Security 10810 Published by

A new security update for Debian GNU/Linux is available

DSA-264-1 lxr -- missing filename sanitizing

Upstream developers of lxr, a general hypertext cross-referencing tool, have been alerted of a vulnerability that allows a remote attacker to read arbitrary files on the host system as user www-data. This could disclose local files that were not meant to be shared with the public.

For the stable distribution (woody) this problem has been fixed in version 0.3-3.

The old stable distribution (potato) is not affected since it does not contain an lxr package.

For the unstable distribution (sid) this problem has been fixed in version 0.3-4.

Read more