openbsd-ports/www
from f77f85dd37 upgrade to 5.22
SECURITY ADVISORY                                      20th March 2002
----------------------------------------------------------------------
Program: analog
Versions: all versions prior to 5.22
Operating systems: all
----------------------------------------------------------------------
Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack.

It is easy for an attacker to insert arbitrary strings into any web
server logfile. If these strings are then analysed by analog, they can
appear in the report. By this means an attacker can introduce
arbitrary Javascript code, for example, into an analog report produced
by someone else and read by a third person. Analog already attempted
to encode unsafe characters to avoid this type of attack, but the
conversion was incomplete.

Although it is not known that this bug has been exploited, it is easy
to exploit, and all users are advised to upgrade to version 5.22 of
analog immediately. The URL for analog is http://www.analog.cx/
I apologise for the inconvenience.

Thank you to Yuji Takahashi, Motonobu Takahashi and Takayuki Matsuki
for their help with this bug.

                                                        Stephen Turner
                                         analog-author@lists.isite.net
2002-03-20 13:09:29 +00:00
amaya Kill remaining RUN_DEPENDS/BUILD_DEPENDS first parters. 2001-11-13 22:13:22 +00:00
analog upgrade to 5.22 2002-03-20 13:09:29 +00:00
august Kill remaining RUN_DEPENDS/BUILD_DEPENDS first parters. 2001-11-13 22:13:22 +00:00
bk2site DESTDIR is handled correctly by default 2001-10-02 01:16:27 +00:00
bluefish update maintainer 2002-02-28 20:06:27 +00:00
cgicc CONFIGURE_STYLE=gnu w/ proper MODGNU_CONFIG_GUESS_DIRS 2001-09-28 06:02:12 +00:00
cgiparse Zap default MAINTAINER from Makefile. 2001-10-28 13:05:44 +00:00
decss www: integrate COMMENT, bump NEED_VERSION. 2001-05-06 04:22:45 +00:00
dillo Update comment, thanks jcs@ 2002-03-20 11:43:52 +00:00
flashplugin no regression test framework 2001-10-25 16:14:51 +00:00
hotjava Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
http_load - woops, since this was an existing port set MAINTAINER back to the 2001-08-06 00:41:48 +00:00
http_ping add http_ping port 2001-08-06 00:33:25 +00:00
jakarta-tomcat update to jakarta-tomcat 3.2.4 2002-03-12 12:57:28 +00:00
jesred update maintainer 2002-02-28 20:06:27 +00:00
jserv *) update to jserv 3.2.4 (sync with jakarta-tomcat 3.2.4) 2002-03-12 13:04:31 +00:00
junkbuster * Fix a typo that causes crashes during config file parsing. 2002-01-20 23:26:07 +00:00
konqueror-embedded Move konqueror-embedded files out of the way, so that no conflict is left. 2002-03-18 04:11:20 +00:00
libghttp sync libtool patches 2001-09-18 20:48:03 +00:00
linkchecker Update Python dependencies. 2002-02-15 19:53:42 +00:00
links update www/links to 0.96; espie@ ok. 2001-07-10 22:51:49 +00:00
mhonarc Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
mindterm Fix master site and homepage; from maintainer marcm@lectroid.net 2001-12-27 00:36:49 +00:00
mod_auth_radius Enable these modules on alpha, powerpc and sparc64. 2002-03-17 05:04:36 +00:00
mod_frontpage change strcat -> strlcat, strcpy -> strlcpy, sprintf -> snprintf 2002-03-15 20:50:04 +00:00
mod_gzip Enable these modules on alpha, powerpc and sparc64. 2002-03-17 05:04:36 +00:00
mod_perl Enable these modules on alpha, powerpc and sparc64. 2002-03-17 04:55:03 +00:00
mozilla add PERMIT_* to shut up reports about this 2001-12-27 12:59:01 +00:00
netscape upgrade to version 4.79 2001-11-19 12:23:52 +00:00
nscache Full lib-depends. 2001-10-24 12:38:46 +00:00
opera Ping-pong. File descriptor sharing across rfork() is safely available 2002-02-27 18:43:34 +00:00
p5-Apache-DBI Kill remaining RUN_DEPENDS/BUILD_DEPENDS first parters. 2001-11-13 22:13:22 +00:00
p5-Apache-MP3 Update to 2.22: 2002-02-07 12:21:39 +00:00
p5-Blatte-HTML Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
p5-CGI Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
p5-CGI-XMLApplication Upgrade to CGI-XMLApplication-1.1.1 2002-01-01 15:25:32 +00:00
p5-HTML-Base Zap default MAINTAINER from Makefile. 2001-10-28 13:05:44 +00:00
p5-HTML-CGIChecker Initial import of HTML-CGIChecker-0.90 2001-08-15 06:48:01 +00:00
p5-HTML-Embperl Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
p5-HTML-Format add p5-HTML-Format (used by demime) 2001-12-26 23:23:25 +00:00
p5-HTML-FromText update my e-mail address and slight tidy 2001-09-07 22:47:38 +00:00
p5-HTML-Mason Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
p5-HTML-Parser Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
p5-HTML-Stream upgrade to version 1.54 2001-10-29 06:53:29 +00:00
p5-HTML-Table upgrade to version 1.12a 2001-10-29 06:55:33 +00:00
p5-HTML-TableExtract Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
p5-HTML-Tagset www: integrate COMMENT, bump NEED_VERSION. 2001-05-06 04:22:45 +00:00
p5-HTML-Tree Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
p5-HTTP-GHTTP Use MACHINE_ARCH instead of ARCH in PLIST for m68k-based architectures. 2001-05-10 19:20:40 +00:00
p5-libwww update to p5-libwww-5.63 2001-12-27 22:06:38 +00:00
p5-URI Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
php3 Enable these modules on alpha, powerpc and sparc64. 2002-03-17 04:55:03 +00:00
php4 Enable these modules on alpha, powerpc and sparc64. 2002-03-17 04:55:03 +00:00
reportmagic Import reportmagic 2.13l; submitted by Sam Smith <s@msmith.net>. 2002-02-27 01:01:57 +00:00
squid remove section which disables optimization, our compiler does not seem to have this bug. also fixes build on powerpc. 2002-03-19 15:20:07 +00:00
surfraw Update to 1.0.7: 2001-12-25 17:26:50 +00:00
thttpd upgrade to thttpd 2.22b4 2001-11-24 03:13:57 +00:00
tidy www: integrate COMMENT, bump NEED_VERSION. 2001-05-06 04:22:45 +00:00
transproxy transproxy is used with pf, not ipfilter; nick@wanadoo.be 2002-02-11 13:38:27 +00:00
w3m fix distfile fetching for m17n flavor 2002-03-11 23:00:24 +00:00
w3mir Kill first component of BUILD_DEPENDS. 2001-11-10 15:00:47 +00:00
webalizer NO_REGRESS= Yes 2001-11-13 20:14:39 +00:00
weblint www: integrate COMMENT, bump NEED_VERSION. 2001-05-06 04:22:45 +00:00
wwwcount md5 -> distinfo 2001-12-27 03:59:43 +00:00
wwwoffle Zap default MAINTAINER from Makefile. 2001-10-28 13:05:44 +00:00
xmhtml NO_REGRESS, from maintainer 2001-10-31 20:09:18 +00:00
zope zope 2.5.0 2002-02-15 19:55:56 +00:00
zope-cmf add zope-cmf-1.2 2002-03-12 02:55:18 +00:00
Makefile Add dillo 2002-03-18 14:39:23 +00:00