Univention Bugzilla – Bug 47489
xapian-core: Multiple issues (4.3)
Last modified: 2018-08-15 13:14:42 CEST
New Debian xapian-core 1.4.3-2+deb9u1 fixes:

This update addresses the following issue(s):
* A cross-site scripting vulnerability in queryparser/termgenerator_internal.cc in Xapian xapian-core before 1.4.6 exists due to incomplete HTML escaping by Xapian::MSet::snippet(). (CVE-2018-0499)

1.4.3-2+deb9u1 (Fri, 06 Jul 2018 09:52:48 +1200)
* Fix MSet::snippet() to escape HTML in all cases (CVE-2018-499).
  New patch: cve-2018-0499-mset-snippet-escaping.patch
--- mirror/ftp/4.3/unmaintained/4.3-0/source/xapian-core_1.4.3-2.dsc +++ apt/ucs_4.3-0-errata4.3-1/source/xapian-core_1.4.3-2+deb9u1.dsc @@ -1,3 +1,8 @@ +1.4.3-2+deb9u1 [Fri, 06 Jul 2018 09:52:48 +1200] Olly Betts <olly@survex.com>: + + * Fix MSet::snippet() to escape HTML in all cases (CVE-2018-499). + New patch: cve-2018-0499-mset-snippet-escaping.patch (Closes: #902886) + 1.4.3-2 [Thu, 06 Apr 2017 06:48:18 +1200] Olly Betts <olly@survex.com>: * Fix incorrect results for unweighted AND with certain subqueries (new <http://10.200.17.11/4.3-1/#2859195356706459303>
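Review bot: The CVE identifier in the added changelog entry is written as "CVE-2018-499", but the patch named on the following line, cve-2018-0499-mset-snippet-escaping.patch, uses the zero-padded form CVE-2018-0499. A search or scanner that matches changelog text against the canonical ID will miss this entry, so the changelog line should read "(CVE-2018-0499)". The diff also shows only the changelog text, so it does not confirm here that the new patch is listed in the package's patch series and actually applied at build time; that is worth checking in the source package.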
OK: patches
OK: piuparts

OK: yaml
OK: errata-announce -V --only xapian-core.yaml

[4.3-1] 711fbc02d6 Bug #47489: xapian-core 1.4.3-2+deb9u1
 doc/errata/staging/xapian-core.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
<http://errata.software-univention.de/ucs/4.3/199.html>