Debian Security Advisory

DSA-999-1 lurker -- several vulnerabilities

Date Reported:

14 Mar 2006

Affected Packages:

lurker

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2006-1062, CVE-2006-1063, CVE-2006-1064.

More information:

Several security related problems have been discovered in lurker, an archive tool for mailing lists with integrated search engine. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-1062
Lurker's mechanism for specifying configuration files was vulnerable to being overridden. As lurker includes sections of unparsed config files in its output, an attacker could manipulate lurker into reading any file readable by the www-data user.
CVE-2006-1063
It is possible for a remote attacker to create or overwrite files in any writable directory that is named "mbox".
CVE-2006-1064
Missing input sanitising allows an attacker to inject arbitrary web script or HTML.

The old stable distribution (woody) does not contain lurker packages.

For the stable distribution (sarge) these problems have been fixed in version 1.2-5sarge1.

For the unstable distribution (sid) these problems have been fixed in version 2.1-1.

We recommend that you upgrade your lurker package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1.dsc; http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1.diff.gz; http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarge1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.