution, this problem
will be fixed soon.


We recommend that you upgrade your xapian-omega packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:     1309 5a6c3eb3466e76a5cd0195da96d646c8
      Size/MD5 checksum:     7283 fa1327788649c4b702555552484298ca
      Size/MD5 checksum:   456940 cf2cfa2d98948ba6c5440db5e5baabc6

alpha architecture (DEC Alpha)

      Size/MD5 checksum:   264408 37050849b159d950718961ee8c9fc53a

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   243398 039ab294a191863a6f11f9461d442fdb

arm architecture (ARM)

      Size/MD5 checksum:   271312 71c448519cc2952134c3c604d46e364b

hppa architecture (HP PA RISC)

      Size/MD5 checksum:   261640 6ec25e571ae0f72f2ce677d02f7a33c0

i386 architecture (Intel ia32)

      Size/MD5 checksum:   247156 79d32ec1534b0c47306adc9e34ff7a2c

ia64 architecture (Intel ia64)

      Size/MD5 checksum:   295998 0d0b0e45a813c5c3384beea87bf67d70

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:   242622 75cbb4b5d4ccb7b17ebc5e43d3964550

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:   242346 ea46d3fee9009a61628a40d548677579

powerpc architecture (PowerPC)

      Size/MD5 checksum:   249362 13726168ebf17a82cde5d53b839b4921

s390 architecture (IBM S/390)

      Size/MD5 checksum:   235796 1190383d3c937065802b81fae40fdaa1

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   242226 b7d5339d30fb2c16fcd2efe4364b36f7


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:     1802 cfe788a8d23049aa8424c4c6ff572989
      Size/MD5 checksum:   498784 8a143dcee3f6463277dc63cd1c9ef39d
      Size/MD5 checksum:     9310 57f3cb25f1a6b8355e0922d083cb8e54

alpha architecture (DEC Alpha)

      Size/MD5 checksum:   280398 374175b22352fd3375430756f134e392

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   255794 da184e290012863e97bb0b91bb7e61c3

arm architecture (ARM)

      Size/MD5 checksum:   270630 55379e802f6532e59e78d75300d86093

armel architecture (ARM EABI)

      Size/MD5 checksum:   243456 f2020f9eb2927a0688bacde831f6e8c7

hppa architecture (HP PA RISC)

      Size/MD5 checksum:   274178 2f08d1aebded06cd3fae819f1395fc70

i386 architecture (Intel ia32)

      Size/MD5 checksum:   255186 f482f45caaef44e4b69009652f61dc4f

ia64 architecture (Intel ia64)

      Size/MD5 checksum:   303624 e4d9ed8617e10e1f7d3f65181f13b4fd

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:   251162 dbf38b5195aa541201fab2a5a4dbcfc6

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:   249966 f9e4ef33ba44d55a4f7d6b7cf400a4c7

powerpc architecture (PowerPC)

      Size/MD5 checksum:   265718 6b631cbffaa25046e9772f933fd7c18e

s390 architecture (IBM S/390)

      Size/MD5 checksum:   253984 5d2b17a735cb2775559bde3dc7f74048

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   259420 fc3bc1f75ed01b7e8ea723d0e4f6b822


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Debian: DSA-1882-1: New xapian-omega packages fix cross-site scripting

September 9, 2009
It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions

Summary

It was discovered that xapian-omega, a CGI interface for searching xapian
databases, is not properly escaping user supplied input when printing
exceptions. An attacker can use this to conduct cross-site scripting
attacks via crafted search queries resulting in an exception and steal
potentially sensitive data from web applications running on the same domain
or embedding the search engine into a website.

For the oldstable distribution (etch), this problem has been fixed in
version 0.9.9-1+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.7-3+lenny1.

For the testing (squeeze) and unstable (sid) distribution, this problem
will be fixed soon.


We recommend that you upgrade your xapian-omega packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 1309 5a6c3eb3466e76a5cd0195da96d646c8
Size/MD5 checksum: 7283 fa1327788649c4b702555552484298ca
Size/MD5 checksum: 456940 cf2cfa2d98948ba6c5440db5e5baabc6

alpha architecture (DEC Alpha)

Size/MD5 checksum: 264408 37050849b159d950718961ee8c9fc53a

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 243398 039ab294a191863a6f11f9461d442fdb

arm architecture (ARM)

Size/MD5 checksum: 271312 71c448519cc2952134c3c604d46e364b

hppa architecture (HP PA RISC)

Size/MD5 checksum: 261640 6ec25e571ae0f72f2ce677d02f7a33c0

i386 architecture (Intel ia32)

Size/MD5 checksum: 247156 79d32ec1534b0c47306adc9e34ff7a2c

ia64 architecture (Intel ia64)

Size/MD5 checksum: 295998 0d0b0e45a813c5c3384beea87bf67d70

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 242622 75cbb4b5d4ccb7b17ebc5e43d3964550

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 242346 ea46d3fee9009a61628a40d548677579

powerpc architecture (PowerPC)

Size/MD5 checksum: 249362 13726168ebf17a82cde5d53b839b4921

s390 architecture (IBM S/390)

Size/MD5 checksum: 235796 1190383d3c937065802b81fae40fdaa1

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 242226 b7d5339d30fb2c16fcd2efe4364b36f7


Debian GNU/Linux 5.0 alias lenny

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 1802 cfe788a8d23049aa8424c4c6ff572989
Size/MD5 checksum: 498784 8a143dcee3f6463277dc63cd1c9ef39d
Size/MD5 checksum: 9310 57f3cb25f1a6b8355e0922d083cb8e54

alpha architecture (DEC Alpha)

Size/MD5 checksum: 280398 374175b22352fd3375430756f134e392

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 255794 da184e290012863e97bb0b91bb7e61c3

arm architecture (ARM)

Size/MD5 checksum: 270630 55379e802f6532e59e78d75300d86093

armel architecture (ARM EABI)

Size/MD5 checksum: 243456 f2020f9eb2927a0688bacde831f6e8c7

hppa architecture (HP PA RISC)

Size/MD5 checksum: 274178 2f08d1aebded06cd3fae819f1395fc70

i386 architecture (Intel ia32)

Size/MD5 checksum: 255186 f482f45caaef44e4b69009652f61dc4f

ia64 architecture (Intel ia64)

Size/MD5 checksum: 303624 e4d9ed8617e10e1f7d3f65181f13b4fd

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 251162 dbf38b5195aa541201fab2a5a4dbcfc6

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 249966 f9e4ef33ba44d55a4f7d6b7cf400a4c7

powerpc architecture (PowerPC)

Size/MD5 checksum: 265718 6b631cbffaa25046e9772f933fd7c18e

s390 architecture (IBM S/390)

Size/MD5 checksum: 253984 5d2b17a735cb2775559bde3dc7f74048

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 259420 fc3bc1f75ed01b7e8ea723d0e4f6b822


These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Severity
Package : xapian-omega
Vulnerability : missing input sanitization
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2947

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved