htdig: SECURITY: Announcement of ht://Dig 3.1.0b4 RPMs


Gilles Detillieux (grdetil@scrc.umanitoba.ca)
Tue, 5 Jan 1999 14:54:40 -0600 (CST)


A security vulnerability was found in htnotify, from ht://Dig 3.1.0b1
through b3, and is corrected in 3.1.0b4.

I've just uploaded source and binary rpms for the ht://Dig 3.1.0b4
web site search engine to incoming.redhat.com, for eventual inclusion
on contrib.redhat.com. In the interim, they can be downloaded from the
SCRC web site, at

        http://www.scrc.umanitoba.ca/htdig/rpms/

The following RPMs were built on Red Hat Linux 4.2 (libc5) and 5.0 (glibc)
respectively; the "0glibc" release tag marks the 5.0 builds:

htdig-3.1.0b4-0.i386.rpm
htdig-3.1.0b4-0.sparc.rpm
htdig-3.1.0b4-0.src.rpm
htdig-3.1.0b4-0glibc.i386.rpm
htdig-3.1.0b4-0glibc.src.rpm

Name        : htdig
Version     : 3.1.0b4
Release     : 0
Distribution: (none)
Vendor      : (none)
Build Date  : Mon Jan 04 16:52:04 1999
Build Host  : cliff.scrc.umanitoba.ca
Install date: Tue Jan 05 09:57:35 1999
Group       : Networking/Utilities
Source RPM  : htdig-3.1.0b4-0.src.rpm
Size        : 2759569
Packager    : Gilles Detillieux <grdetil@scrc.umanitoba.ca>
URL         : http://www.htdig.org/
Summary     : A web indexing and searching system for a small domain or intranet
Description :
The ht://Dig system is a complete world wide web indexing and searching
system for a small domain or intranet. This system is not meant to replace
the need for powerful internet-wide search systems like Lycos, Infoseek,
Webcrawler and AltaVista. Instead it is meant to cover the search needs for
a single company, campus, or even a particular sub section of a web site.

As opposed to some WAIS-based or web-server based search engines, ht://Dig
can span several web servers at a site. The type of these different web
servers doesn't matter as long as they understand the HTTP 1.0 protocol.

According to Geoff Hutchison:
> I didn't get a chance to announce version 3.1.0b4 over the "holiday
> break." Basically the changes include fixes for memory leaks in htnotify
> and htsearch (that "20x performance decrease") and a BIG SECURITY HOLE in
> htnotify.
>
> Let me make this very clear: if you use htnotify, either upgrade to
> 3.1.0b4 or don't use htnotify. Period.
>
> The hole allows malicious users to execute commands running as the same
> user as that running htnotify. This occurs when htnotify runs into a
> webpage with a malicious tag. It does not occur when using htdig,
> htmerge, htfuzzy, or htsearch.
>
> I do not know of any cases where this hole has been used. It is present in
> all of the 3.1.0bX versions up to 3.1.0b4. It may be present, though to a
> lesser degree, in previous versions.

I should add that the performance decrease from 3.1.0b2 to 3.1.0b3 &
b4 has not been completely corrected in htsearch. Some of this was
due to the memory leak, but a lot of it was due to extra database I/O
caused by htsearch's new ranking algorithm, when the search matches a
very large number of documents. This problem has yet to be addressed,
but an upgrade to 3.1.0b4 is still highly recommended because of all
the other bug fixes introduced since 3.1.0b2.

-- 
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
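The quoted advisory says only that a malicious tag in a crawled page lets htnotify run commands as its own user. The following is an added illustration of that bug class, not htnotify's source and not an exploit for it: a tool pulls an e-mail address out of a <meta> tag in a fetched page and builds a mail command from it as a shell string, so shell metacharacters in the page author's content become commands. The meta tag names, the sendmail path and the sample pages are assumptions; the hardened variant validates the address against an allow-list and passes it as a single argv element with no shell.

```python
"""Added example of the bug class described in the advisory above.
Assumptions (not from the advisory): the tool reads an 'htdig-email'
meta tag, the mailer is /usr/sbin/sendmail, and the pages are constructed."""

import re
from html.parser import HTMLParser

# Constructed sample pages.  The page author controls the meta content, so a
# crawler must treat it as hostile input.
MALICIOUS_PAGE = """<html><head>
<meta name="htdig-email" content="webmaster@example.com; touch /tmp/pwned">
<meta name="htdig-notification-date" content="1999-01-05">
</head><body>hello</body></html>"""

BENIGN_PAGE = """<html><head>
<meta name="htdig-email" content="webmaster@example.com">
</head></html>"""


class MetaCollector(HTMLParser):
    """Collects name -> content for every <meta> tag in the document."""

    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = dict(attrs)
        name = a.get("name")
        if name is not None:
            self.meta[name.lower()] = a.get("content") or ""


def extract_meta(html, name):
    """Return the content of the named <meta> tag, or None if absent."""
    p = MetaCollector()
    p.feed(html)
    return p.meta.get(name.lower())


def vulnerable_mail_command(html):
    """The unsafe pattern: string-build a shell command from page content.
    The string is returned, not executed, so the injection can be inspected;
    feeding it to popen()/system() would run the page author's command."""
    addr = extract_meta(html, "htdig-email")
    return f"/usr/sbin/sendmail {addr}"


# Allow-list: a plain mailbox, starting with an alphanumeric so it can never
# be mistaken for a command-line option, and no shell metacharacters at all.
ADDR_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_safe_address(addr):
    return addr is not None and ADDR_RE.match(addr) is not None


def safe_mail_argv(html):
    """The hardened pattern: validate the untrusted value, then hand it to the
    mailer as one argv element (subprocess.run(argv), no shell=True), so the
    shell never parses it.  Unvalidated input is refused, not sanitised."""
    addr = extract_meta(html, "htdig-email")
    if not is_safe_address(addr):
        raise ValueError(f"refusing untrusted address: {addr!r}")
    return ["/usr/sbin/sendmail", addr]


if __name__ == "__main__":
    print("unsafe command string:", vulnerable_mail_command(MALICIOUS_PAGE))
    print("safe argv for benign page:", safe_mail_argv(BENIGN_PAGE))
    try:
        safe_mail_argv(MALICIOUS_PAGE)
    except ValueError as e:
        print("hardened path:", e)
```

The point of the allow-list rather than escaping is that the untrusted value never reaches a shell in either form: a value that fails validation is dropped, and a value that passes is passed as data, not as part of a command line.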

This archive was generated by hypermail 2.0b3 on Thu Jan 07 1999 - 07:52:38 PST