Gentoo Full Text Bug Listing

Bug 235225 - net-www/awstats <6.9 awstats.pl Cross-site scripting (CVE-2008-3714)

Bug#: 235225 (CVE-2008-3714)	Product: Gentoo Security	Version: unspecified	Platform: All
OS/Version: Linux	Status: RESOLVED	Severity: minor	Priority: P2
Resolution: FIXED	Assigned To: security@gentoo.org	Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912
Summary: net-www/awstats <6.9 awstats.pl Cross-site scripting (CVE-2008-3714)
Keywords:
Status Whiteboard: B3 [noglsa]
Opened: 2008-08-19 20:20 0000

Description:

Opened: 2008-08-19 20:20 0000

CVE-2008-3714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3714):
  Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows
  remote attackers to inject arbitrary web script or HTML via the query_string,
  a different vulnerability than CVE-2006-3681 and CVE-2006-1945.

------- Comment #1 From Robert Buchholz 2008-08-19 20:48:41 0000 -------

Upstream applied this patch:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912

6.9 Beta is tagged, and contains the "fix"(?).

------- Comment #2 From Robert Buchholz 2008-08-19 20:57:31 0000 -------

upstream bug report:
http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764

------- Comment #3 From Gunnar Wrobel 2008-10-11 18:36:29 0000 -------

awstats-6.9 is in the tree.

Targets:

alpha amd64 hppa ppc x86

------- Comment #4 From Jan Schubert 2008-10-11 21:14:23 0000 -------

works on ~amd64 but seems to remove old installations from htdocs if USE=vhost
is not set, which is different from other webapps I use (gallery for example).

------- Comment #5 From Markus Meier 2008-10-12 15:06:02 0000 -------

amd64/x86 stable

------- Comment #6 From Raúl Porcel 2008-10-12 16:02:42 0000 -------

alpha stable

------- Comment #7 From Jeroen Roovers 2008-10-13 16:30:27 0000 -------

Stable for HPPA.

------- Comment #8 From Tobias Scherbaum 2008-10-16 18:14:23 0000 -------

ppc stable

------- Comment #9 From Tobias Heinlein 2008-10-16 18:50:48 0000 -------

Ready for vote, I vote NO.

------- Comment #10 From Pierre-Yves Rofes 2008-10-16 21:48:08 0000 -------

No too, closing.