The following list does not pretend to be exhaustive. It is intended to give some information in current work direction. Information pertaining to older releases has been archived here.

Known bugs

Vulnerability JVN#72589538 - CVE 2018-0545

Japan Computer Emergency Response Team (JPCERT) reported in March 2018 a vulnerability discovered during Summer 2017 by Touma Hatano (波多野冬馬 氏). This vulnerability allows to execute arbitrary commands with a specially crafted string submitted through General Search form.

This vulnerability affects all LXR versions with enabled free-text search since release 1.0.0.

Fix in 2.3.0 left a possibility to exploit the vulnerability. Fix in release 2.3.1 is now correct.

Users with LXR servers visible from the Internet are advised to update to protect themselves against this vulnerability.

Users who can't/don't want to upgrade should disable the General Search feature. See this tip.

Utilities-related bugs

Release bugs