I regret to report that there exist, in all versions of lurker (from 0.1a to 2.0), a number of security problems. These were reported to me by Moritz Naumann, http://www.moritz-naumann.com. I am writing this email to give you advance notice. Please be prepared to upgrade your lurker installations on Monday, when a patched version will be released. Until that time, you may wish to disable access to your lurker archive.

Here is the involved time-line:

01.03.06 07:51:39 +0100 -- Moritz Naumann begins testing lurker
01.03.06 13:09:25 +0100 -- Moritz Naumann reports the problem to me
01.03.06 14:42:46 +0100 -- A very severe form of the flaw is found
01.03.06 15:19:53 +0100 -- A patch is committed to CVS resolving the issues
02.03.06 14:00:00 +0100 -- This announcement ... Moritz Naumann and his colleague, Tim Brown, continue to inspect lurker for additional vulnerabilities
06.03.06 12:00:00 +0100 -- Lurker 2.1 will be released ... a full disclosure will be published by Moritz Naumann

For obvious reasons, I will not be detailing the exact nature of the flaws. They include the usual cross-site scripting problems, but also one flaw I would classify as severe. None of the flaws allow arbitrary code execution, nor do they directly compromise the server. The full disclosure from Moritz Naumann will provide complete details.

I will be working together with Jonas to make sure the Debian package (and backported fix for 1.2) are made available at the same time as the public release.

Please help me ensure that as few people as possible continue to run a vulnerable version of lurker by spreading the word. Once Moritz Naumann discloses the exact nature of the flaw, any un-upgraded lurker installation will be at risk.