235225 CVE-2008-3714 2008-08-19 20:20 0000 net-www/awstats <6.9 awstats.pl Cross-site scripting (CVE-2008-3714) 2008-10-16 21:48:08 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912 B3 [noglsa] P2 minor --- 1 rbu@gentoo.org security@gentoo.org Jan.Schubert@GMX.li web-apps@gentoo.org rbu@gentoo.org 2008-08-19 20:20:14 0000 CVE-2008-3714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3714): Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945. rbu@gentoo.org 2008-08-19 20:48:41 0000 Upstream applied this patch: http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912 6.9 Beta is tagged, and contains the "fix"(?). rbu@gentoo.org 2008-08-19 20:57:31 0000 upstream bug report: http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764 wrobel@gentoo.org 2008-10-11 18:36:29 0000 awstats-6.9 is in the tree. Targets: alpha amd64 hppa ppc x86 Jan.Schubert@GMX.li 2008-10-11 21:14:23 0000 works on ~amd64 but seems to remove old installations from htdocs if USE=vhost is not set, which is different from other webapps I use (gallery for example). maekke@gentoo.org 2008-10-12 15:06:02 0000 amd64/x86 stable armin76@gentoo.org 2008-10-12 16:02:42 0000 alpha stable jer@gentoo.org 2008-10-13 16:30:27 0000 Stable for HPPA. dertobi123@gentoo.org 2008-10-16 18:14:23 0000 ppc stable keytoaster@gentoo.org 2008-10-16 18:50:48 0000 Ready for vote, I vote NO. py@gentoo.org 2008-10-16 21:48:08 0000 No too, closing.