Commit Graph

33 Commits

Author SHA1 Message Date
form
d57fd5fdbc Upgrade to 5.23 (form interface security fix). 2002-05-15 02:14:19 +00:00
espie
d900d189e1 Bump NEED_VERSION 2002-03-21 21:25:50 +00:00
form
f77f85dd37 upgrade to 5.22
SECURITY ADVISORY                                      20th March 2002
----------------------------------------------------------------------
Program: analog
Versions: all versions prior to 5.22
Operating systems: all
----------------------------------------------------------------------
Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack.

It is easy for an attacker to insert arbitrary strings into any web
server logfile. If these strings are then analysed by analog, they can
appear in the report. By this means an attacker can introduce
arbitrary Javascript code, for example, into an analog report produced
by someone else and read by a third person. Analog already attempted
to encode unsafe characters to avoid this type of attack, but the
conversion was incomplete.

Although it is not known that this bug has been exploited, it is easy
to exploit, and all users are advised to upgrade to version 5.22 of
analog immediately. The URL for analog is http://www.analog.cx/
I apologise for the inconvenience.

Thank you to Yuji Takahashi, Motonobu Takahashi and Takayuki Matsuki
for their help with this bug.

                                                        Stephen Turner
                                         analog-author@lists.isite.net
2002-03-20 13:09:29 +00:00
form
c8e6ea89c9 upgrade to 5.21 2002-03-01 10:07:25 +00:00
form
b21de6366f upgrade to 5.1 2001-11-22 11:10:39 +00:00
form
9bd965814b upgrade to 5.03 2001-08-13 03:44:39 +00:00
form
bf1c914d7a upgrade to 5.02
http://www.reverse.net/analog/ -> http://redmoon.reverse.net/analog/
There seems to be a problem with analog.cx's website, so
put mirrors ahead and temporarily change HOMEPAGE.

Thanks to Jeff Bachtel <Jeff.Bachtel@isc.tamu.edu>
2001-07-03 02:24:13 +00:00
form
39d8f16d44 upgrade to 5.01 2001-05-20 05:56:36 +00:00
form
8c3046a465 move COMMENT to Makefile 2001-03-29 09:52:20 +00:00
form
0079eab07b Use SYSCONFDIR instead of hardcoded /etc; naddy@ 2001-02-27 03:46:23 +00:00
form
3ffad06f7c Update to 4.16.
Fixed buffer overflow.

>SECURITY ADVISORY                                   13th February 2001
>----------------------------------------------------------------------
>Program: analog
>Versions: all versions except 4.16 and 4.90beta3
>Operating systems: all
>----------------------------------------------------------------------
>There is a buffer overflow bug in all versions of analog released
>prior to today. A malicious user could use an ALIAS command to
>construct very long strings which were not checked for length.
>
>This bug is particularly dangerous if the form interface (which allows
>unknown users to run the program via a CGI script) has been installed.
>
>This bug was discovered by the program author, and there is no known
>exploit. However, users are advised to upgrade to one of the two safe
>versions immediately, especially if they have installed the form
>interface. The URL is http://www.analog.cx/
>
>I apologise for the inconvenience.
>                                                        Stephen Turner
2001-02-25 08:04:05 +00:00
form
e6b3c0df6c upgrade to 4.14 2001-01-23 11:37:44 +00:00
form
cf210ccbab Upgrade to 4.13 2000-12-22 10:55:03 +00:00
form
9e65d3c443 add full name to MAINTAINER 2000-10-09 06:50:25 +00:00
form
1c122d39ff fix compiling; turan@
add HOMEPAGE
2000-06-16 03:32:24 +00:00
form
bf7a0796c3 remove FAKE=yes 2000-06-15 05:37:11 +00:00
form
e6d76ad7f4 upgrade to 4.11
install examples
2000-05-31 18:48:37 +00:00
form
663876fb09 upgrade to 4.1 2000-04-01 17:23:54 +00:00
form
ecdca085b0 Upgrade to 4.04. 2000-03-22 10:37:15 +00:00
form
4d5be7f9d8 Upgrade to 4.03.
Fake.
PERMIT_*
2000-03-20 11:04:48 +00:00
turan
3c4165d831 again 2000-03-03 12:43:46 +00:00
turan
03325804f1 broken, installs files automatically in /etc 2000-03-03 11:25:05 +00:00
form
124cb55ce6 update to 4.02 2000-02-16 20:10:32 +00:00
espie
4420842031 All the Makefiles cvs missed first time around... 2000-02-16 10:52:08 +00:00
form
32e033aaa8 Update to 4.01. 1999-12-20 03:04:44 +00:00
form
663f31d987 update to 4.0 1999-12-13 17:26:55 +00:00
form
75847d18a5 update to 3.32 1999-09-16 14:09:25 +00:00
form
ad72b49b62 Update to 3.31. 1999-07-05 19:35:57 +00:00
brad
edfc222a46 - change email addresses, form@ to ports@
- remove unnecessary comments
1999-04-09 04:11:45 +00:00
fgsch
1d37567787 Update to 3.11. Change master sites. 1999-02-24 06:07:26 +00:00
form
7c4ea1f82d update to 3.1 1998-11-10 05:06:35 +00:00
form
03a6993c8e form@vs.itam.nsc.ru -> form@openbsd.org 1998-10-20 08:39:43 +00:00
form
2b84583430 analog 3.0, powerful httpd log analyzer with CGI. 1998-08-11 09:14:46 +00:00