From https://bugzilla.redhat.com/show_bug.cgi?id=871159 :
A new CleanXSS() function was added [1] to awstats' awredir.pl cgi script and is part of the 7.1 release [2]. The additional function aims to clean strings of HTML tags so as to avoid XSS flaws. It doesn't indicate whether or not it was possible to actually inject arbitrary HTML into these strings or whether this was just a hardening mechanism, however this would be applicable to all currently supported versions of awstats.
[1] http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awredir.pl?r1=1.13&r2=1.14
[2] http://awstats.sourceforge.net/docs/awstats_changelog.txt
And obviously there is no new version, they just re-released 7.1 as usual. Sigh, on it.
CVE-2012-4547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4547): Unspecified vulnerability in awredir.pl in AWStats before 7.1 has unknown impact and attack vectors.
Diego / web-apps: ok to stabilize? (Thanks for the fast bump, Diego.)
Yes okay to stabilize, been using it since the bump and it's okay. Just the usual fixes I suppose.
(In reply to comment #4)
> Yes okay to stabilize, been using it since the bump and it's okay. Just the
> usual fixes I suppose.
Great, thanks. Arches, please test and mark stable =www-misc/awstats-7.1_p20121017
amd64 stable
Stable for HPPA.
x86 done.
stable ppc
Thanks, everyone. Closing noglsa for XSS only.