Patches are here: http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff
Aaron please attach on updated ebuild. I'm not sure of the confidentiality status yet, so filing as restricted.
Created attachment 51079 [details] awstats-6.3-r1.ebuild
Created attachment 51080 [details, diff] awstats-6.3-CAN-2005-0016.diff Had to modify the patch as it is for 6.2 which is no longer in portage.
I just noticed after looking at the patch that the lines being patched out are not the same as in the 6.2 patch... this looks like it only affects 6.2. 6.3 uses a Sanitize subroutine which looks to do the same thing: #------------------------------------------------------------------------------ # Function: Clean a string of all chars that are not char or _ - \ / . \s # Parameters: stringtoclean # Input: None # Output: None # Return: cleanedstring #------------------------------------------------------------------------------ sub Sanitize { my $stringtoclean=shift; $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g; return $stringtoclean; }
Thx for the swift reaction. Aaron this is at least semi-public. Please commit the reduced patch.
Committed. Kept keywords.
CAN-2005-0016 configdir,pluginmode variable, fixed in 6.3 CAN-2005-0362 [no]loadplugin,pluginmode variables, fixed in 6.3 CAN-2005-0363 config variable, fixed in the latest patch Development version 6.4 contains : - Fix security hole that allowed a user to read log file content even when plugin rawlog was not enabled. That may also require additional patching...
I've backported all the bugfixes from 6.4 to 6.3. I also renamed the current patch as I thought CAN-2005-0016 covered all of the variables. I uploaded the patch to the mirrors so I'll commit the revbump in a few hours.
This is all public from awstats changelogs and te PDF analysis. Not sure if we should release this as an update to the old GLSA or a brand-new one.
Committed.
UPDATE to GLSA 200501-36 sent
We should doublecheck that everything in http://www.securityfocus.com/archive/1/390368/2005-02-12/2005-02-18/0 has been covered.
These mails are about CAN-2005-0362 and -363, so this is covered.