A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5), which allows a specially
crafted URL to be used to return the unprocessed source of a JSP page or,
under special circumstances, a static resource which would otherwise have
been protected by a security constraint, without being properly
authenticated. This is based on a variant of the exploit that was
disclosed on 09/24/2002.
The issue involves the security of the indexes of ZCatalog objects. A flaw
in the security settings of ZCatalog allows anonymous users to call arbitrary
methods of catalog indexes. The vulnerability also allows untrusted code to
do the same.
--
From: MAINTAINER
- include the domxml extension as a subpackage
- include some extra modules with PEAR which also disappeared
- only link against freetype1, not freetype2
from a buffer overflow.
- Pick up any plugins in lib/ns-plugins by default.
Issue pointed out by David Krause <openbsd@davidkrause.com>.
Principal changes ok kevlo@
Users are advised to install the www/flashplugin port for Flash support.
--
tinyproxy is a GPLed, lightweight HTTP/SSL proxy. Designed from the ground
up to be fast and yet small, it is an ideal solution for sites where a
full-featured HTTP proxy is required, but the system resources required to
run a more demanding HTTP proxy are unavailable. tinyproxy is fully compatible
with all existing web browsers, and has a number of useful features.
- patch for snmp to link with libdes
- stop libtool from helpfully mangling the ld.so hints file with
crap from the ports build directory by removing the finish_command
- MESSAGE file reflects phpxs command
- ltmain patch no longer needed
- move the php.ini extension lines to the end of the file
- introduce a new 'phpxs' command which enables/disables
modules from a shell without needing to manually edit php.ini
- libphp4.so now installs into the same module dir as the extensions
- php4-enable is now done by 'phpxs -s' so remove it
tested by wilfried@, feedback from naddy@
--
Nag is the Horde task list application. It stores todo items, things
due later this week, etc. It is very similar in functionality to
the Palm ToDo application.
--
Kronolith is the Horde calendar application. It provides a stable
and featureful individual calendar system for every Horde user, and
collaboration/scheduling features are starting to take shape. It
makes extensive use of the Horde Framework to provide integration
with other applications.
--
Turba is the Horde contact management application. It makes heavy
use of the Horde framework to provide integration with other
applications such as the IMP webmail system.
My Calendar is a lightweight, easy-to-use Web calendar.
There is also an included email script that you can have cron run everyday
to remind you of upcoming appointments.
Included is a script to convert an online calendar to a printable postscript
format using pscal.
PEAR is a set of class libraries for PHP4 - similar to CPAN.
This module installs the default 4.2.1 modules, and some extra ones
which mysteriously disappeared from the 4.1.2 -> 4.2.1 transition.
Also included are some command-line utilities to add more modules from
the PEAR web site.
espie@ ok
This module generates a bunch of php4 extensions as shared modules,
and separates them out into multiple packages.
End result is that you can pkg_add individual modules now without
getting into the mess of flavors that we've had in the past.
Work by wilfried@ and me, espie@ ok
Installs the barebones php4 with only the gettext, iconv and recode
modules compiled in.
All of the other modules have to be installed as shared modules on
top of this.
In addition to the Apache module, this package also includes a php
command-line binary which can be used in shell scripts. The binary
uses the same /var/www/conf/php.ini file as the Apache module.
There is some non-i386 breakage at the moment (notably macppc).
Work by wilfried@ and me. espie@ ok
A few PEAR modules have disappeared completely during the PECL transition
so they are temporarily included here to avoid breaking dependencies
within the ports tree.
GtkHTML is a lightweight HTML rendering/printing/editing engine.
It was originally based on KHTMLW, part of the KDE project, but is
now being developed independently.
Submitted by maintainer Marc Matteo <marcm@lectroid.net>, with
some fixes from me.
calamaris parses logfiles from Squid, NetCache, Inktomi Traffic Server,
Oops! proxy server, Novell Internet Caching System, Compaq Tasksmart
or Netscape/iplanet Web Proxy Server and generates a report.
Written in perl5.
* bump NEED_VERSION
* security fix: buffer overflow in DNS resolver
* includes other bugfixes
* some strcpy/strncpy/sprintf calls changed to strlcpy/snprintf
The issue involves a vulnerability involving "through the web code"
inadvertently allowing an untrusted user to remotely shut down a
Zope server by allowing the user to inject special headers into the
response. If you allow untrusted users to write "through the web"
code like Python Scripts, DTML Methods, or Page Templates, your
Zope server is vulnerable.
- use parsedir result to append '/',
- use ftpOpenDir instead of recoding it by hand,
- handle special case of an empty path, for URLs without trailing slashes
(last problem found by brad@).
Turns out the launcher spawns children, but is not the main process.
For whatever reason, the SIGCHLD handler did not get propagated, and
it doesn't serve any purpose to add waitpid to Slave::kill, since it's
not run from the launcher, but the main process...
knows if 2.5.1 is going to come out in time for the release.
Also add my patch to fix setuid support (not used by default) and
set our own version string to distinguish this from an "official"
Zope release.
"Apache::ASP provides an Active Server Pages port to the Apache Web
Server with Perl scripting only, and enables developing of dynamic
web applications with session management and embedded perl code."
SECURITY ADVISORY 20th March 2002
----------------------------------------------------------------------
Program: analog
Versions: all versions prior to 5.22
Operating systems: all
----------------------------------------------------------------------
Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack.
It is easy for an attacker to insert arbitrary strings into any web
server logfile. If these strings are then analysed by analog, they can
appear in the report. By this means an attacker can introduce
arbitrary Javascript code, for example, into an analog report produced
by someone else and read by a third person. Analog already attempted
to encode unsafe characters to avoid this type of attack, but the
conversion was incomplete.
Although it is not known that this bug has been exploited, it is easy
to exploit, and all users are advised to upgrade to version 5.22 of
analog immediately. The URL for analog is http://www.analog.cx/
I apologise for the inconvenience.
Thank you to Yuji Takahashi, Motonobu Takahashi and Takayuki Matsuki
for their help with this bug.
Stephen Turner
analog-author@lists.isite.net
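The log-injection risk the advisory describes, as an added example that is not analog's code: a small Python report generator parses constructed combined-format log lines and renders them once with a deliberately incomplete encoder (a simplified model assumed here, not analog's actual conversion) and once with a complete one, showing that encoding tag characters alone still leaves an attribute context breakable.

```python
import html
import re

# Apache "combined" log format; quoted fields may hold backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
                    + QUOTED + ' ' + QUOTED + '$')

def unescape_field(field):
    """Undo the backslash escaping so we work on the real field value."""
    return re.sub(r'\\(.)', r'\1', field)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, request, status, nbytes, referrer, agent = m.groups()
    return {"host": host, "time": when, "request": unescape_field(request),
            "status": int(status), "referrer": unescape_field(referrer),
            "agent": unescape_field(agent)}

def partial_encode(s):
    """Simplified model of an incomplete conversion: tag characters are
    encoded but quotes are not, so attribute contexts remain breakable."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def full_encode(s):
    """Encode every HTML-significant character, quotes included."""
    return html.escape(s, quote=True)

def render_row(rec, encode):
    """One report row: referrer lands in an href attribute, the rest in cells."""
    ref = encode(rec["referrer"])
    return (f'<tr><td>{encode(rec["host"])}</td><td>{encode(rec["request"])}</td>'
            f'<td><a href="{ref}">{ref}</a></td><td>{encode(rec["agent"])}</td></tr>')

def render_report(lines, encode):
    """Build the HTML table; unparseable lines are skipped rather than echoed."""
    rows = [render_row(rec, encode) for rec in map(parse_line, lines) if rec]
    return "<table>\n" + "\n".join(rows) + "\n</table>"

# Constructed sample log lines: the second carries injected markup in the
# request and a quote-escaped referrer, the kind of input the advisory describes.
SAMPLE_LOG = [
    '10.0.0.1 - - [20/Mar/2002:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [20/Mar/2002:10:00:01 +0000] "GET /<script>alert(1)</script> HTTP/1.0" 404 0 '
    '"http://evil.test/\\" onmouseover=\\"alert(1)" "Bot"',
]
```

Run `render_report(SAMPLE_LOG, partial_encode)` and `render_report(SAMPLE_LOG, full_encode)` side by side: only the second keeps the referrer inside the href attribute.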
--
Dillo is a graphical web browser that's completely written in C,
very fast, small in code and binary. It basically depends on GTK+,
and renders a good subset of HTML; frames are managed the same as lynx,
no jvm, no javascript.
i386-unknown-freebsd3.5 when I'm actually on a powerpc-unknown-openbsd3.0
system, turns out there is a stale auto-generated autoconf.h in the
distfile.
*) mark BROKEN:
HANDLER THREAD PROBLEM: java.net.SocketException: Resource temporarily unavailable: Resource temporarily unavailable
java.net.SocketException: Resource temporarily unavailable: Resource temporarily unavailable
at java.net.SocketInputStream.socketRead(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:90)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
at org.apache.tomcat.service.connector.AJP12RequestAdapter.readNextRequest(Ajp12ConnectionHandler.java:233)
at org.apache.tomcat.service.connector.Ajp12ConnectionHandler.processConnection(Ajp12ConnectionHandler.java:147)
at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
at java.lang.Thread.run(Thread.java:484)
closes a security issue in multipart form handling (buffer overflow)
temporarily disable the freetds flavour, since the m4 patch cannot
seem to be regenerated
PHP supports multipart/form-data POST requests (as described in RFC1867)
known as POST file uploads. Unfortunately there are several flaws in the
php_mime_split function that could be used by an attacker to execute
arbitrary code.
- broken boundary check
- arbitrary heap overflow
--
Ok'd by: maintainer
This program is an add-on for Analog, which produces nice looking
reports from the analysis of your logfiles. It does not require
Analog to be installed, merely the output from analog to be available