"Cross-site scripting (XSS) vulnerability in ht://dig allows remote
attackers to execute arbitrary web script or HTML via the config
parameter, which is not properly sanitized before it is displayed
in an error message."
Patch from Debian. Bump PKGREVISION.
The following is from the web page:
Release notes for htdig-3.1.6 1 Feb 2002
As with previous releases, this version cleans up some remaining bugs and adds a few
heavily-requested features. As the latest stable release, it is recommended for all
production servers.
* Fixed another nasty security hole in htsearch, which would allow a denial of service
attack or forcing htsearch to read in config files outside of the configuration
directory.
* Fixed some problems with htmerge, including problems with words beginning with special
characters and merging multiple databases.
* Fixed a bug in handling hopcounts.
* Fixed problems in handling non-standard relative HTTP redirects.
* Fixed bugs in external parsers support including being confused by charset information
in the Content-Type header and handling binary output from external converters.
* Fixed bugs in the default English endings database. (Under ispell, it wasn't quite
intended for the accuracy needed for our usage.)
* Fixed additional bugs in the endings fuzzy algorithm.
* Fixed bugs with compiling with gcc-3.0 and later.
* Fixed bugs compiling and running on Mac OS X.
* Fixed problems with servers not returning a Last-Modified date--now assumes indexing
time as modification time.
* Fixed a variety of bugs in the HTML parser to more flexibly handle non-standard HTML.
* Fixed problems in the TCP connection code and will more reliably timeout when a
connection hangs and will retry bad connections several times before giving up.
* Added the -m "minimal" flag to htdig for only indexing a set list of URLs and made the
-l (log) flag the default behavior so that htdig will stop and restart automatically.
* Added htdump and htload programs for dumping ASCII representations of the databases
and reloading the same.
* Added support for htnotify to collect multiple URLs and allow easy customization of
notification messages, including the new attributes htnotify_replyto,
htnotify_webmaster, htnotify_prefix_file, and htnotify_suffix_file.
* Added a new "accents" fuzzy algorithm to morph accents, including the new accents_db
attribute.
* Added a 'list all' feature to htsearch with a query of '*' or the current
prefix_match_character.
* Added date restricted searching to htsearch including relative dates.
* Added documentation on running ht://Dig and the rundig script.
* Added METADESCRIPTION and NSTARS variables to the htsearch templates as well as
support for $=(var) template variable references.
* Added new config attributes to htsearch for restrict and exclude which work like the
normal htsearch form variables if the form variables are not set.
* Added many new attributes, including ignore_dead_servers, description_meta_tag_names,
max_keywords, translate_latin1, url_rewrite_rules, search_rewrite_rules,
anchor_target, ignore_alt_text, search_results_contenttype, boolean_keywords,
boolean_syntax_errors, multimatch_method, maximum_page_buttons, max_excerpts,
plural_suffix, any_keywords and use_doc_date.
* Extended the build_select_lists attribute to support select multiple, radio boxes and
checkboxes.
* Revised the documentation to make it clearer in parts, including the url_part_aliases
attribute.
* Updated various contributed utilities including doc2html, xmlsearch, rundig.sh,
htparsedoc, acroconv.pl, multidig, etc.
* A variety of other bug fixes, and many documentation updates. See the ChangeLog for
details.
or at <http://www.htdig.org/RELEASE.html>.
To the package:
- Remove NOT_FOR_PLATFORM, as I failed to duplicate the reported problem
(using a mac68k-1.3H system).
- Move htsearch to libexec/cgi-bin, where apache might look for it.
- Don't extract included db-2.6.4 directory.
- Add comment to patch for configure.in, explaining how to reconstruct
patch to configure. Committing them both eases maintenance and permits
building without extracting htdig-*/db, and without autoconf.
Suggestions by Kimmo Suominen.
- Disable build on NetBSD-1.3[A-J] (needs libstdc++).
- Use databases/db (currently db-2.7.3), instead of
included db-2.6.4.