Detections
Analytics
Debian DSA-999-1 : lurker - several vulnerabilities
medium Nessus Plugin ID 22865
Synopsis
The remote Debian host is missing a security-related update.Description
Several security related problems have been discovered in lurker, an archive tool for mailing lists with integrated search engine. The Common Vulnerabilities and Exposures project identifies the following problems :- CVE-2006-1062 Lurker's mechanism for specifying configuration files was vulnerable to being overridden. As lurker includes sections of unparsed config files in its output, an attacker could manipulate lurker into reading any file readable by the www-data user.
- CVE-2006-1063 It is possible for a remote attacker to create or overwrite files in any writable directory that is named 'mbox'.
- CVE-2006-1064 Missing input sanitising allows an attacker to inject arbitrary web script or HTML.
Solution
Upgrade the lurker package.The old stable distribution (woody) does not contain lurker packages.
For the stable distribution (sarge) these problems have been fixed in version 1.2-5sarge1.
See Also
https://security-tracker.debian.org/tracker/CVE-2006-1062
https://security-tracker.debian.org/tracker/CVE-2006-1063
Plugin Details
Severity: Medium
ID: 22865
File Name: debian_DSA-999.nasl
Version: 1.19
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 10/14/2006
Updated: 1/4/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:lurker, cpe:/o:debian:debian_linux:3.1
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Patch Publication Date: 3/14/2006
Vulnerability Publication Date: 3/6/2006
Reference Information
CVE: CVE-2006-1062, CVE-2006-1063, CVE-2006-1064
DSA: 999