Security Advisory htdig security update

Advisory: RHSA-2005:090-05
Type: Security Advisory
Severity: Moderate
Issued on: 2005-02-15
Last updated on: 2005-02-15
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2005-0085

Details

Updated htdig packages that fix a security flaw are now available for
Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

The ht://Dig system is a Web search and indexing system for a small domain
or intranet.

Michael Krax reported a cross-site scripting bug affecting htdig. An
attacker could construct a carefully crafted URL which can cause a web
browser to execute malicious script once visited. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2005-0085
to this issue.

Users of htdig should upgrade to these updated packages, which contain a
backported patch, and are not vulnerable to this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 4)
SRPMS:
htdig-3.2.0b6-3.40.1.src.rpm     bb2c2485bc40ac6842dc81c17d63f0af
 
IA-32:
htdig-3.2.0b6-3.40.1.i386.rpm
File outdated by:  RHBA-2008:0149		     3a92066c374c430a9e581b76b65358db
htdig-web-3.2.0b6-3.40.1.i386.rpm
File outdated by:  RHBA-2008:0149		     f7af349ddce35eb4681a416ca0d24ad9
 
x86_64:
htdig-3.2.0b6-3.40.1.x86_64.rpm
File outdated by:  RHBA-2008:0149		     1c00d64041cd9b2a2975222d1a6285a3
htdig-web-3.2.0b6-3.40.1.x86_64.rpm
File outdated by:  RHBA-2008:0149		     4e295161fb868cb875a3e581d680138c
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
htdig-3.2.0b6-3.40.1.src.rpm     bb2c2485bc40ac6842dc81c17d63f0af
 
IA-32:
htdig-3.2.0b6-3.40.1.i386.rpm
File outdated by:  RHBA-2008:0149		     3a92066c374c430a9e581b76b65358db
htdig-web-3.2.0b6-3.40.1.i386.rpm
File outdated by:  RHBA-2008:0149		     f7af349ddce35eb4681a416ca0d24ad9
 
IA-64:
htdig-3.2.0b6-3.40.1.ia64.rpm
File outdated by:  RHBA-2008:0149		     764d07486a1df065acf0e4b41145efea
htdig-web-3.2.0b6-3.40.1.ia64.rpm
File outdated by:  RHBA-2008:0149		     42f417c64c812c224cb061b09bf819d8
 
PPC:
htdig-3.2.0b6-3.40.1.ppc.rpm
File outdated by:  RHBA-2008:0149		     0b67dcc567f484da5a2100cbb4974b40
htdig-web-3.2.0b6-3.40.1.ppc.rpm
File outdated by:  RHBA-2008:0149		     4c6cad4ee1320469cf8fb5916ccc2f0d
 
s390:
htdig-3.2.0b6-3.40.1.s390.rpm
File outdated by:  RHBA-2008:0149		     db34676305160bc30d1a47dd4e2a15cc
htdig-web-3.2.0b6-3.40.1.s390.rpm
File outdated by:  RHBA-2008:0149		     103e9d013e58acb9888bf2894a22f0d8
 
s390x:
htdig-3.2.0b6-3.40.1.s390x.rpm
File outdated by:  RHBA-2008:0149		     e9afa0d245cf733c2c14c7815de4dc7e
htdig-web-3.2.0b6-3.40.1.s390x.rpm
File outdated by:  RHBA-2008:0149		     5e93175510c2734e7bc15224bac7d9b7
 
x86_64:
htdig-3.2.0b6-3.40.1.x86_64.rpm
File outdated by:  RHBA-2008:0149		     1c00d64041cd9b2a2975222d1a6285a3
htdig-web-3.2.0b6-3.40.1.x86_64.rpm
File outdated by:  RHBA-2008:0149		     4e295161fb868cb875a3e581d680138c
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
htdig-3.2.0b6-3.40.1.src.rpm     bb2c2485bc40ac6842dc81c17d63f0af
 
IA-32:
htdig-3.2.0b6-3.40.1.i386.rpm
File outdated by:  RHBA-2008:0149		     3a92066c374c430a9e581b76b65358db
htdig-web-3.2.0b6-3.40.1.i386.rpm
File outdated by:  RHBA-2008:0149		     f7af349ddce35eb4681a416ca0d24ad9
 
IA-64:
htdig-3.2.0b6-3.40.1.ia64.rpm
File outdated by:  RHBA-2008:0149		     764d07486a1df065acf0e4b41145efea
htdig-web-3.2.0b6-3.40.1.ia64.rpm
File outdated by:  RHBA-2008:0149		     42f417c64c812c224cb061b09bf819d8
 
x86_64:
htdig-3.2.0b6-3.40.1.x86_64.rpm
File outdated by:  RHBA-2008:0149		     1c00d64041cd9b2a2975222d1a6285a3
htdig-web-3.2.0b6-3.40.1.x86_64.rpm
File outdated by:  RHBA-2008:0149		     4e295161fb868cb875a3e581d680138c
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
htdig-3.2.0b6-3.40.1.src.rpm     bb2c2485bc40ac6842dc81c17d63f0af
 
IA-32:
htdig-3.2.0b6-3.40.1.i386.rpm
File outdated by:  RHBA-2008:0149		     3a92066c374c430a9e581b76b65358db
htdig-web-3.2.0b6-3.40.1.i386.rpm
File outdated by:  RHBA-2008:0149		     f7af349ddce35eb4681a416ca0d24ad9
 
IA-64:
htdig-3.2.0b6-3.40.1.ia64.rpm
File outdated by:  RHBA-2008:0149		     764d07486a1df065acf0e4b41145efea
htdig-web-3.2.0b6-3.40.1.ia64.rpm
File outdated by:  RHBA-2008:0149		     42f417c64c812c224cb061b09bf819d8
 
x86_64:
htdig-3.2.0b6-3.40.1.x86_64.rpm
File outdated by:  RHBA-2008:0149		     1c00d64041cd9b2a2975222d1a6285a3
htdig-web-3.2.0b6-3.40.1.x86_64.rpm
File outdated by:  RHBA-2008:0149		     4e295161fb868cb875a3e581d680138c
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

144261 - CAN-2005-0085 XSS vulnerability in htdig 3.2.0b6
145649 - htdig packaging cleanups


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0085

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/