Affects: net-proxy/paros <= 3.2.5

Paros's HSQLDB integrated database application (in Java) has a default blank 'sa' password. This allows access to all Paros information in the application database (which may be particularly sensitive as Paros is a security auditing application), and access to execute arbitrary Java statements (part of stored procedure functionality). Because it is installed as an application, system access may be possible if a security policy is not properly defined for the JVM (most JVMs don't have one).

Resolution: upgrade to 3.2.8, purge older ebuilds from portage.

Credits: Andrew Christansen
net-proxy please advise.
I've marked 3.2.8 stable on x86 (its probation time elapsed anyway), erased old versions (excepting the latest stable - 3.2.4) and I've bumped to 3.2.9.
ready for glsa
GLSA 200601-15 Thx for reporting.
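An added example, not part of the original report or of Paros's own code: a defender-side audit that scans a directory tree for HSQLDB `.script` files declaring a user with a blank password, the condition described in the report at the top of this thread. It assumes the `CREATE USER` forms HSQLDB writes to its `.script` file (plain quoted password in 1.x, MD5 `DIGEST` in 2.x); the function names and sample strings are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Assumption: HSQLDB 1.x writes  CREATE USER SA PASSWORD ""  and 2.x writes
# CREATE USER SA PASSWORD DIGEST '<md5 hex>'  in the database's .script file.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of the empty password
CREATE_USER = re.compile(
    r"""^\s*CREATE\s+USER\s+"?(?P<user>\w+)"?\s+PASSWORD\s+
        (?:DIGEST\s+'(?P<digest>[0-9a-fA-F]*)'|"(?P<plain>[^"]*)")""",
    re.IGNORECASE | re.VERBOSE,
)

def blank_password_users(script_text):
    """Return the user names declared with an empty password."""
    hits = []
    for line in script_text.splitlines():
        m = CREATE_USER.match(line)
        if not m:
            continue
        digest, plain = m.group("digest"), m.group("plain")
        if plain == "" or (digest is not None and digest.lower() in ("", EMPTY_MD5)):
            hits.append(m.group("user").upper())
    return hits

def scan_tree(root):
    """Map each *.script file under root to its blank-password users."""
    findings = {}
    for path in Path(root).rglob("*.script"):
        users = blank_password_users(path.read_text(errors="replace"))
        if users:
            findings[str(path)] = users
    return findings

# Constructed sample input, not taken from a real Paros installation.
SAMPLE_1X = 'CREATE SCHEMA PUBLIC AUTHORIZATION DBA\nCREATE USER SA PASSWORD ""\nGRANT DBA TO SA\n'
SAMPLE_SET = 'CREATE USER SA PASSWORD "9F2C1A"\n'

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, users in scan_tree(root).items():
        print(f"{path}: blank password for {', '.join(users)}")
```

A hit means the account should be given a password or the package upgraded as the resolution above states.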