From lurker-index@localhost Thu Mar 02 14:01:22 2006
Return-Path: <lurker-users-admin@lists.sourceforge.net>
X-Original-To: wesley@terpstra.ca
Delivered-To: wesley@terpstra.ca
Received: from localhost (localhost [127.0.0.1])
	by linux-geeks.de (Postfix) with ESMTP id 4A3F42A844F
	for <wesley@terpstra.ca>; Thu,  2 Mar 2006 14:01:08 +0100 (CET)
Received: from lists-outbound.sourceforge.net (lists-outbound.sourceforge.net [66.35.250.225])
	by linux-geeks.de (Postfix) with ESMTP id BDAB92A844E
	for <wesley@terpstra.ca>; Thu,  2 Mar 2006 14:01:06 +0100 (CET)
Received: from sc8-sf-list1-b.sourceforge.net (sc8-sf-list1-b.sourceforge.net [10.3.1.7])
	by sc8-sf-spam2.sourceforge.net (Postfix) with ESMTP
	id 3DAAA1250D; Thu,  2 Mar 2006 05:01:05 -0800 (PST)
Received: from sc8-sf-mx2-b.sourceforge.net ([10.3.1.92] helo=mail.sourceforge.net)
	by sc8-sf-list1.sourceforge.net with esmtp (Exim 4.30)
	id 1FEnPj-0000I2-PA
	for lurker-users@lists.sourceforge.net; Thu, 02 Mar 2006 05:00:15 -0800
Received: from linux-geeks.de ([213.133.99.198])
	by mail.sourceforge.net with esmtp (Exim 4.44)
	id 1FEnPi-0008AD-Et
	for lurker-users@lists.sourceforge.net; Thu, 02 Mar 2006 05:00:16 -0800
Received: from localhost (localhost [127.0.0.1])
	by linux-geeks.de (Postfix) with ESMTP id CAA3F2A844E
	for <lurker-users@lists.sourceforge.net>; Thu,  2 Mar 2006 14:00:10 +0100 (CET)
Received: from [192.168.3.131] (unknown [192.168.3.131])
	by linux-geeks.de (Postfix) with ESMTP id D24A62A844F
	for <lurker-users@lists.sourceforge.net>; Thu,  2 Mar 2006 14:00:02 +0100 (CET)
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Transfer-Encoding: 7bit
Message-Id: <E9D03F68-2A12-48FA-A286-2638820628D7@terpstra.ca>
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Apple-Mail-56--211553774"
To: Lurker Users <lurker-users@lists.sourceforge.net>
From: "Wesley W. Terpstra" <wesley@terpstra.ca>
X-Pgp-Agent: GPGMail 1.1.1 (Tiger)
X-Gpgmail-State: signed
X-Mailer: Apple Mail (2.746.2)
Subject: [Lurker-users] Serious security vulnerabilities found
Sender: lurker-users-admin@lists.sourceforge.net
Errors-To: lurker-users-admin@lists.sourceforge.net
X-BeenThere: lurker-users@lists.sourceforge.net
X-Mailman-Version: 2.0.9-sf.net
Precedence: bulk
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/lurker-users>,
	<mailto:lurker-users-request@lists.sourceforge.net?subject=unsubscribe>
List-Id: Lurker Project Support <lurker-users.lists.sourceforge.net>
List-Post: <mailto:lurker-users@lists.sourceforge.net>
List-Help: <mailto:lurker-users-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/lurker-users>,
	<mailto:lurker-users-request@lists.sourceforge.net?subject=subscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=lurker-users>
Date: Thu, 2 Mar 2006 14:00:03 +0100
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on linux-geeks.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham 
	version=3.0.3

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--Apple-Mail-56--211553774
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

I regret to report that there exists, in all versions of lurker (from  
0.1a to 2.0), a number of security problems. These were reported to  
me by Moritz Naumann, http://www.moritz-naumann.com. I am writing  
this email to give you advance notice. Please be prepared to upgrade  
your lurker installations on Monday, when a patched version will be  
released. Until that time, you may wish to disable access to your  
lurker archive.

Here is the involved timeline:
01.03.06 07:51:39 +0100 -- Moritz Naumann begins testing lurker
01.03.06 13:09:25 +0100 -- Moritz Naumann reports the problem to me
01.03.06 14:42:46 +0100 -- A very severe form of the flaw is found
01.03.06 15:19:53 +0100 -- A patch is committed to CVS resolving the issues
02.03.06 14:00:00 +0100 -- This announcement
... Moritz Naumann and his colleague, Tim Brown, continue to inspect lurker for additional vulnerabilities
06.03.06 12:00:00 +0100 -- Lurker 2.1 will be released
... a full disclosure will be published by Moritz Naumann.

For obvious reasons, I will not be detailing the exact nature of the  
flaws. They include the usual cross-site scripting problems, but also  
one flaw I would classify as severe. None of the flaws allow  
arbitrary code execution, nor do they directly compromise the server.  
The full disclosure from Moritz Naumann will provide complete details.

I will be working together with Jonas to make sure the Debian package  
(and backported fix for 1.2) are made available at the same time as  
the public release.

Please help me ensure that as few people as possible continue to run  
a vulnerable version of lurker by spreading the word. Once Moritz  
Naumann discloses the exact nature of the flaw, any un-upgraded  
lurker installation will be at risk.

--Apple-Mail-56--211553774
content-type: application/pgp-signature; x-mac-type=70674453;
	name=PGP.sig
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEBuxWvLvElXGKklYRAkVeAKCIUXjHmwh+vmD8W7wmabTzvTQV0ACeOnQc
B//cAh3Og+kDjYtwYvuwUOk=
=Imz/
-----END PGP SIGNATURE-----

--Apple-Mail-56--211553774--


_______________________________________________
Lurker-users mailing list
Lurker-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lurker-users

