-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 10 Mar 2006 17:07:31 +0100
Source: lurker
Binary: lurker
Architecture: source i386
Version: 1.2-5sarge1
Distribution: stable-security
Urgency: high
Maintainer: Jonas Meurer <mejo@debian.org>
Changed-By: Jonas Meurer <mejo@debian.org>
Description:
 lurker     - Archive tool for mailing lists with search engine
Changes:
 lurker (1.2-5sarge1) stable-security; urgency=high
 .
   * merge patch from Wesley Terpstra to fix several major security bugs:
     - Lurker's mechanism for specifying configuration files was vulnerable
       to being overridden. As lurker includes sections of unparsed config
       files in its output, an attacker could manipulate lurker into reading
       any file readable by the www-data user. (CVE-2006-1062)
     - It was possible for a remote attacker to create or overwrite files in
       any writable directory that is named "mbox". (CVE-2006-1063)
     - Missing input sanitising allowed an attacker to inject arbitrary web
       script or HTML. (CVE-2006-1064)
   * ship the INSTALL file and a NEWS.Debian file for documenting the
     necessary changes.
   * restart apache{2,-perl,-ssl} if it includes /etc/lurker/apache.conf at
     /etc/apache*/conf.d/lurker
Files:
 ac6e3c86ae34b5416c0ea6417247d9c0 604 mail optional lurker_1.2-5sarge1.dsc
 393391e4c2489fb1c76c5f7c8e9bb099 273185 mail optional lurker_1.2.orig.tar.gz
 a155c855f422c82b52e9d976c6aa232b 31019 mail optional lurker_1.2-5sarge1.diff.gz
 450251b9af338b820ccb3f1304230dff 510092 mail optional lurker_1.2-5sarge1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEEbOTd6lUs+JfIQIRAvOvAKCZxHp+oPdo6HA0qw5OkdijTllY8ACePsxW
WMXlt0cp1vOMuB/dQNvbHsU=
=7St2
-----END PGP SIGNATURE-----


Accepted:
lurker_1.2-5sarge1.diff.gz
  to pool/main/l/lurker/lurker_1.2-5sarge1.diff.gz
lurker_1.2-5sarge1.dsc
  to pool/main/l/lurker/lurker_1.2-5sarge1.dsc
lurker_1.2-5sarge1_i386.deb
  to pool/main/l/lurker/lurker_1.2-5sarge1_i386.deb