Bug 293981 - <www-misc/awstats-6.95: Security bump (CVE requested)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://awstats.sourceforge.net/docs/a...
Whiteboard: B4 [noglsa]
Reported: 2009-11-21 20:04 UTC by Tom Hendrikx
Modified: 2010-11-21 16:20 UTC

Attachments
add ipv6 dependencies for ebuild (awstats.ebuild-ipv6.patch,346 bytes, patch)
2009-11-21 20:07 UTC, Tom Hendrikx

Description Tom Hendrikx 2009-11-21 20:04:49 UTC
Awstats has a new version out (6.95), with some updates in browser and search engine detection, and some security fixes. Renaming the ebuild is enough for a working install.

Also I changed the ebuild to implement the ipv6 USE flag. Diff against current ebuild is attached.

NB I only use static built pages, so I had no opportunity to test the CGI web-interface.
Comment 1 Tom Hendrikx 2009-11-21 20:07:25 UTC
Created attachment 210816
add ipv6 dependencies for ebuild
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-11-21 22:45:29 UTC
Guess if web-apps doesn't mind I'll be doing this (I use awstats myself).
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-11-21 22:59:44 UTC
Thanks Tom, committed to tree now.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-21 23:17:03 UTC
There was a security patch, security wants this one. :)
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-05 08:11:22 UTC
CVE request http://www.openwall.com/lists/oss-security/2009/11/22/1 still has no reply from upstream.

I think it can be regularly stabilized by now regardless of the security implications.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-05 17:39:17 UTC
Arches, please test and mark stable:
=www-misc/awstats-6.95
Target keywords : "alpha amd64 hppa ppc x86"
Comment 7 Markus Meier gentoo-dev 2010-03-06 13:56:43 UTC
amd64/x86 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-03-07 16:04:18 UTC
alpha stable
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 22:33:02 UTC
Marked ppc stable.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-12 16:45:53 UTC
Stable for HPPA.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 18:46:18 UTC
GLSA Vote: No. Too little detail. From $URL:

- Fix security in awredir.pl script by adding a security key required by
  default.
- Enhance security of parameter sanitizing function.

Um, ok.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:20:31 UTC
Closing noglsa.