Le Mar 14 nov 06 à 20:14:26 +0100, Remko Lodder <[EMAIL PROTECTED]> écrivait : > Simon L. Nielsen wrote: > >On 2006.11.14 16:57:17 +0000, Xin LI wrote: > >>delphij 2006-11-14 16:57:17 UTC > >> > >> FreeBSD ports repository > >> > >> Modified files: > >> security/vuxml vuln.xml > >> Log: > >> The Command Injection Vulnerability was corrected by awstats 6.5_2,1. > >> > >> Submitted by: Alex Samorukov > >> PR: ports/105233 > > > >Have you checked that the issues have really been fixed? > > > > That was exactly the reason why I did not mark the entry > as fixed yet...
I committed PR ports/104784, because it seems to me that the submitted patch back-ported fixes from the devel version, as advertized by the maintainer. Unfortunately, AWStats is affected by several vulnerabilities, and it's not clear to me which one is concerned by VuXML ID 2df297a2-dc74-11da-a22b-000c6ec775d9. Perhaps should we precise the CVE references and / or add another entry in VuXML? References: - Vendor's explanations: <http://awstats.sourceforge.net/awstats_security_news.php> - VuXML entry: <http://www.vuxml.org/freebsd/2df297a2-dc74-11da-a22b-000c6ec775d9.html> - PR ports/104784: <http://www.freebsd.org/cgi/query-pr.cgi?pr=104784> - CVE-2006-3681 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3681> - Debian's PR with patches & discussion: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=364443> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365909> Regards, -- Th. Thomas. _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "[EMAIL PROTECTED]"
