120352 2006-01-25 15:40 0000 net-proxy/paros <= 3.2.5 default 'sa' password, db and system access 2006-01-29 13:22:10 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.securiteam.com/unixfocus/5NP0815HFG.html B1 [glsa] P2 normal --- 1 thehandoftyr@gmail.com security@gentoo.org net-proxy@gentoo.org thehandoftyr@gmail.com 2006-01-25 15:40:44 0000 Affects: net-proxy/paros <= 3.2.5 Paros's HSQLDB integrated database application (in Java) has a default blank 'sa' password. this allows access to all Paros information in the application database (which may be particularly sensitive as Paros is a security auditing application), and access to execute arbitary Java statements (part of stored procedure functionality). because it is installed as an application, system access may be possible if a security policy is not properly defined for the JVM (most JVM's don't have one). Resolution: upgrade to 3.2.8, purge older ebuilds from portage. Credits: Andrew Christansen jaervosz@gentoo.org 2006-01-25 22:50:40 0000 net-proxy please advise. mrness@gentoo.org 2006-01-26 00:07:47 0000 I've marked 3.2.8 stable on x86 (its probation time elapsed anyway), erased old versions (excepting the latest stable - 3.2.4) and I've bumped to 3.2.9. dercorny@gentoo.org 2006-01-26 11:29:40 0000 ready for glsa jaervosz@gentoo.org 2006-01-29 13:22:10 0000 GLSA 200601-15 Thx for reporting.