Security Advisory Moderate: htdig security update

Advisory: RHSA-2007:1095-3
Type: Security Advisory
Severity: Moderate
Issued on: 2007-12-03
Last updated on: 2007-12-03
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.6.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.6.z)
Red Hat Enterprise Linux EUS (v. 5.1.z server)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20071095.xml
CVEs (cve.mitre.org): CVE-2007-6110

Details

Updated htdig packages that resolve a security issue are now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The ht://Dig system is a complete World Wide Web indexing and searching
system for a small domain or intranet.

A cross-site scripting flaw was discovered in a htdig search page. An
attacker could construct a carefully crafted URL, which once visited by an
unsuspecting user, could cause a user's Web browser to execute malicious
script in the context of the visited htdig search Web page. (CVE-2007-6110)

Users of htdig are advised to upgrade to these updated packages, which
contain backported patch to resolve this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
htdig-3.2.0b6-9.0.1.el5_1.src.rpm     6fb7a2b9503cb113ee8e487ab2b8807f
 
IA-32:
htdig-web-3.2.0b6-9.0.1.el5_1.i386.rpm
File outdated by:  RHBA-2009:0291		     aefa60c107dfcc2d0c8d0b33c630ca20
 
x86_64:
htdig-web-3.2.0b6-9.0.1.el5_1.x86_64.rpm
File outdated by:  RHBA-2009:0291		     96781f707fa53abab3c5d21a42dac088
 
Red Hat Desktop (v. 4)
SRPMS:
htdig-3.2.0b6-4.el4_6.src.rpm     da98d8dfeea252f3970e81a7e120ac5c
 
IA-32:
htdig-3.2.0b6-4.el4_6.i386.rpm
File outdated by:  RHBA-2008:0149		     72213d098b97f44c998fb6e23fb9e457
htdig-web-3.2.0b6-4.el4_6.i386.rpm
File outdated by:  RHBA-2008:0149		     474e7f333c8d034c8694707695141645
 
x86_64:
htdig-3.2.0b6-4.el4_6.x86_64.rpm
File outdated by:  RHBA-2008:0149		     8ac0056031b94ab4a7e70fff903ae276
htdig-web-3.2.0b6-4.el4_6.x86_64.rpm
File outdated by:  RHBA-2008:0149		     01fd44996ad52b0c4f007bf8d5e98220
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
htdig-3.2.0b6-9.0.1.el5_1.src.rpm     6fb7a2b9503cb113ee8e487ab2b8807f
 
IA-32:
htdig-3.2.0b6-9.0.1.el5_1.i386.rpm
File outdated by:  RHBA-2009:0291		     ac3f6f528f6cfb5f64201d3e49d8bbb4
htdig-web-3.2.0b6-9.0.1.el5_1.i386.rpm
File outdated by:  RHBA-2009:0291		     aefa60c107dfcc2d0c8d0b33c630ca20
 
IA-64:
htdig-3.2.0b6-9.0.1.el5_1.ia64.rpm
File outdated by:  RHBA-2009:0291		     f57e46687f0d15873845de89150adf91
htdig-web-3.2.0b6-9.0.1.el5_1.ia64.rpm
File outdated by:  RHBA-2009:0291		     a9b7aca74782dbe539fb10f8e693f878
 
PPC:
htdig-3.2.0b6-9.0.1.el5_1.ppc.rpm
File outdated by:  RHBA-2009:0291		     4f680df4472a686244522cdba9db032e
htdig-web-3.2.0b6-9.0.1.el5_1.ppc.rpm
File outdated by:  RHBA-2009:0291		     1b7d0c503366d10bf6ab5a8f36a7fbab
 
s390x:
htdig-3.2.0b6-9.0.1.el5_1.s390x.rpm
File outdated by:  RHBA-2009:0291		     4a2b460e0e83827631644c92d6b2f9cc
htdig-web-3.2.0b6-9.0.1.el5_1.s390x.rpm
File outdated by:  RHBA-2009:0291		     0295ecf635676b1970e9df3cd1991b0a
 
x86_64:
htdig-3.2.0b6-9.0.1.el5_1.x86_64.rpm
File outdated by:  RHBA-2009:0291		     8eddaa8a12f404ce14ea4588ee4e4b3b
htdig-web-3.2.0b6-9.0.1.el5_1.x86_64.rpm
File outdated by:  RHBA-2009:0291		     96781f707fa53abab3c5d21a42dac088
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
htdig-3.2.0b6-4.el4_6.src.rpm     da98d8dfeea252f3970e81a7e120ac5c
 
IA-32:
htdig-3.2.0b6-4.el4_6.i386.rpm
File outdated by:  RHBA-2008:0149		     72213d098b97f44c998fb6e23fb9e457
htdig-web-3.2.0b6-4.el4_6.i386.rpm
File outdated by:  RHBA-2008:0149		     474e7f333c8d034c8694707695141645
 
