Affects: net-proxy/paros <= 3.2.5
Paros's HSQLDB integrated database application (in Java) has a default blank 'sa' password.
This allows access to all Paros information in the application database (which may be particularly sensitive as Paros is a security auditing application), and access to execute arbitrary Java statements (part of stored procedure functionality).
Because it is installed as an application, system access may be possible if a security policy is not properly defined for the JVM (most JVMs don't have one).
Resolution: upgrade to 3.2.8, purge older ebuilds from portage.
Credits: Andrew Christansen
net-proxy please advise.
I've marked 3.2.8 stable on x86 (its probation time elapsed anyway), erased old versions (excepting the latest stable - 3.2.4) and I've bumped to 3.2.9.
Ready for GLSA.
Thx for reporting.