Forum: >>> Magnum BBS <<<

[SECURITY] [DSA 1882-1] New xapian-omega packages fix cross-site script

From Nico Golde@1:229/2 to All on Wed Sep 9 15:40:35 2009

From: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------- Debian Security Advisory DSA-1882-1 [email protected] http://www.debian.org/security/ Nico Golde September 9th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : xapian-omega
Vulnerability : missing input sanitization
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2947

It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting
attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain
or embedding the search engine into a website.

For the oldstable distribution (etch), this problem has been fixed in
version 0.9.9-1+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.7-3+lenny1.

For the testing (squeeze) and unstable (sid) distribution, this problem
will be fixed soon.

We recommend that you upgrade your xapian-omega packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1.dsc
Size/MD5 checksum: 1309 5a6c3eb3466e76a5cd0195da96d646c8
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1.diff.gz
Size/MD5 checksum: 7283 fa1327788649c4b702555552484298ca
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9.orig.tar.gz
Size/MD5 checksum: 456940 cf2cfa2d98948ba6c5440db5e5baabc6

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_alpha.deb
Size/MD5 checksum: 264408 37050849b159d950718961ee8c9fc53a

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_amd64.deb
Size/MD5 checksum: 243398 039ab294a191863a6f11f9461d442fdb

arm architecture (ARM)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_arm.deb
Size/MD5 checksum: 271312 71c448519cc2952134c3c604d46e364b

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_hppa.deb
Size/MD5 checksum: 261640 6ec25e571ae0f72f2ce677d02f7a33c0

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_i386.deb
Size/MD5 checksum: 247156 79d32ec1534b0c47306adc9e34ff7a2c

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_ia64.deb
Size/MD5 checksum: 295998 0d0b0e45a813c5c3384beea87bf67d70

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_mips.deb
Size/MD5 checksum: 242622 75cbb4b5d4ccb7b17ebc5e43d3964550

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_mipsel.deb
Size/MD5 checksum: 242346 ea46d3fee9009a61628a40d548677579

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_powerpc.deb
Size/MD5 checksum: 249362 13726168ebf17a82cde5d53b839b4921

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_s390.deb
Size/MD5 checksum: 235796 1190383d3c937065802b81fae40fdaa1

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_0.9.9-1+etch1_sparc.deb
Size/MD5 checksum: 242226 b7d5339d30fb2c16fcd2efe4364b36f7

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1.dsc
Size/MD5 checksum: 1802 cfe788a8d23049aa8424c4c6ff572989
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7.orig.tar.gz
Size/MD5 checksum: 498784 8a143dcee3f6463277dc63cd1c9ef39d
http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1.diff.gz
Size/MD5 checksum: 9310 57f3cb25f1a6b8355e0922d083cb8e54

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_alpha.deb
Size/MD5 checksum: 280398 374175b22352fd3375430756f134e392

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_amd64.deb
Size/MD5 checksum: 255794 da184e290012863e97bb0b91bb7e61c3

arm architecture (ARM)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_arm.deb
Size/MD5 checksum: 270630 55379e802f6532e59e78d75300d86093

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/x/xapian-omega/xapian-omega_1.0.7-3+lenny1_armel.deb
Size/MD5 checksum: 243456 f2020f9eb2927a0688bacde831f6e8c7

hppa architecture (HP PA RISC)

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

Who's Online
Recent Visitors
- Furryboy
  Sat Jun 6 10:56:29 2026
  from Romania, Galati via SSH
- Centurion
  Fri Jun 5 22:28:01 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Fri Jun 5 17:52:51 2026
  from Sheboygan, Wi via Telnet
- Gwylbert
  Fri Jun 5 06:28:52 2026
  from Sydney, Nsw via Telnet
- Centurion
  Thu Jun 4 23:42:23 2026
  from Berea, Ohio via Telnet
- Michal Wronka
  Thu Jun 4 23:19:58 2026
  from Wroclaw, Poland via Telnet
- Michal Wronka
  Thu Jun 4 23:17:20 2026
  from Wroclaw, Poland via SSH
- Michal Wronka
  Thu Jun 4 23:13:51 2026
  from Wroclaw, Poland via SSH

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	714
Nodes:	16 (2 / 14)
Uptime:	142:14:36
Calls:	12,088
Calls today:	1
Files:	14,998
Messages:	6,517,451

[SECURITY] [DSA 1882-1] New xapian-omega packages fix cross-site script

Who's Online

Recent Visitors

System Info