I regret to report that there exists, in all versions of lurker (from
0.1a to 2.0), a number of security problems. These were reported to
me by Moritz Naumann,
http://www.moritz-naumann.com. I am writing
this email to give you advance notice. Please be prepared to upgrade
your lurker installations on Monday, when a patched version will be
released. Until that time, you may wish to disable access to your
lurker archive.
Here is the involved time-line:
01.03.06 07:51:39 +0100 -- Moritz Naumann begins testing lurker
01.03.06 13:09:25 +0100 -- Moritz Naumann reports the problem to me
01.03.06 14:42:46 +0100 -- A very severe form of the flaw is found
01.03.06 15:19:53 +0100 -- A patch is committed to CVS resolving the issues
02.03.06 14:00:00 +0100 -- This announcement
... Moritz Naumann and his colleague, Tim Brown, continue to inspect
lurker for additional vulnerabilities
06.03.06 12:00:00 +0100 -- Lurker 2.1 will be released
... a full disclosure will be published by Moritz Naumann.
For obvious reasons, I will not be detailing the exact nature of the
flaws. They include the usual cross-site scripting problems, but also
one flaw I would classify as severe. None of the flaws allow
arbitrary code execution, nor do they directly compromise the server.
The full disclosure from Moritz Naumann will provide complete details.
I will be working together with Jonas to make sure the Debian package
(and backported fix for 1.2) are made available at the same time as
the public release.
Please help me ensure that as few people as possible continue to run
a vulnerable version of lurker by spreading the word. Once Moritz
Naumann discloses the exact nature of the flaw, any un-upgraded
lurker installation will be at risk.