Bug 235225 (CVE-2008-3714) - net-www/awstats <6.9 awstats.pl Cross-site scripting (CVE-2008-3714)
Summary: net-www/awstats <6.9 awstats.pl Cross-site scripting (CVE-2008-3714)
Status: RESOLVED FIXED
Alias: CVE-2008-3714
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://awstats.cvs.sourceforge.net/aw...
Whiteboard: B3 [noglsa]
Reported: 2008-08-19 20:20 UTC by Robert Buchholz (RETIRED)
Modified: 2008-10-16 21:48 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:20:14 UTC
CVE-2008-3714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3714):
  Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows
  remote attackers to inject arbitrary web script or HTML via the query_string,
  a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
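The NVD text above describes the generic reflected-XSS pattern: a query string is written back into the HTML response without escaping. The following is an added illustration, not code from awstats.pl or from the upstream patch (the bug does not say how upstream fixed it). It shows the vulnerable reflection beside its escaped form, plus a small helper for reviewing access logs for requests that would have exercised the unescaped path; the sample query strings, log lines and IP addresses are constructed for the example.

```python
"""Reflected XSS via a query string: vulnerable pattern beside the escaped form.

Added example; not code from awstats.pl or from the upstream fix for
CVE-2008-3714. It models the generic pattern the CVE text describes
(QUERY_STRING reflected into HTML), not awstats' actual code paths.
"""
import html
from urllib.parse import unquote_plus

# Constructed sample query strings for illustration (not from the bug report).
BENIGN_QS = "config=example&output=main"
MARKUP_QS = "config=<b>x</b>&output=main"


def render_unsafe(query_string: str) -> str:
    """The vulnerable pattern: the raw query string is interpolated into the page.

    Any '<', '>' or quote characters in the input become live markup when the
    browser renders the response.
    """
    return f"<p>Query: {query_string}</p>"


def render_safe(query_string: str) -> str:
    """Hardened pattern: HTML-escape the input before interpolating it.

    quote=True also escapes '"' and "'", which matters when the value lands
    inside an attribute rather than element text.
    """
    return f"<p>Query: {html.escape(query_string, quote=True)}</p>"


def reflects_markup(rendered: str, query_string: str) -> bool:
    """True if the input contained markup characters and they survive verbatim
    in the rendered page, i.e. the page reflects them unescaped."""
    return any(ch in query_string for ch in "<>\"'") and query_string in rendered


def query_has_markup(raw_query: str) -> bool:
    """Detection helper: percent-decode the query and look for '<' or '>'.

    Decoding is required because '%3C' reaches the CGI script as '<';
    a check on the encoded form would miss it.
    """
    decoded = unquote_plus(raw_query)
    return any(ch in decoded for ch in "<>")


# Constructed Apache-style access log lines (hypothetical hosts and times).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Aug/2008:20:20:14 +0000] '
    '"GET /cgi-bin/awstats.pl?config=example HTTP/1.1" 200 4521',
    '10.0.0.6 - - [19/Aug/2008:20:21:02 +0000] '
    '"GET /cgi-bin/awstats.pl?config=%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 4530',
]


def flag_log_lines(lines):
    """Return the log lines whose request query string carries markup characters."""
    flagged = []
    for line in lines:
        request = line.split('"')[1]      # the quoted request line: METHOD PATH VERSION
        path = request.split()[1]         # PATH, possibly with ?query
        if "?" in path and query_has_markup(path.split("?", 1)[1]):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(render_unsafe(MARKUP_QS))
    print(render_safe(MARKUP_QS))
    print("\n".join(flag_log_lines(SAMPLE_LOG)))
```

Escaping at the point of output (as `render_safe` does) is the fix that closes the whole class, independent of which parameter is reflected; the log helper is only a triage aid and does not replace the output encoding.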
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:48:41 UTC
Upstream applied this patch:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912

6.9 Beta is tagged, and contains the "fix"(?).
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:57:31 UTC
Upstream bug report:
http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-10-11 18:36:29 UTC
awstats-6.9 is in the tree.

Targets:

alpha amd64 hppa ppc x86
Comment 4 Jan Schubert 2008-10-11 21:14:23 UTC
Works on ~amd64, but it seems to remove old installations from htdocs if USE=vhost is not set, which is different from other webapps I use (gallery, for example).
Comment 5 Markus Meier gentoo-dev 2008-10-12 15:06:02 UTC
amd64/x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-10-12 16:02:42 UTC
alpha stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-13 16:30:27 UTC
Stable for HPPA.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-16 18:14:23 UTC
ppc stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-16 18:50:48 UTC
Ready for vote, I vote NO.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-10-16 21:48:08 UTC
No too, closing.