Dan Rosenberg discovered that in lxr-cvs, a code-indexing tool with a web frontend, not enough sanitation of user input is performed; an attacker can take advantage of this and pass script code in order to perform cross-site scripting attacks. For the stable distribution , this problem has been fixed in version 0.9.5+cvs20071020-1+lenny1. For the testing distribution , this problem has been fixed in version 0.9.5+cvs20071020-1.1. We recommend that you upgrade your lxr-cvs packages.