rpms/awstats/FC-5 awstats-6.5-CVE-2006-1945.patch, NONE, 1.1 awstats.README.SELinux, NONE, 1.1 .cvsignore, 1.6, 1.7 awstats.spec, 1.12, 1.13 sources, 1.9, 1.10
Aurelien Bompard (abompard)
fedora-extras-commits at redhat.com
Sun May 7 23:40:35 UTC 2006
- Previous message (by thread): rpms/awstats/FC-4 awstats-6.5-CVE-2006-1945.patch, NONE, 1.1 .cvsignore, 1.6, 1.7 awstats.spec, 1.10, 1.11 sources, 1.9, 1.10
- Next message (by thread): rpms/awstats/devel awstats.spec,1.13,1.14
Author: abompard
Update of /cvs/extras/rpms/awstats/FC-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14808/FC-5
Modified Files:
.cvsignore awstats.spec sources
Added Files:
awstats-6.5-CVE-2006-1945.patch awstats.README.SELinux
Log Message:
revert to version 6.5 (build failed for FC-4 and 5 anyway) and backport the fix for the vulnerability
awstats-6.5-CVE-2006-1945.patch:
--- NEW FILE awstats-6.5-CVE-2006-1945.patch ---
diff -u -r1.860 -r1.861
--- wwwroot/cgi-bin/awstats.pl 9 Jan 2006 18:51:06 -0000 1.860
+++ wwwroot/cgi-bin/awstats.pl 22 Jan 2006 12:55:14 -0000 1.861
@@ -5542,7 +5542,7 @@
# No update but report by default when run from a browser
$UpdateStats=($QueryString=~/update=1/i?1:0);
- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
+ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
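Review bot: In this browser branch the `diricons=` line directly below the changed `config=` line still assigns `&DecodeEncodedString("$1")` to `$DirIcons` without `&Sanitize(...)`, while `config`, `pluginmode` and `configdir` are now all filtered. Either wrap `diricons` the same way or add a comment explaining why it can stay raw. The ordering in the new line is correct: `&Sanitize` runs on the already decoded value, so the filter sees the characters that will actually be used.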
@@ -5591,7 +5591,7 @@
# Update with no report by default when run from command line
$UpdateStats=1;
- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig="$1"; }
+ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize("$1"); }
if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
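Review bot: `&Sanitize("$1")` on the new `config=` line takes one argument while the `pluginmode=` line passes a second argument of `1`, and nothing in the patch says what that flag changes. A short comment stating which mode `$SiteConfig` needs would make the choice reviewable. As in the browser branch, `diricons=` is left unfiltered here, and the same parameter parsing is duplicated in both branches, so every fix of this kind has to be made twice; a shared helper would keep the two in step.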
--- NEW FILE awstats.README.SELinux ---
==========================
SELinux support in AWStats
==========================

What is the problem ?
---------------------

AWStats is a CGI script, and needs to be labelled correctly to be called
from Apache.
The files in ``/usr/share/awstats/wwwroot/cgi-bin`` need to have the
``httpd_sys_script_exec_t`` type, and the database files in
``/var/lib/awstats`` need to have the ``httpd_sys_script_rw_t`` type.

How do we solve it ?
--------------------

You can change the type with the ``chcon`` command::

    chcon -R -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin
    chcon -R -t httpd_sys_script_rw_t /var/lib/awstats

But these modifications will be lost if the system is relabeled (you can
request a relabel with the system-config-security tool).
To make these changes permanent, this package sets the contexts by running
the following commands::

    semanage fcontext -a -t httpd_sys_script_exec_t \
        '/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
    semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?'

Please send your bug reports (if any ;) ) to https://bugzilla.redhat.com

Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/awstats/FC-5/.cvsignore,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- .cvsignore 7 May 2006 08:17:09 -0000 1.6
+++ .cvsignore 7 May 2006 23:40:34 -0000 1.7
@@ -1 +1 @@
-awstats-6.6.tar.gz
+awstats-6.5.tar.gz
Index: awstats.spec
===================================================================
RCS file: /cvs/extras/rpms/awstats/FC-5/awstats.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- awstats.spec 7 May 2006 08:17:09 -0000 1.12
+++ awstats.spec 7 May 2006 23:40:34 -0000 1.13
@@ -1,13 +1,14 @@
Name: awstats
-Version: 6.6
-Release: 0.1.beta%{?dist}
+Version: 6.5
+Release: 4%{?dist}
Summary: Advanced Web Statistics
License: GPL
Group: Applications/Internet
URL: http://awstats.sourceforge.net
-#Source0: http://dl.sf.net/awstats/awstats-6.6.tar.gz
-Source0: http://awstats.sourceforge.net/files/awstats-6.6.tar.gz
+Source0: http://dl.sf.net/awstats/awstats-6.5.tar.gz
+#Source0: http://awstats.sourceforge.net/files/awstats-6.5.tar.gz
Source1: awstats.README.SELinux
+Patch0: awstats-6.5-CVE-2006-1945.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: httpd
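Review bot: `Version:` goes down from 6.6 to 6.5 and the hunk adds no `Epoch:`, so 6.5-4 compares lower than 6.6-0.1.beta in RPM version ordering. The log message says the 6.6 build failed for FC-4 and FC-5, so this is fine only if no 6.6-0.1.beta package ever reached a repository; worth confirming, because a system that had it would not be offered the patched 6.5-4. Separately, the active `Source0` is a plain http URL, so the tarball's integrity rests on the digest in `sources`.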
@@ -34,6 +35,8 @@
%prep
%setup -q
+# no backup or the orig file will be installed
+%patch0 -p0
# Fix style sheets.
perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
# Fix some bad file permissions here for convenience.
@@ -49,7 +52,7 @@
rm -rf $RPM_BUILD_ROOT
### Create cron job
-%{__cat} <<EOF >awstats.cron
+cat <<EOF >awstats.cron
#!/bin/bash
if [ -f %{_localstatedir}/log/httpd/access_log ] ; then
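Review bot: The switch from `%{__cat}` to `cat` on the here-document line is unrelated to the CVE backport and is not mentioned in the log message or the changelog. It would be easier to audit as a separate commit, or at least noted in the changelog entry.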
@@ -173,8 +176,8 @@
%changelog
-* Sun May 07 2006 Aurelien Bompard <gauret[AT]free.fr> 6.6-0.1.beta
-- version 6.6 (beta), fixes CVE-2005-2732 (bug 190921, 190922, and 190923)
+* Mon May 08 2006 Aurelien Bompard <gauret[AT]free.fr> 6.5-4
+- add patch to fix CVE-2006-1945 (bugs 190921, 190922 and 190923)
* Sun Apr 09 2006 Aurelien Bompard <gauret[AT]free.fr> 6.5-3
- SELinux support: use semanage to label the cgi and the database files
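Review bot: The new 6.5-4 changelog entry records the patch but not the revert from 6.6 beta to 6.5, which appears only in the CVS log message. Since the 6.6-0.1.beta entry is deleted rather than kept, adding a line such as "revert to 6.5" would keep the package history readable. The removed entry cited CVE-2005-2732 and the new one cites CVE-2006-1945 for the same three bug numbers, so check that the bug reports carry the corrected CVE id as well.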
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/awstats/FC-5/sources,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- sources 7 May 2006 08:17:09 -0000 1.9
+++ sources 7 May 2006 23:40:34 -0000 1.10
@@ -1 +1 @@
-c9b65c5a58011fdb4ec611feec17eee4 awstats-6.6.tar.gz
+aef00b2ff5c5413bd2a868299cabd69a awstats-6.5.tar.gz
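Review bot: The replacement digest for awstats-6.5.tar.gz is the value the build will trust, and the spec fetches that tarball over `http://dl.sf.net`. Confirm the digest against a copy of the 6.5 tarball obtained independently of that URL before this is built.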