SECURITY ADVISORY 20th March 2002
----------------------------------------------------------------------
Program: analog
Versions: all versions prior to 5.22
Operating systems: all
----------------------------------------------------------------------
Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack.
It is easy for an attacker to insert arbitrary strings into any web
server logfile. If these strings are then analysed by analog, they can
appear in the report. By this means an attacker can introduce
arbitrary Javascript code, for example, into an analog report produced
by someone else and read by a third person. Analog already attempted
to encode unsafe characters to avoid this type of attack, but the
conversion was incomplete.
Although this bug is not known to have been exploited, it is easy to
exploit, and all users are advised to upgrade to version 5.22 of
analog immediately. The URL for analog is http://www.analog.cx/
I apologise for the inconvenience.
Thank you to Yuji Takahashi, Motonobu Takahashi and Takayuki Matsuki
for their help with this bug.
Stephen Turner
analog-author@lists.isite.net
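The following is an added example, not analog's code and not part of the
advisory, showing the class of bug described above on constructed data: a
tiny report generator over Apache "combined" log lines that an attacker has
seeded simply by sending requests with crafted Referer and User-Agent
headers (assuming, as the example does, a logger that writes those header
bytes verbatim). The incomplete escaper handles text context only; the
hardened version escapes quotes as well and only links Referer values whose
scheme is http or https. The log lines, the report layout and the helper
names are all invented for the example.

```python
"""Log injection -> stored XSS in a log report, beside the hardened form.

Added example, not analog's code.  Sample log lines are constructed, not
captured traffic.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines.  Lines 3 and 4 carry payloads an
# attacker plants just by sending the request; the logger (assumed here to
# write header bytes verbatim) stores them unchanged.
SAMPLE_LOG = r"""
192.0.2.10 - - [20/Mar/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1234 "http://www.example.net/" "Mozilla/4.0"
192.0.2.11 - - [20/Mar/2002:10:00:02 +0000] "GET /docs/ HTTP/1.0" 200 512 "-" "Lynx/2.8"
198.51.100.7 - - [20/Mar/2002:10:00:03 +0000] "GET /about.html HTTP/1.0" 200 800 "http://evil.example/" onmouseover="alert(1)" "Mozilla/4.0"
198.51.100.8 - - [20/Mar/2002:10:00:04 +0000] "GET /x HTTP/1.0" 404 0 "javascript:alert(2)" "<script>alert(3)</script>"
""".strip()

# Referer is matched greedily so an embedded quote (line 3) stays in the field.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>.*)" "(?P<agent>.*)"$'
)


def parse_log(text):
    """Return one dict per line that matches the combined format."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def escape_incomplete(s):
    """Text-context escaping only: stops <script> in a cell, but leaves the
    double quote alone, so a value placed inside href="..." can break out."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def report_vulnerable(rows):
    """Hypothetical report with the incomplete conversion (the bug class)."""
    out = ["<table>"]
    for r in rows:
        ref = escape_incomplete(r["referer"])
        agent = escape_incomplete(r["agent"])
        out.append(f'<tr><td><a href="{ref}">{ref}</a></td><td>{agent}</td></tr>')
    out.append("</table>")
    return "\n".join(out)


def safe_href(url):
    """Return url only if it is a plain http(s) URL with a host; else None.
    This keeps javascript: referers from becoming clickable links."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return url
    return None


def report_hardened(rows):
    """Same report with complete escaping (quotes included) and an href
    scheme allow-list; non-URL referers such as "-" are shown as text."""
    out = ["<table>"]
    for r in rows:
        ref = r["referer"]
        text = html.escape(ref, quote=True)
        href = safe_href(ref)
        cell = f'<a href="{html.escape(href, quote=True)}">{text}</a>' if href else text
        agent = html.escape(r["agent"], quote=True)
        out.append(f"<tr><td>{cell}</td><td>{agent}</td></tr>")
    out.append("</table>")
    return "\n".join(out)


# Detection side: flag log rows carrying markup characters or a script URL
# in any attacker-controlled field, e.g. to alert before a report is read.
SUSPECT_RE = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)


def injection_suspects(rows):
    """Hosts whose request, referer or user-agent looks like an injection."""
    return [r["host"] for r in rows
            if any(SUSPECT_RE.search(r[f]) for f in ("request", "referer", "agent"))]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("suspect hosts:", injection_suspects(rows))
    print("--- incomplete escaping ---")
    print(report_vulnerable(rows))
    print("--- complete escaping + href allow-list ---")
    print(report_hardened(rows))
```

Run it and compare the two reports: the incomplete escaper defeats the
`<script>` in the User-Agent but leaves `onmouseover="alert(1)"` live inside
the link and emits a clickable `javascript:` link; the hardened output has
neither. The point the advisory makes is the second half: escaping has to
cover every context the value lands in, not just the characters that stop
the obvious `<script>` case.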
Castle-Combat is a clone of the arcade classic, Rampart. This version
currently supports 2 to 4 players on local or remote servers. Players
build castle walls, place cannons inside these walls, and shoot at the
walls of their enemies. If a player can't build a complete wall around
one of his castles, he loses. The last surviving player wins.
incrementing the fns elisp file needed for Eshell and bumping
Emacs version to 21.1.2 rather than the expected 21.1.1.
Needs more investigation. ok espie@
--
neon is an HTTP and WebDAV client library, with a C interface.
Featuring:
* High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc)
* Low-level interface to HTTP request handling, to allow implementing new
methods easily.
* persistent connections
* RFC2617 basic and digest authentication (including auth-int, md5-sess)
* Proxy support (including basic/digest authentication)
* SSL/TLS support using OpenSSL (including client certificate support)
* Generic WebDAV 207 XML response handling mechanism
* XML parsing using the expat or libxml parsers
* Easy generation of error messages from 207 error responses
* WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL.
* WebDAV metadata support: set and remove properties, query any set of
properties (PROPPATCH/PROPFIND).
* autoconf macros supplied for easily embedding neon directly inside an
application source tree.
WWW: http://www.webdav.org/neon/
--
cadaver is a command-line WebDAV client for Unix. It supports file
upload, download, on-screen display, namespace operations (move/copy),
collection creation and deletion, and locking operations.
It even works just fine with Apple's iDisk!
WWW: http://www.webdav.org/cadaver/
o now supports playing mp3 (via madplay/sox)
o include a transformation script called mksong.sh
o rename main binary from tempest to tempest_for_eliza because
there's now another one called tempest_for_mp3
o md5 -> distinfo
o bump NEED_VERSION
o don't need to fool automake
--
Dillo is a graphical web browser that's completely written in C,
very fast, small in code and binary. It basically depends on GTK+,
and renders a good subset of HTML; frames are handled the same way as in
lynx. No JVM, no JavaScript.