IA-64:
htdig-3.2.0b6-4.el4_6.ia64.rpm
File outdated by:  RHBA-2008:0149		     b04ec2235312dc8b3558c75d2afa92dc
htdig-web-3.2.0b6-4.el4_6.ia64.rpm
File outdated by:  RHBA-2008:0149		     17ce8f1c662a0afc393146f46aee53d9
 
PPC:
htdig-3.2.0b6-4.el4_6.ppc.rpm
File outdated by:  RHBA-2008:0149		     869cb51f3cdb285524d670c709e2a09f
htdig-web-3.2.0b6-4.el4_6.ppc.rpm
File outdated by:  RHBA-2008:0149		     455c3345b5fb1f485e7330e7e20463a3
 
s390:
htdig-3.2.0b6-4.el4_6.s390.rpm
File outdated by:  RHBA-2008:0149		     1985d5c661d5cd431fd0a8a7fcf31989
htdig-web-3.2.0b6-4.el4_6.s390.rpm
File outdated by:  RHBA-2008:0149		     7bdc5aa5361bd1bc423ffff3477024f8
 
s390x:
htdig-3.2.0b6-4.el4_6.s390x.rpm
File outdated by:  RHBA-2008:0149		     5e2b7d6dbe5e48e76c7e9435b24a10c4
htdig-web-3.2.0b6-4.el4_6.s390x.rpm
File outdated by:  RHBA-2008:0149		     0e783d736547810277c5bb9854fd69ac
 
x86_64:
htdig-3.2.0b6-4.el4_6.x86_64.rpm
File outdated by:  RHBA-2008:0149		     8ac0056031b94ab4a7e70fff903ae276
htdig-web-3.2.0b6-4.el4_6.x86_64.rpm
File outdated by:  RHBA-2008:0149		     01fd44996ad52b0c4f007bf8d5e98220
 
Red Hat Enterprise Linux AS (v. 4.6.z)
SRPMS:
htdig-3.2.0b6-4.el4_6.src.rpm     da98d8dfeea252f3970e81a7e120ac5c
 
IA-32:
htdig-3.2.0b6-4.el4_6.i386.rpm     72213d098b97f44c998fb6e23fb9e457
htdig-web-3.2.0b6-4.el4_6.i386.rpm     474e7f333c8d034c8694707695141645
 
IA-64:
htdig-3.2.0b6-4.el4_6.ia64.rpm     b04ec2235312dc8b3558c75d2afa92dc
htdig-web-3.2.0b6-4.el4_6.ia64.rpm     17ce8f1c662a0afc393146f46aee53d9
 
PPC:
htdig-3.2.0b6-4.el4_6.ppc.rpm     869cb51f3cdb285524d670c709e2a09f
htdig-web-3.2.0b6-4.el4_6.ppc.rpm     455c3345b5fb1f485e7330e7e20463a3
 
s390:
htdig-3.2.0b6-4.el4_6.s390.rpm     1985d5c661d5cd431fd0a8a7fcf31989
htdig-web-3.2.0b6-4.el4_6.s390.rpm     7bdc5aa5361bd1bc423ffff3477024f8
 
s390x:
htdig-3.2.0b6-4.el4_6.s390x.rpm     5e2b7d6dbe5e48e76c7e9435b24a10c4
htdig-web-3.2.0b6-4.el4_6.s390x.rpm     0e783d736547810277c5bb9854fd69ac
 
x86_64:
htdig-3.2.0b6-4.el4_6.x86_64.rpm     8ac0056031b94ab4a7e70fff903ae276
htdig-web-3.2.0b6-4.el4_6.x86_64.rpm     01fd44996ad52b0c4f007bf8d5e98220
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
htdig-3.2.0b6-9.0.1.el5_1.src.rpm     6fb7a2b9503cb113ee8e487ab2b8807f
 
IA-32:
htdig-3.2.0b6-9.0.1.el5_1.i386.rpm
File outdated by:  RHBA-2009:0291		     ac3f6f528f6cfb5f64201d3e49d8bbb4
 
x86_64:
htdig-3.2.0b6-9.0.1.el5_1.x86_64.rpm
File outdated by:  RHBA-2009:0291		     8eddaa8a12f404ce14ea4588ee4e4b3b
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
htdig-3.2.0b6-4.el4_6.src.rpm     da98d8dfeea252f3970e81a7e120ac5c
 
IA-32:
htdig-3.2.0b6-4.el4_6.i386.rpm
File outdated by:  RHBA-2008:0149		     72213d098b97f44c998fb6e23fb9e457
htdig-web-3.2.0b6-4.el4_6.i386.rpm
File outdated by:  RHBA-2008:0149		     474e7f333c8d034c8694707695141645
 
