NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

use Perl

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Without JavaScript enabled, you might want to use the classic discussion system instead. If you login, you can remember this preference.

I can see their point... (Score:1)

by Phred (5358)

There is change in the Apache logging API starting at 2.0.49 which escapes data written to the error logs. See this link on the mod_perl [apache.org] website. So their may be some concern for those running webmin as root. But in my experience, it's always preferable to run daemons as non privileged users whenever possible.
- Re:I can see their point... (Score:1)
  
  by Phred (5358)
  
  Yikes, what happened to my grammar in that last comment? Where's the edit button? :)
Update (Score:1)

by statico (5018)

After some communcation, the description of the security notice on the Webmin site has been updated, but the incorrect title remains.

--
qw(Ian Langworth)
Details (Score:1)

by rafael (2125)

More details at the Perl foundation weblog [perlfoundation.org].
Update #2 (Score:1)

by statico (5018)

The title has been fixed, plus there's an announcement [perl.org] on the use Perl; main page.

--
qw(Ian Langworth)
Hmmm (Score:1)

by Abigail (26)

Let's see. Webmin uses Sys::Syslog, whose syslog function, unlike its C-library cousin, passes its arguments to sprintf, a Perl function that contains an integer overflow bug. sprintf also happily accepts tainted data.
Yet you claim the fault lies entirely at the side of webmin.
I disagree. Sure, webmin has a fault, but the results of the fault wouldn't be as damaging as they are now because of the overflow bug in sprintf.