calamaris parses logfiles from Squid, NetCache, Inktomi Traffic Server,
Oops! proxy server, Novell Internet Caching System, Compaq Tasksmart
or Netscape/iplanet Web Proxy Server and generates a report.
Written in perl5.
* bump NEED_VERSION
* security fix: buffer overflow in DNS resolver
* includes other bugfixes
* some strcpy/strncpy/sprintf calls changed to strlcpy/snprintf
The issue involves a vulnerability involving "through the web code"
inadvertently allowing an untrusted user to remotely shut down a
Zope server by allowing the user to inject special headers into the
response. If you allow untrusted users to write "through the web"
code like Python Scripts, DTML Methods, or Page Templates, your
Zope server is vulnerable.
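The fix described above is about untrusted script output reaching the HTTP response headers. The general defensive check, as an added example written for this page (it is not Zope's code and does not reproduce the specific shutdown mechanism the commit refers to): refuse any header name that is not a token and any header value containing CR, LF or NUL, because those are the characters that let an injected string terminate the header block or start a new header. The function names set_response_header, render_headers and header_is_safe are hypothetical.

```python
"""
Added example (not Zope's own code): validate response headers before they
are emitted, so that strings produced by untrusted "through the web" code
cannot inject additional headers.
"""
import re

# Header names must be RFC 7230 tokens.  Values may not contain CR, LF or
# NUL; a CR/LF pair inside a value is exactly what ends one header line and
# begins another (or, doubled, ends the whole header block).
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_FORBIDDEN_VALUE_CHARS = frozenset("\r\n\x00")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could break out of the header block."""


def set_response_header(headers, name, value):
    """Validate `name` and `value`, then store them in `headers` (a plain
    dict of name -> value, standing in for a real response object)."""
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"illegal header name: {name!r}")
    if any(ch in _FORBIDDEN_VALUE_CHARS for ch in value):
        raise HeaderInjectionError(f"CR/LF/NUL in value of {name}: {value!r}")
    headers[name] = value
    return headers


def render_headers(headers):
    """Serialise already-validated headers into wire form, one line each,
    followed by the blank line that closes the header block."""
    return "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"


def header_is_safe(name, value):
    """Predicate form of the check: True if the pair would be accepted."""
    try:
        set_response_header({}, name, value)
    except HeaderInjectionError:
        return False
    return True


if __name__ == "__main__":
    hdrs = set_response_header({}, "Content-Type", "text/html")
    print(render_headers(hdrs))
    # Constructed sample: a value that tries to end the current header and
    # smuggle in a second one.  The check rejects it.
    smuggled = "text/html\r\nX-Injected: yes"
    print("rejected:", not header_is_safe("Content-Type", smuggled))
```

Validation belongs at the point where the header is set, not where it is serialised; by the time render_headers runs, every value is known to be a single line.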
- use parsedir result to append '/',
- use ftpOpenDir instead of recoding it by hand,
- handle special case of an empty path, for URLs without trailing slashes
(last problem found by brad@).
Turns out the launcher spawns children, but is not the main process.
For whatever reason, the SIGCHLD handler did not get propagated, and
it doesn't serve any purpose to add waitpid to Slave::kill, since it's
not run from the launcher, but the main process...
knows if 2.5.1 is going to come out in time for the release.
Also add my patch to fix setuid support (not used by default) and
set our own version string to distinguish this from an "official"
Zope release.
"Apache::ASP provides an Active Server Pages port to the Apache Web
Server with Perl scripting only, and enables development of dynamic
web applications with session management and embedded perl code."
SECURITY ADVISORY 20th March 2002
----------------------------------------------------------------------
Program: analog
Versions: all versions prior to 5.22
Operating systems: all
----------------------------------------------------------------------
Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack.
It is easy for an attacker to insert arbitrary strings into any web
server logfile. If these strings are then analysed by analog, they can
appear in the report. By this means an attacker can introduce
arbitrary Javascript code, for example, into an analog report produced
by someone else and read by a third person. Analog already attempted
to encode unsafe characters to avoid this type of attack, but the
conversion was incomplete.
Although it is not known that this bug has been exploited, it is easy
to exploit, and all users are advised to upgrade to version 5.22 of
analog immediately. The URL for analog is http://www.analog.cx/
I apologise for the inconvenience.
Thank you to Yuji Takahashi, Motonobu Takahashi and Takayuki Matsuki
for their help with this bug.
Stephen Turner
analog-author@lists.isite.net
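The advisory above says that analog's encoding of unsafe characters was incomplete, and that a string planted in a web-server log can become live markup in the report. As an added example (not analog's code; analog itself is written in C), the following Python parses a few constructed combined-log-format lines, HTML-encodes every log-derived field before it is placed in a report table, and audits the rendered report for any `<`, `>` or `"` that did not come from the renderer's own tags. The names parse_log_line, escape_for_report, render_report_rows and leftover_markup_chars, the regex and the sample log lines are all constructed for this example.

```python
"""
Added example (not analog's code): encode every field taken from a web
server log before writing it into an HTML report, so that strings an
attacker placed in the log cannot become markup in the report.
"""
import html
import re

# Combined log format (constructed regex; referer and user agent optional).
_CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Fields that end up in the report; every one of them is attacker-influenced,
# since the client chooses the request line, referer and user agent.
REPORT_FIELDS = ("host", "request", "status", "referer", "agent")

# Constructed sample log: one ordinary hit, one whose request line and user
# agent carry markup of the kind the advisory describes.
SAMPLE_LOG = [
    '203.0.113.9 - - [20/Mar/2002:10:15:32 +0000] "GET /index.html HTTP/1.0" '
    '200 1043 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Mar/2002:10:16:01 +0000] '
    '"GET /<script>alert(1)</script> HTTP/1.0" 404 215 "-" '
    '"Mozilla/4.0 (compatible; <b>test</b>)"',
]


def parse_log_line(line):
    """Return a dict of named fields, or None if the line does not parse."""
    m = _CLF_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def escape_for_report(text):
    """HTML-encode all five characters that matter in markup: & < > " and '.
    html.escape(quote=True) covers the full set, which is the point the
    advisory makes: escaping only < and > is not enough."""
    return html.escape(text, quote=True)


def render_report_rows(log_lines):
    """Render one <tr> per parsable log line, escaping every cell."""
    rows = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # unparsable lines are dropped, never echoed raw
        cells = "".join(
            f"<td>{escape_for_report(rec.get(f) or '-')}</td>" for f in REPORT_FIELDS
        )
        rows.append(f"<tr>{cells}</tr>")
    return "\n".join(rows)


def leftover_markup_chars(report_html):
    """Audit helper: strip the tags this renderer emits itself and report
    any '<', '>' or '"' that remain.  After correct escaping there are none."""
    stripped = re.sub(r"</?(?:table|tr|td)>", "", report_html)
    return sorted({ch for ch in stripped if ch in '<>"'})


if __name__ == "__main__":
    report = render_report_rows(SAMPLE_LOG)
    print(report)
    print("leftover markup characters:", leftover_markup_chars(report))
```

The audit function is the check a practitioner would add to a report generator's tests: feed it log lines containing every HTML-significant character and assert that nothing but the renderer's own tags survives in the output.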