Mailing List Archive

Analog version 5.23 released
| This is the analog-announce mailing list. To unsubscribe from this
| mailing list, go to
Dear analog users,

Welcome to this list, if you've joined since the last message.

This is to let you know that I have just released version 5.23 of analog,
which among other things fixes an important bug in the form interface.

I've issued the security advisory below against previous versions: but
please note that this issue will only affect a small proportion of users,
namely those who have installed the form interface and made it available to
untrusted users. Most people don't need to upgrade from 5.22. Read the
advisory for more information.

My other news is that I've got a new job, but I'll save that for another
mail later in the week because I want to get this one sent out.

Stephen Turner, Cambridge, UK
"This is Henman's 8th Wimbledon, and he's only lost 7 matches." BBC, 2/Jul/01


Program: analog form interface,
Versions: all versions prior to 5.23
Operating systems: all
Type: denial of service (disk space)
This advisory _only_ affects users who have installed the optional
form interface to analog,, and made it available to
untrusted users. Please note that it's not usually a good idea to do
this anyway. There are other obvious denial-of-service attacks
available to untrusted users who can run CPU-intensive programs on
your system, which this advisory cannot and does not attempt to
address. is the CGI front end to analog, allowing analog to be
controlled from a web form. As a security precaution, anlgform refuses
to pass on to analog certain commands which should not be available to
untrusted users.

In all versions prior to 5.23, the default installation of the program
omitted one command which should have been on this forbidden list. The
PROGRESSFREQ command allows regular updates on the progress of analog
to be written to stderr. If an untrusted user can use this command, he
can set the updates to be written very often, quickly filling up the
web server error log. On a typical machine, this could prevent any
messages being written to any other system log files, which could mask
another attack.

Users in the vulnerable category are advised to consider whether should be available to untrusted users at all. If they
still want to make it available, they are advised to upgrade to
version 5.23 of analog immediately. The URL for analog is

Stephen Turner