Mailinglist Archive: opensuse-security (240 mails)

ht://Dig
  • From: Tobias Burnus <burnus@xxxxxx>
  • Date: Mon, 28 Feb 2000 13:33:19 +0100
  • Message-id: <38BA6B0F.457E6875@xxxxxx>
Hi,

Will there be an update by SuSE?
Or is
~> rpm -q htdig
htdig-3.1.2-28
not affected?

Tobias

http://lwn.net/daily/htdig-hole.html
> Date: Fri, 25 Feb 2000 18:52:44 -0600
> To: lwn@xxxxxxx
> From: Geoff Hutchison <ghutchis@xxxxxxxxxxxxxxxx>
> Subject: [SECURITY] Security hole in ht://Dig's htsearch
>
> (What follows was sent to the htdig, htdig3-announce and htdig3-dev
> mailing lists earlier today.)
>
> Hi,
>
> I'm sending this message out essentially twice. The contents are
> included in the ht://Dig 3.1.5 release notes at
> <http://www.htdig.org/RELEASE.html>, but I wanted to make sure
> everyone got the message. There is a security hole in all versions of
> the htsearch CGI prior to version 3.1.5 (just released).
>
> This hole can allow remote users to read any file on your system that
> the UID running your webserver can read.
>
> It is *strongly* recommended that you upgrade to 3.1.5 ASAP. Anyone
> upgrading from a 3.1.x stable release will find the process fairly
> painless and to fix the hole, they can simply drop in the new CGI.
> The databases themselves are not affected. You may also wish to look
> at the new default templates as they make use of new features and
> generate cleaner HTML output.
>
> Anyone using version 3.2.0b1 is suggested to upgrade to the latest
> development snapshot. The next beta version, 3.2.0b2, will be
> released shortly to address this issue and other bugs.
>
> More detailed information will be posted to the BugTraq mailing list
> in a day or two.
>
> -Geoff Hutchison
> Williams Students Online
> http://wso.williams.edu/
