[Xapian-discuss] Cross-site scripting issue in Omega

Olly Betts olly at survex.com
Fri Sep 11 03:23:46 BST 2009


On Wed, Sep 09, 2009 at 02:25:06PM +0100, Olly Betts wrote:
> There's a cross-site scripting issue in Omega - exception messages
> don't currently get HTML entities escaped, but can contain CGI parameter
> values in some cases.

I've created a page to collect links for this - if you have a link to an
announcement of fixed packages for a particular platform, please add it
here:

http://trac.xapian.org/wiki/SecurityFixes/2009-09-09

I've also created an index page, and linked it from the front page of
the wiki:

http://trac.xapian.org/wiki/SecurityFixes

It's not that I expect we'll have many security fixes (the current rate
is one per decade!), but I think it's important to make information
about them easy to find.

> Patched Debian packages should appear shortly, and I intend to release
> 1.0.16 soon including this fix.

The Debian security team have released my updates for stable and
oldstable, and there are fixed packages in unstable, which should
migrate to testing tomorrow.  I'll upload fixed backports for Ubuntu to
the PPA in the next few days.

And as you've probably already seen, I released 1.0.16 yesterday.

Cheers,
    Olly


