Upstream developers of lxr, a general hypertext cross-referencing tool, have been alerted of a vulnerability that allows a remote attacker to read arbitrary files on the host system as user www-data. This could disclose local files that were not meant to be shared with the public.
For the stable distribution (woody) this problem has been fixed in version 0.3-3.
The old stable distribution (potato) is not affected since it does not contain an lxr package.
For the unstable distribution (sid) this problem has been fixed in version 0.3-4.
We recommend that you upgrade your lxr package.
MD5 checksums of the listed files are available in the original advisory.