Your message dated Tue, 09 May 2006 14:47:14 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#364443: fixed in awstats 6.5-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: awstats
Severity: important
Tags: security
CVE-2006-1945 says:
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5
and earlier allows remote attackers to inject arbitrary web script or
HTML via the config parameter.
http://pridels.blogspot.com/2006/04/awstats-65-vuln.html
This flaw exists because input passed to "config" paremeter in
"awstats.pl" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity. Also
doing XSS vuln. check attacker will get full path disclosure.
This affects version 6.5 (build 1.857) and earlier.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16+vserver
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
--- End Message ---
--- Begin Message ---
Source: awstats
Source-Version: 6.5-2
We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:
awstats_6.5-2.diff.gz
to pool/main/a/awstats/awstats_6.5-2.diff.gz
awstats_6.5-2.dsc
to pool/main/a/awstats/awstats_6.5-2.dsc
awstats_6.5-2_all.deb
to pool/main/a/awstats/awstats_6.5-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated awstats package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 9 May 2006 23:10:43 +0200
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.5-2
Distribution: unstable
Urgency: high
Maintainer: Debian AWStats Team <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description:
awstats - powerful and featureful web server log analyzer
Closes: 364443 365909 365910
Changes:
awstats (6.5-2) unstable; urgency=high
.
[ Charles Fry ]
* Require AWSTATS_ENABLE_CONFIG_DIR environmental variable in order to
enable configdir. Closes: #365910 (thanks to Hendrik Weimer
<[EMAIL PROTECTED]>)
* Integrated security patches from upstream:
+ Decode QueryString. Closes: #364443 (thanks to Micah Anderson
<[EMAIL PROTECTED]>)
+ Sanitize migrate parameter. Closes: #365909 (thanks to Hendrik Weimer
<[EMAIL PROTECTED]>)
* Indent Homepage in long description, per debian reference guideline
.
[ Jonas Smedegaard ]
* Update local cdbs snippet copyright-check.mk:
+ Broaden scan to also look for "(c)" by default.
+ Make egrep options configurable.
* Semi-auto-update debian/control:
+ Bump up versioned build-dependency on debhelper.
* Semi-auto-update debian/copyright_hints (nothing remarkable).
* Set urgency=high as this upload fixes security-related bugs
(bug#365909: CVE-2006-2237).
* Fix including a couple of example shell scripts ignored by mistake.
Files:
bf575ea8463263271c52860d1d7904f1 759 web optional awstats_6.5-2.dsc
1829b872bf69228e57040378475e07a1 18596 web optional awstats_6.5-2.diff.gz
85e53aff0e62a8809e18232617e5aa7f 854100 web optional awstats_6.5-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEYQq/n7DbMsAkQLgRAiKtAJwK4hhf+YU8JANbIsdQ6kvmyujL9QCfRl3U
BCIAGnkI7rd5QDS9ZUBwze4=
=nSGA
-----END PGP SIGNATURE-----
--- End Message ---
