"Hironori SAKAMOTO <hsaka@mth.biglobe.ne.jp> found another security
vulnerability in w3m 0.3.2.x: w3m fails to escape HTML tags
in the img alt attribute, so malicious frame HTML may deceive you to
access your local files, cookies and so on."
--
This version fixes a URL CRLF Injection Vulnerability:
A CRLF injection vulnerability has been reported for Links that
may allow an attacker to include extra HTTP headers when viewing
web pages.
If Links is called from the command line, carriage return and line
feed (CRLF) characters may be included in the specified URL.
These characters are not escaped when the input is used to construct
an HTTP request.
URL: http://online.securityfocus.com/bid/5499/discussion/
espie@ brad@ ok
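
The unescaped request line described in the entry above, shown next to a hardened form. This is an added example, not code from Links or from this commit; the function names, the `example.test` host and the sample path are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Percent-encode control bytes, space and DEL. -1 if dst is too small. */
int escape_path(const char *src, char *dst, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int enc = (c <= 0x20 || c == 0x7f);
        if (o + (enc ? 3 : 1) >= cap) return -1;
        if (enc) { dst[o++] = '%'; dst[o++] = hex[c >> 4]; c = hex[c & 15]; }
        dst[o++] = (char)c;   /* literal byte, or low hex digit after '%' */
    }
    dst[o] = '\0';
    return 0;
}

/* escape=0 copies the path verbatim (the unescaped behaviour described
 * above); escape=1 is the hardened form. host is assumed validated. */
int build_request(const char *host, const char *path, int escape,
                  char *out, size_t cap)
{
    char safe[512];
    if (escape && escape_path(path, safe, sizeof safe) != 0) return -1;
    int n = snprintf(out, cap, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n",
                     escape ? safe : path, host);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Header lines a server would parse after the request line. */
int count_headers(const char *req)
{
    int lines = 0;
    for (const char *e; (e = strstr(req, "\r\n")) && e != req; req = e + 2)
        lines++;
    return lines - 1;
}

int main(void)
{
    char req[256];
    const char *path = "/a\r\nX-Injected: 1";   /* constructed sample input */
    for (int esc = 0; esc <= 1; esc++)
        if (build_request("example.test", path, esc, req, sizeof req) == 0)
            printf("escape=%d: %d header line(s)\n", esc, count_headers(req));
    return 0;
}
```

With the path copied verbatim the server sees two header lines instead of one; with escaping the CR and LF stay inside the request target as `%0D%0A`.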
--
Perl module that provides an extension to HTML::Template
which allows expressions in the template syntax.
From: Jim Geovedi <jim@corebsd.or.id>
brad@ ok
submitted by Dan Weeks <danimal@danimal.org>
Privoxy is a web proxy with advanced filtering capabilities for protecting
privacy, filtering web page content, managing cookies, controlling access,
and removing ads, banners, pop-ups and other obnoxious Internet junk.
Privoxy has a very flexible configuration and can be customized to suit
individual needs and tastes. Privoxy has application for both stand-alone
systems and multi-user networks.
naddy@ OK
SECURITY: This fixes a vulnerability where w3m fails to escape HTML
tags in frame contents, so malicious frame HTML can deceive you and
access your local files, cookies and so on.
Submitted by Peter Galbavy <peter.galbavy@knowtion.net>.
This module is made for CGI scripting. It decodes the parameters
passed to the CGI. It does nothing more, so it's much smaller and
loads more quickly than CGI.pm.
A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5), which allows a specially
crafted URL to be used to return the unprocessed source of a JSP page, or, under
special circumstances, a static resource which would otherwise have been
protected by a security constraint, without the need for being properly
authenticated. This is based on a variant of the exploit that was
disclosed on 09/24/2002.