Security Information / 2006 / Security Information -- DSA-999-1 lurker

Debian Security Advisory

DSA-999-1 lurker -- several vulnerabilities

Date Reported:

14 Mar 2006

Affected Packages:

lurker

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2006-1062, CVE-2006-1063, CVE-2006-1064.

More information:

Several security related problems have been discovered in lurker, an archive tool for mailing lists with integrated search engine. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2006-1062

  Lurker's mechanism for specifying configuration files was vulnerable to being overridden. As lurker includes sections of unparsed config files in its output, an attacker could manipulate lurker into reading any file readable by the www-data user.

• CVE-2006-1063

  It is possible for a remote attacker to create or overwrite files in any writable directory that is named "mbox".

• CVE-2006-1064

  Missing input sanitising allows an attacker to inject arbitrary web script or HTML.

The old stable distribution (woody) does not contain lurker packages.

For the stable distribution (sarge) these problems have been fixed in version 1.2-5sarge1.

For the unstable distribution (sid) these problems have been fixed in version 2.1-1.

We recommend that you upgrade your lurker package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1.dsc

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1.diff.gz

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2.orig.tar.gz

Alpha:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_alpha.deb

AMD64:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_amd64.deb

ARM:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_arm.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_ia64.deb

HPPA:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_hppa.deb

Motorola 680x0:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_m68k.deb

Big endian MIPS:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_mips.deb

Little endian MIPS:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_s390.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.