htdig: SECURITY: Announcement of 3.1.0b4

Geoff Hutchison (
Fri, 1 Jan 1999 01:39:09 -0500 (EST)

I didn't get a chance to announce version 3.1.0b4 over the "holiday
break." Basically the changes include fixes for memory leaks in htnotify
and htsearch (that "20x performance decrease") and a BIG SECURITY HOLE in

Let me make this very clear: if you use htnotify, either upgrade to
or don't use htnotify. Period.

The hole allows malicious users to execute commands running as the same
user as that running htnotify. This occurs when htnotify runs in to a
webpage with a malicious tag. It does not occur when using htdig,
htmerge, htfuzzy, or htsearch.

I do not know of any cases where this hole has been used. It is present in
all of the 3.1.0bX versions up to 3.1.0b4. It may be present, though to a
lesser degree, in previous versions.

-Geoff Hutchison
Williams Students Online

To unsubscribe from the htdig mailing list, send a message to containing the single word "unsubscribe" in
the body of the message.

This archive was generated by hypermail 2.0b3 on Sat Jan 02 1999 - 16:29:57 PST