A few weeks ago on the mailing list I discussed an XSS in the URL that is printed on Pound-generated redirect HTML pages. Ideally I think the solution is to escape and print them Apache style. A patch was posted.
Regards,
Kevin

On Wed, Dec 28, 2011 at 7:15 AM, Robert Segall <[email protected]> wrote:
> This is to announce the release of Pound v2.6. This is a stable version.
>
> Changes since version 2.6f:
>
> Enhancements:
> - allow multiple AddHeader directives
>
> Bug fixes:
> - fixed memory leak in config/AddHeader
> - removed call to AC_FUNC_MALLOC for AIX compatibility
> - workaround for AIX getaddrinfo() bug
>
> Changes since 2.5 (last stable version):
>
> Enhancements:
> - support for SNI via multiple Cert directives (thanks to Joe Gooch)
> - pre-defined number of threads for better performance on small hardware
> - translate hexadecimal characters in URL for pattern matching
> - added support for a "Disabled" directive in the configuration
> - added some more detailed error logging
> - allow multiple AddHeader directives
>
> Bug fixes:
> - keep sessions for disabled back-ends, continue using them until the time-out
> - fixed some minor memory leaks
> - use IgnoreCase for CheckURL too
> - fixed some issues with OpenSolaris build (thanks to Spradling Cloyce)
> - fixed some AIX build problems
> - added support for OpenSSL 1.0
> - fix for possible request smuggling by using multiple headers
> - changed long to long long for support of requests larger than 2GB
>
> The software is at version 2.6 (production quality). Further testing
> (especially under heavy loads), improvements and suggestions are welcome.
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-32-512 30 19
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
