Charles Fry wrote:
Hi Laurent,
Can you please comment on these vulnerabilities, especially
CVE-2006-3681?
This vulnerability is true.
Are these fixed in 6.6? When do you expect to release
6.6?
It is fixed in 6.6. I have just launched the beta for 6.6, meaning the
code in the current 6.6 package will not change (except for bug corrections
found during the beta).
The beta lasts about 2 months.
I also updated the AWStats security page to report this vulnerability code:
http://awstats.sourceforge.net/awstats_security_news.php
It is the hole #3 in this page.
thanks,
Charles
-----Original Message-----
From: Alec Berryman <[EMAIL PROTECTED]>
Subject: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681
CVE-2006-3682: multiple vulnerabilities
Date: Wed, 19 Jul 2006 22:32:54 -0400
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Reply-To: Alec Berryman <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Package: awstats
Version: 6.5-2
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-3681: "Multiple cross-site scripting (XSS) vulnerabilities in
awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers
to inject arbitrary web script or HTML via the (1) refererpagesfilter,
(2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5)
hostfilter, or (6) hostfilterex parameters, a different set of vectors
than CVE-2006-1945."
CVE-2006-3682: "awstats.pl in AWStats 6.5 build 1.857 and earlier allows
remote attackers to obtain the installation path via the (1) year, (2)
pluginmode or (3) month parameters."
I have not verified either vulnerability. The original advisory [1]
has sample exploits.
This is not the same as #364443 or #365909. Sarge is probably affected.
Please mention the CVEs in your changelog.
Thanks,
Alec
[1] http://pridels.blogspot.com/2006/04/awstats-65x-multiple-vuln.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEvutWAud/2YgchcQRAnO4AJkBYfNZSWE6zHKPGArOpX3eNnH9AwCfYtf7
5nTPB7EkA5xCCZLPv6xgF7I=
=AN2l
-----END PGP SIGNATURE-----
_______________________________________________
Pkg-awstats-devel mailing list
[EMAIL PROTECTED]
http://lists.alioth.debian.org/mailman/listinfo/pkg-awstats-devel
--
Laurent Destailleur.
---------------------------------------------------------------
EMail: [EMAIL PROTECTED]
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy
AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http://www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net
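The two CVEs quoted above describe the same defensive lesson from two angles: request parameters that are reflected into the generated page must be HTML-escaped (CVE-2006-3681, the filter parameters), and parameters used to select data must be validated so that a malformed value fails with a generic message rather than an error that echoes server-side details (CVE-2006-3682). The following Perl script is an added illustration written for this page; it is not AWStats code and does not reproduce the actual awstats.pl logic. It reuses the parameter names from the bug report (`urlfilter`, `year`, `month`), but the way the real script leaked the installation path is not stated in the advisory, so the "uncaught error message" mechanism in the second half is an assumption. The sample request values are constructed.

```perl
#!/usr/bin/perl
# Added example (not AWStats code): reflecting and validating CGI parameters safely.
use strict;
use warnings;

# --- Part 1: reflected parameters (CVE-2006-3681 class) -------------------

# Minimal HTML escaping suitable for text nodes and double-quoted attributes.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern: the filter value is interpolated into the page unchanged,
# so any markup or quote characters in the request become part of the HTML.
sub render_filter_unsafe {
    my ($filter) = @_;
    return qq{<input type="text" name="urlfilter" value="$filter">};
}

# Hardened pattern: escape before interpolation, so the value can only ever
# be the attribute's text.
sub render_filter_safe {
    my ($filter) = @_;
    my $e = html_escape($filter);
    return qq{<input type="text" name="urlfilter" value="$e">};
}

# --- Part 2: parameters used for data selection (CVE-2006-3682 class) -----

# Assumption (not stated in the advisory): an unexpected year/month value
# reached a file-open or similar step whose failure text, including the
# script's own path, was sent back to the client. Validating against a strict
# whitelist up front, and returning a generic message on failure, removes
# both the error and the leak.
sub validate_period {
    my ($month, $year) = @_;
    return (undef, 'Invalid period')
        unless defined $year && $year =~ /^\d{4}$/;
    return (undef, 'Invalid period')
        unless defined $month && $month =~ /^(?:0?[1-9]|1[0-2]|all)$/;
    return ({ month => $month, year => $year }, undef);
}

# Constructed sample request (hypothetical values, not from the advisory).
my %param = (
    urlfilter => q{"><b>not a url</b>},
    year      => '2006',
    month     => '../../etc',
);

print "unsafe: ", render_filter_unsafe($param{urlfilter}), "\n";
print "safe:   ", render_filter_safe($param{urlfilter}),   "\n";

my ($period, $err) = validate_period($param{month}, $param{year});
print $err ? "period: rejected ($err)\n"
           : "period: $period->{year}/$period->{month}\n";
```

Running the script prints the unescaped reflection (the quote and tags survive intact) next to the escaped one (`&quot;&gt;&lt;b&gt;...`), and rejects the malformed `month` with the generic message instead of letting it reach any file or error path. The point of keeping the error text generic is that whatever the script would otherwise have printed (a `die` message, a filename, a stack line) is exactly the kind of detail the second CVE describes leaking.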