SECURITY ADVISORY 20th March 2002
----------------------------------------------------------------------
Program: analog
Versions: all versions prior to 5.22
Operating systems: all
----------------------------------------------------------------------
Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack.
It is easy for an attacker to insert arbitrary strings into any web
server logfile. If these strings are then analysed by analog, they can
appear in the report. By this means an attacker can introduce
arbitrary Javascript code, for example, into an analog report produced
by someone else and read by a third person. Analog already attempted
to encode unsafe characters to avoid this type of attack, but the
conversion was incomplete.
Although it is not known that this bug has been exploited, it is easy
to exploit, and all users are advised to upgrade to version 5.22 of
analog immediately. The URL for analog is http://www.analog.cx/
I apologise for the inconvenience.
Thank you to Yuji Takahashi, Motonobu Takahashi and Takayuki Matsuki
for their help with this bug.
Stephen Turner
analog-author@lists.isite.net
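The report-injection problem described in this advisory, as an added example that is not analog's code and not a reconstruction of the pre-5.22 encoder: a small Common Log Format parser, a deliberately partial escaper (constructed here only to show why encoding just `<` and `>` is not enough once a field lands inside an HTML attribute), a complete escaper, and a check that no raw markup-significant character survives in the rendered fields. The log lines, the regex and all function names are constructed for this example.

```python
import html
import re
from typing import Callable, Dict, List

# Constructed sample log lines in Common Log Format. Any client can put
# arbitrary bytes into the request field simply by sending such a request.
SAMPLE_LOG = [
    '10.0.0.1 - - [20/Mar/2002:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.2 - - [20/Mar/2002:10:00:01 +0000] "GET /<b>bold</b>&amp; HTTP/1.0" 404 0',
    '10.0.0.3 - - [20/Mar/2002:10:00:02 +0000] "GET /page?q="quoted" HTTP/1.0" 200 10',
]

# Greedy request group: old servers wrote embedded quotes unescaped, so the
# request field is everything up to the last '" <status> <size>'.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one CLF line into named fields; raises on anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def incomplete_escape(s: str) -> str:
    """Constructed partial encoder: handles text context only.  Quotes and
    ampersands pass through, so a field placed in an attribute can break out."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def html_escape(s: str) -> str:
    """Encode every character significant in HTML text or attribute context
    (& < > " ') plus C0/DEL control characters as numeric references."""
    out = html.escape(s, quote=True)
    return "".join(
        f"&#{ord(c)};" if ord(c) < 0x20 or ord(c) == 0x7F else c for c in out
    )


def escaped_requests(lines: List[str],
                     escape: Callable[[str], str] = html_escape) -> List[str]:
    """Return the request field of each line after passing it through `escape`."""
    return [escape(parse_line(line)["request"]) for line in lines]


def render_report(lines: List[str],
                  escape: Callable[[str], str] = html_escape) -> str:
    """Emit a minimal HTML table; each request appears in both an attribute
    (title=) and text context, which is exactly where partial encoding fails."""
    rows = []
    for line in lines:
        rec = parse_line(line)
        req = escape(rec["request"])
        rows.append(
            f'<tr><td>{escape(rec["host"])}</td>'
            f'<td title="{req}">{req}</td>'
            f'<td>{escape(rec["status"])}</td></tr>'
        )
    return "<table>\n" + "\n".join(rows) + "\n</table>"


# A raw < > " ', a control character, or an & not starting an entity means
# the field could still alter the surrounding markup.
RAW_MARKUP = re.compile(
    r'[<>"\']|[\x00-\x1f\x7f]|&(?!(#\d+|#x[0-9a-fA-F]+|[A-Za-z]+);)'
)


def has_raw_markup(field: str) -> bool:
    """True if an escaped field still contains markup-significant characters."""
    return RAW_MARKUP.search(field) is not None


if __name__ == "__main__":
    for name, fn in (("incomplete", incomplete_escape), ("complete", html_escape)):
        fields = escaped_requests(SAMPLE_LOG, fn)
        bad = [f for f in fields if has_raw_markup(f)]
        print(f"{name}: {len(bad)} field(s) still carry raw markup")
    print(render_report(SAMPLE_LOG))
```

The check function is the part worth keeping in a report generator's test suite: run every untrusted field through the escaper and assert that nothing in `RAW_MARKUP` survives, in every context the template uses the field in.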
--
Dillo is a graphical web browser that's completely written in C,
very fast, and small in both code and binary size. It basically depends on GTK+
and renders a good subset of HTML; frames are handled the same way as in lynx,
and there is no JVM and no JavaScript.
i386-unknown-freebsd3.5 when I'm actually on a powerpc-unknown-openbsd3.0
system, turns out there is a stale auto-generated autoconf.h in the
distfile.
*) mark BROKEN:
HANDLER THREAD PROBLEM: java.net.SocketException: Resource temporarily unavailable: Resource temporarily unavailable
java.net.SocketException: Resource temporarily unavailable: Resource temporarily unavailable
at java.net.SocketInputStream.socketRead(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:90)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
at org.apache.tomcat.service.connector.AJP12RequestAdapter.readNextRequest(Ajp12ConnectionHandler.java:233)
at org.apache.tomcat.service.connector.Ajp12ConnectionHandler.processConnection(Ajp12ConnectionHandler.java:147)
at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
at java.lang.Thread.run(Thread.java:484)
closes a security issue in multipart form handling (buffer overflow)
temporarily disable the freetds flavour, since the m4 patch cannot
seem to be regenerated
PHP supports multipart/form-data POST requests (as described in RFC1867),
known as POST file uploads. Unfortunately there are several flaws in the
php_mime_split function that could be used by an attacker to execute
arbitrary code.
- broken boundary check
- arbitrary heap overflow
--
Ok'd by: maintainer
This program is an add-on for Analog, which produces nice looking
reports from the analysis of your logfiles. It does not require
Analog to be installed, merely the output from analog to be available
From Kenneth J. Hendrickson <Kenneth.Hendrickson@Home.com>, PR #2285.
* md5 -> distinfo
* Remove a SECURITY file that doesn't document any security issues.
Hironori Sakamoto found some vulnerabilities in w3m support scripts,
such as multipart.cgi, w3mman2html.cgi and w3mhelp.cgi. Attacker
could run arbitrary commands on user's machine with user's privilege
by using malicious html pages.
DSO's on. This is so we don't get tripped up on archs that do not have DSO
support yet (i.e. ELF-based archs & static only archs).
--
Pointed out by pval@'s macppc broken ports list
--
- fixes a possible security issue as posted to BugTraq (unconfirmed,
exploitability unknown)
- tmpnam() -> mkstemp() in htpasswd
- kqueue() fixes
- a number of other fixes and improvements
to be installed inside the main Zope tree.
--
Page Templates are a web page generation tool. They help programmers
and designers collaborate in producing dynamic web pages for Zope
web applications. Designers can use them to maintain pages without
having to abandon their tools, while preserving the work required
to embed those pages in an application.
The goal of Page Templates is natural workflow. A designer will use
a WYSIWYG HTML editor to create a template, then a programmer will
edit it to make it part of an application. If required, the designer
can load the template back into his editor and make further changes
to its structure and appearance. By taking reasonable steps to
preserve the changes made by the programmer, he will not disrupt
the application.
WWW: ${HOMEPAGE}
w3m is a pager/text-based WWW browser. This is the multilingualization
(m17n) version.
It used to be a flavor of www/w3m but the different versions keep diverging.
Radical pruning to make this port manageable again:
- Remove image and m17n flavors. The corresponding functionality
may eventually return in some other form.
- Rename kanji flavor to "japanese".
* Fix wayward indentation introduced in 1.0.4 which caused -browser
to fail.
* Note that SURFRAW_browser was made obsolete in 1.0.4.
SURFRAW_text_browser and SURFRAW_graphical_browser replace its
functionality.
* State extra clearly the format of ~/.surfraw.conf.
- regress
- add zope-instance relative path support
- do optimizing compile on python files too, like lang/python, and use optimized in default zope-instance start script
o Install share file into ${datadir}/<package> (automake pkgdata,
.in files @datadir@/@PACKAGE@); requires /etc/surfraw.conf upgrade
o @dirrm share/stuff the package owns
naddy@ ok
- add in similar fopen disable patch for php.ini-optimized
- bump version to php-4.0.6p1 to reflect all the backports
and bugfixes in the last two commits
(checked by heko, naddy)
- work with any LOCALBASE for most flavors (heko)
- turn off url_fopen by default for better security, most people
never use it
- correctly detect the crypt function as part of libc,
not a separate library
- unbreak curl, since 7.9 is now present in our tree
- more informative INSTALL script (naddy, heko)
o Add gtk flavor, don't build it yet in www/amaya/Makefile until some
scrollbar dysfunctionality is fixed.
o Build amaya against system versions of: jpeg, png, zlib,
expat, md5; some of the patches for this come from FreeBSD
o Add HOMEPAGE
o Unify dictionary installation to a common $frag (a bunch
of dictionaries will be imported later separately)
o Take over maintainer; ok naddy@
o Fix missing trailing slash in MASTER_SITES
This may only cover up a symptom of an underlying problem with perl
5.6.1 so currently mod_perl should be used with caution until we
find the real bug - probably in the perl sources
found by Pavel Kovorin <pvk@tsinet.ru>
the pkgspecs are only useful for packages made from our tree and since the
package versions are well within the minimum versions then change back
to *.
and just prints a warning. RUN_DEPENDS only.
- Specify the lowest possible versions of the dependency entries with which
this can be installed, instead of matching all.
from maintainer Nikolay Sturm <nikolay.sturm@desy.de>
Jesred is a redirector for the Squid proxy. It was derived from
Squirm 1.0 betaB and some parts of Squid. The author claims that it's
about two or three times faster than the original Squirm, and has some
added features.
MAINTAINER= Couderc Damien <couderc.damien@wanadoo.fr>
---
HTML::CGIChecker is a module for web developers to parse HTML and
to detect HTML code that could break a page in some way.
This module is not an HTML validator, but it allows one to check the
HTML code that users post to a web application, for example to a
discussion board, to prevent them from posting a piece of code that would
render the rest of the page it is displayed on unusable.
- expand upon comment about supporting dynamic loading
- no need to "mkdir ${WRKSRC}" in post-extract target
- add better enable script and rename it from gzip-enable to
mod_gzip-enable to match the module name
- replace INSTALL script with MESSAGE
--
http_load runs multiple HTTP fetches in parallel, to test the throughput
of a web server.
However unlike most such test clients, it runs in a single process, so it
doesn't bog down the client machine. It can be configured to do HTTPS
fetches as well.
---
CGI::XMLApplication is a CGI application class that intends to
enable Perl programmers to implement CGIs that make use of XML/XSLT
functionality without having to take too much care about specialized
error checking. It is also meant to provide the power of the XML::LibXML
/ XML::LibXSLT module package.
--
mod_gzip transparently compresses the output of apache to
client browsers. It uses the 'Accept-Encoding' header to
determine whether or not the client browser wants gzipped
content.
XmHTML is a high performance Motif Widget capable of displaying
HTML 3.2 conforming text.
WWW: http://www.xs4all.nl/~ripley/XmHTML
MAINTAINER= Nikolay Sturm <Nikolay.Sturm@desy.de>
Version 3.2.2 fixes a large number of bugs and all known specification
compliance issues. The 3.2.x branch will continue in maintenance mode,
but no new feature releases are planned.