IA-64:
htdig-3.2.0b6-4.el4_6.ia64.rpm
File outdated by:  RHBA-2008:0149		     b04ec2235312dc8b3558c75d2afa92dc
htdig-web-3.2.0b6-4.el4_6.ia64.rpm
File outdated by:  RHBA-2008:0149		     17ce8f1c662a0afc393146f46aee53d9
 
x86_64:
htdig-3.2.0b6-4.el4_6.x86_64.rpm
File outdated by:  RHBA-2008:0149		     8ac0056031b94ab4a7e70fff903ae276
htdig-web-3.2.0b6-4.el4_6.x86_64.rpm
File outdated by:  RHBA-2008:0149		     01fd44996ad52b0c4f007bf8d5e98220
 
Red Hat Enterprise Linux ES (v. 4.6.z)
SRPMS:
htdig-3.2.0b6-4.el4_6.src.rpm     da98d8dfeea252f3970e81a7e120ac5c
 
IA-32:
htdig-3.2.0b6-4.el4_6.i386.rpm     72213d098b97f44c998fb6e23fb9e457
htdig-web-3.2.0b6-4.el4_6.i386.rpm     474e7f333c8d034c8694707695141645
 
IA-64:
htdig-3.2.0b6-4.el4_6.ia64.rpm     b04ec2235312dc8b3558c75d2afa92dc
htdig-web-3.2.0b6-4.el4_6.ia64.rpm     17ce8f1c662a0afc393146f46aee53d9
 
x86_64:
htdig-3.2.0b6-4.el4_6.x86_64.rpm     8ac0056031b94ab4a7e70fff903ae276
htdig-web-3.2.0b6-4.el4_6.x86_64.rpm     01fd44996ad52b0c4f007bf8d5e98220
 
Red Hat Enterprise Linux EUS (v. 5.1.z server)
SRPMS:
htdig-3.2.0b6-9.0.1.el5_1.src.rpm     6fb7a2b9503cb113ee8e487ab2b8807f
 
IA-32:
htdig-3.2.0b6-9.0.1.el5_1.i386.rpm     ac3f6f528f6cfb5f64201d3e49d8bbb4
htdig-web-3.2.0b6-9.0.1.el5_1.i386.rpm     aefa60c107dfcc2d0c8d0b33c630ca20
 
IA-64:
htdig-3.2.0b6-9.0.1.el5_1.ia64.rpm     f57e46687f0d15873845de89150adf91
htdig-web-3.2.0b6-9.0.1.el5_1.ia64.rpm     a9b7aca74782dbe539fb10f8e693f878
 
PPC:
htdig-3.2.0b6-9.0.1.el5_1.ppc.rpm     4f680df4472a686244522cdba9db032e
htdig-web-3.2.0b6-9.0.1.el5_1.ppc.rpm     1b7d0c503366d10bf6ab5a8f36a7fbab
 
s390x:
htdig-3.2.0b6-9.0.1.el5_1.s390x.rpm     4a2b460e0e83827631644c92d6b2f9cc
htdig-web-3.2.0b6-9.0.1.el5_1.s390x.rpm     0295ecf635676b1970e9df3cd1991b0a
 
x86_64:
htdig-3.2.0b6-9.0.1.el5_1.x86_64.rpm     8eddaa8a12f404ce14ea4588ee4e4b3b
htdig-web-3.2.0b6-9.0.1.el5_1.x86_64.rpm     96781f707fa53abab3c5d21a42dac088
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
htdig-3.2.0b6-4.el4_6.src.rpm     da98d8dfeea252f3970e81a7e120ac5c
 
IA-32:
htdig-3.2.0b6-4.el4_6.i386.rpm
File outdated by:  RHBA-2008:0149		     72213d098b97f44c998fb6e23fb9e457
htdig-web-3.2.0b6-4.el4_6.i386.rpm
File outdated by:  RHBA-2008:0149		     474e7f333c8d034c8694707695141645
 
IA-64:
htdig-3.2.0b6-4.el4_6.ia64.rpm
File outdated by:  RHBA-2008:0149		     b04ec2235312dc8b3558c75d2afa92dc
htdig-web-3.2.0b6-4.el4_6.ia64.rpm
File outdated by:  RHBA-2008:0149		     17ce8f1c662a0afc393146f46aee53d9
 
x86_64:
htdig-3.2.0b6-4.el4_6.x86_64.rpm
File outdated by:  RHBA-2008:0149		     8ac0056031b94ab4a7e70fff903ae276
htdig-web-3.2.0b6-4.el4_6.x86_64.rpm
File outdated by:  RHBA-2008:0149		     01fd44996ad52b0c4f007bf8d5e98220
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

399561 - CVE-2007-6110 htdig htsearch XSS vulnerability


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6110
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/