September 8, 2009, 5:00 pm
It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website.
For the oldstable distribution (etch), this problem has been fixed in version 0.9.9-1+etch1.
For the stable distribution (lenny), this problem has been fixed in version 1.0.7-3+lenny1.
For the testing (squeeze) and unstable (sid) distribution, this problem will be fixed soon.
We recommend that you upgrade your xapian-omega packages...