Debian Security Advisory

htdig -- remote users can read files with webserver uid

Date Reported:

26 Feb 2000

Affected Packages:

htdig

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2000-0208.

More information:

The version of htdig that was distribution in Debian GNU/Linux 2.1 (aka slink) is vulnerable to a remote attack. There was a vulnerability in the htsearch script that allowed remote users to read any file on the webserver that is readable by the uid under which the server is running. This has been fixed in version 3.1.5-0.1. We recommend you upgrade your htdig package immediately.

Fixed in:

Source:: http://security.debian.org/dists/slink/updates/source/htdig_3.1.5-0.1.diff.gz; http://security.debian.org/dists/slink/updates/source/htdig_3.1.5-0.1.dsc; http://security.debian.org/dists/slink/updates/source/htdig_3.1.5.orig.tar.gz
alpha:: http://security.debian.org/dists/slink/updates/binary-alpha/htdig_3.1.5-0.1_alpha.deb
i386:: http://security.debian.org/dists/slink/updates/binary-i386/htdig_3.1.5-0.1_i386.deb
m68k:: http://security.debian.org/dists/slink/updates/binary-m68k/htdig_3.1.5-0.1_m68k.deb
sparc:: http://security.debian.org/dists/slink/updates/binary-sparc/htdig_3.1.5-0.1_sparc.deb